From owner-freebsd-bugs@FreeBSD.ORG Tue Jun 21 13:20:09 2011
Message-Id: <201106211315.p5LDFhq5084750@red.freebsd.org>
Date: Tue, 21 Jun 2011 13:15:43 GMT
From: Jesper Wallin
To: freebsd-gnats-submit@FreeBSD.org
Cc:
Subject: misc/158121: The "security run output" contains log entries which are a year old.
X-Send-Pr-Version: www-3.1

>Number:         158121
>Category:       misc
>Synopsis:       The "security run output" contains log entries which are a year old.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 21 13:20:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Jesper Wallin
>Release:        7.3-RELEASE-p2
>Organization:
>Environment:
FreeBSD ns1.nohack.se 7.3-RELEASE-p2 FreeBSD 7.3-RELEASE-p2 #0: Mon Jul 12 19:04:04 UTC 2010 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
This morning I got the regular "security run output" mails and noticed I got about 2000 invalid login attempts against my SSH daemon. I found that pretty strange as I knew my SSH server was both firewalled and listens on an internal interface with a local (192.168/8) address.

After checking my firewall rules twice, digging through my pf logs (without finding anything) and still without a single clue how the heck those bots could manage to access my SSH server, I noticed the following: the log entries in /var/log/auth.log do not contain the year. Because of this, if you rarely log on to the machine (or for some other reason don't manage to reach the 100K limit before newsyslog rotates your auth.log), the "security run output" will send you year-old logs. :-)
>How-To-Repeat:
1. Start the machine.
2. Do a few invalid/incorrect login attempts.
3. Wait a year. ;-)
4. Check the "security run output" mail.
>Fix:
Make newsyslog rotate auth.log regardless of its size, or somehow make sshd/syslogd log the year as well. Another solution would be to parse the logs more carefully to somehow exclude the lines before today. Not sure if this solves it completely though, considering such rare/weird scenarios where no one tries to log in at all in over a year.
>Release-Note:
>Audit-Trail:
>Unformatted:
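The following is an added example, not code from the PR or from FreeBSD's periodic scripts. It reproduces the failure mode the report describes (matching syslog lines on "Mon DD" alone, so entries from the same calendar day a year earlier pass the filter) and shows one way to carry out the submitter's third suggestion, parsing the log more carefully. Since syslogd appends in time order, a line whose month/day is earlier than the previous line's marks a December-to-January wrap; only lines after the last such wrap belong to the current year. The sample log lines, the hostname, the addresses (192.0.2.0/24) and the failed-login message pattern are constructed for illustration and are assumptions, not values from the page.

```python
import re
from datetime import date, timedelta

# Added example (not FreeBSD's periodic code). Sample lines, hostname,
# addresses and the failure pattern are constructed for illustration.

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Syslog timestamp as syslogd writes it: "Jun 20 02:11:43 host ..." (no year).
TS_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) \d\d:\d\d:\d\d ")
# Assumed markers of a failed SSH login; adjust to the daemon's real messages.
FAIL_RE = re.compile(r"Invalid user|Failed password|authentication error")


def month_day(line):
    """Return (month, day) of a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    return (MONTHS[m.group(1)], int(m.group(2))) if m else None


def yesterday_md(today=None):
    """The calendar day a morning report looks at, as (month, day)."""
    today = today or date.today()
    y = today - timedelta(days=1)
    return (y.month, y.day)


def naive_failures(lines, target):
    """Match on month/day alone: every year's entries for that day qualify."""
    return [l for l in lines if month_day(l) == target and FAIL_RE.search(l)]


def current_year_segment(lines):
    """Keep only lines after the last year wrap.

    The file is appended chronologically, so a month/day earlier than the
    previous line's can only be a Dec -> Jan transition (or a clock change).
    """
    start, prev = 0, None
    for i, line in enumerate(lines):
        md = month_day(line)
        if md is None:
            continue
        if prev is not None and md < prev:
            start = i
        prev = md
    return lines[start:]


def current_year_failures(lines, target):
    """Failures for the target day, restricted to the current (post-wrap) year."""
    return [l for l in current_year_segment(lines)
            if month_day(l) == target and FAIL_RE.search(l)]


# Constructed auth.log excerpt: two failed logins on Jun 20 of last year,
# sparse activity through the year, one failed login on Jun 20 this year.
SAMPLE = """\
Jun 20 02:11:43 host sshd[4711]: Invalid user admin from 192.0.2.10
Jun 20 02:11:47 host sshd[4711]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Aug  3 09:00:12 host sshd[5120]: Accepted publickey for ops from 192.0.2.20 port 40100 ssh2
Dec 31 23:59:58 host sshd[6001]: Accepted publickey for ops from 192.0.2.20 port 40122 ssh2
Jan  1 00:00:10 host su: ops to root on /dev/pts/0
Jun 20 07:30:01 host sshd[7302]: Failed password for root from 192.0.2.30 port 60011 ssh2
Jun 21 06:00:00 host sshd[7500]: Accepted publickey for ops from 192.0.2.20 port 40200 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    target = (6, 20)  # as if the report ran on the morning of Jun 21
    for l in naive_failures(lines, target):
        print("naive :", l)
    for l in current_year_failures(lines, target):
        print("fixed :", l)
```

The wrap detection removes the two year-old lines in the sample but, as the submitter anticipates, cannot help when nothing at all was logged between the two same-day entries a year apart: with no intervening line there is no backwards step to detect, and the old entries still pass. Rotating auth.log on a time schedule, or logging the year, closes that gap; the filter above only narrows it.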