*** This bug is a security vulnerability *** Public security bug reported:
logwatch does not include blocked connexions (iptables). As this is an entry point in monitoring servers and because blocked connexions can be a symptom of break-in attempts, having no report on them while you expect to can be a big problem.

Sorry for not submitting a patch, this is beyond my knowledge and time, but since it's three lines of code, here's my fix with a bit of explanation:

In /usr/share/logwatch/dist.conf/services/iptables.conf, set the logfile to syslog or kern.log:

    LogFile = /var/log/kern.log

After doing so, the logfiles are not parsed properly. While you now get reports, the aggregation is not accurate.

Basically, the cleanup regexp does not account for the fact that for small kernel timestamps, there is a space at the beginning of the stamp.

In /usr/share/logwatch/scripts/services/iptables on line 132, the old regexp is:

    $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?//;

The right regexp would be:

    $ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?//;

Here is an example of a log line that would not work, because of the space in the timestamp "[ 1690.227087]":

    Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 SRC=166.78.158.192 DST=72.14.183.239 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56

have fun,
Frank

** Affects: logwatch (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: iptables logwatch

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1170458

Title: iptables service not functionnal - Solution included
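The effect described in the report, as an added example that is not part of the original message or of logwatch's own code: it applies the two cleanup regexps quoted above to constructed log lines and counts the distinct strings left in front of "IN=". Grouping on that leading text is an assumed, simplified stand-in for the script's aggregation; the hostname, log prefix and addresses in the samples are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Cleanup regexps as quoted in the report: old = current, new = proposed.
my $old = qr/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?/;
my $new = qr/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?/;

# Constructed sample lines modelled on the one in the report (addresses are
# documentation ranges). The first three carry a space-padded kernel
# timestamp; the last one is wide enough to need no padding.
my @lines = (
    'Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123',
    'Apr 18 18:05:41 rack1 kernel: [ 1694.113502] fw: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123',
    'Apr 18 18:06:02 rack1 kernel: [ 1715.900114] fw: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123',
    'Apr 19 02:11:09 rack1 kernel: [30812.004417] fw: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123',
);

# Strip the syslog header with the given regexp, then key each line on
# whatever precedes "IN=" (assumption: stands in for the log prefix that
# the report says is aggregated inaccurately).
sub count_by_prefix {
    my ($re, @input) = @_;
    my %count;
    for my $line (@input) {
        (my $rest = $line) =~ s/$re//;
        my ($prefix) = $rest =~ /^(.*?)IN=/;
        $count{ defined $prefix ? $prefix : '(unparsed)' }++;
    }
    return \%count;
}

# With the old regexp every padded timestamp leaks into the key, so
# identical events land in separate buckets; the new one yields one bucket.
for my $case ([old => $old], [new => $new]) {
    my ($name, $re) = @$case;
    my $count = count_by_prefix($re, @lines);
    printf "%s regexp: %d distinct prefix(es)\n", $name, scalar keys %$count;
    printf "  %-24s %d\n", "'$_'", $count->{$_} for sort keys %$count;
}
```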