2020-11-16 02:00:24 |
Matthew D. Mower |
bug |
|
|
added bug |
2020-11-16 16:47:34 |
Matthew D. Mower |
description |
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the runtime of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the log as spam due to the apparently large number of links in the email. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu
2. Set the distribution default config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
|
2020-11-17 19:30:18 |
Lucas Kanashiro |
tags |
wishlist |
server-next wishlist |
|
2020-11-17 19:30:27 |
Lucas Kanashiro |
logwatch (Ubuntu): status |
New |
Triaged |
|
2020-11-17 19:30:36 |
Lucas Kanashiro |
bug |
|
|
added subscriber Ubuntu Server |
2021-03-26 21:34:18 |
Bryce Harrington |
logwatch (Ubuntu): importance |
Undecided |
Wishlist |
|
2021-03-26 21:34:50 |
Bryce Harrington |
nominated for series |
|
Ubuntu Bionic |
|
2021-03-26 21:34:50 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Bionic) |
|
2021-03-26 21:34:50 |
Bryce Harrington |
nominated for series |
|
Ubuntu Xenial |
|
2021-03-26 21:34:50 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Xenial) |
|
2021-03-26 21:34:50 |
Bryce Harrington |
nominated for series |
|
Ubuntu Groovy |
|
2021-03-26 21:34:50 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Groovy) |
|
2021-03-26 21:34:50 |
Bryce Harrington |
nominated for series |
|
Ubuntu Hirsute |
|
2021-03-26 21:34:50 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Hirsute) |
|
2021-03-26 21:34:50 |
Bryce Harrington |
nominated for series |
|
Ubuntu Focal |
|
2021-03-26 21:34:50 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Focal) |
|
2021-03-26 21:34:57 |
Bryce Harrington |
logwatch (Ubuntu Xenial): status |
New |
Triaged |
|
2021-03-26 21:35:00 |
Bryce Harrington |
logwatch (Ubuntu Bionic): status |
New |
Triaged |
|
2021-03-26 21:35:02 |
Bryce Harrington |
logwatch (Ubuntu Focal): status |
New |
Triaged |
|
2021-03-26 21:35:04 |
Bryce Harrington |
logwatch (Ubuntu Groovy): status |
New |
Triaged |
|
2021-03-26 21:35:06 |
Bryce Harrington |
logwatch (Ubuntu Groovy): importance |
Undecided |
Wishlist |
|
2021-03-26 21:35:08 |
Bryce Harrington |
logwatch (Ubuntu Focal): importance |
Undecided |
Wishlist |
|
2021-03-26 21:35:10 |
Bryce Harrington |
logwatch (Ubuntu Bionic): importance |
Undecided |
Wishlist |
|
2021-03-26 21:35:12 |
Bryce Harrington |
logwatch (Ubuntu Xenial): importance |
Undecided |
Wishlist |
|
2021-03-27 00:20:16 |
Bryce Harrington |
logwatch (Ubuntu Hirsute): status |
Triaged |
Fix Released |
|
2021-07-01 02:52:38 |
Bryce Harrington |
logwatch (Ubuntu Xenial): status |
Triaged |
Won't Fix |
|
2021-07-01 03:02:33 |
Bryce Harrington |
description |
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
[Impact]
Logwatch looks up hostnames of every reported IP address, which
increases runtime (and thus increases power and network bandwidth usage)
especially for high-traffic servers.
Secondly, the resultant URLs included in Logwatch's report emails can
trigger spam filters.
This change adds an option to turn off IP lookup.
[Test Case]
1. Log into an lxc container running groovy or earlier
2. Install logwatch
$ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com"
$ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'"
$ sudo apt-get install -y msmtp msmtp-mta logwatch
3. Force an initial logrotation
$ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf
4. Run logwatch manually
$ sudo logwatch --detail Med --service sshd --range "between
On a system with sshd exposed to the internet that has been up for some
time, this may take a considerable amount of time to run
[Where Problems Could Occur]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
and address these questions in advance
[Original Report]
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
|
2021-07-01 21:52:56 |
Bryce Harrington |
nominated for series |
|
Ubuntu Impish |
|
2021-07-01 21:52:56 |
Bryce Harrington |
bug task added |
|
logwatch (Ubuntu Impish) |
|
2021-07-01 23:36:15 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405065 |
|
2021-07-01 23:36:19 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405066 |
|
2021-07-01 23:36:21 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405067 |
|
2021-07-02 19:27:23 |
Bryce Harrington |
description |
[Impact]
Logwatch looks up hostnames of every reported IP address, which
increases runtime (and thus increases power and network bandwidth usage)
especially for high-traffic servers.
Secondly, the resultant URLs included in Logwatch's report emails can
trigger spam filters.
This change adds an option to turn off IP lookup.
[Test Case]
1. Log into an lxc container running groovy or earlier
2. Install logwatch
$ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com"
$ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'"
$ sudo apt-get install -y msmtp msmtp-mta logwatch
3. Force an initial logrotation
$ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf
4. Run logwatch manually
$ sudo logwatch --detail Med --service sshd --range "between
On a system with sshd exposed to the internet that has been up for some
time, this may take a considerable amount of time to run
[Where Problems Could Occur]
* Think about what the upload changes in the software. Imagine the change is
wrong or breaks something else: how would this show up?
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This must '''never''' be "None" or "Low", or entirely an argument as to why
your upload is low risk.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
and address these questions in advance
[Original Report]
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
[Impact]
Logwatch looks up hostnames of every reported IP address, which
increases runtime (and thus increases power and network bandwidth usage)
especially for high-traffic servers.
Secondly, the resultant URLs included in Logwatch's report emails can
trigger spam filters.
This change adds an option to turn off IP lookup.
[Test Case]
1. Log into an lxc container running groovy or earlier
2. Install logwatch
$ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com"
$ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'"
$ sudo apt-get install -y msmtp msmtp-mta logwatch
3. Force an initial logrotation
$ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf
4. Run logwatch manually
$ sudo logwatch --detail Med --service sshd --range "between
On a system with sshd exposed to the internet that has been up for some
time, this may take a considerable amount of time to run
[Where Problems Could Occur]
Since logwatch filters logs for errors pertinent to administrators,
standard things to watch out for are undesired changes in this filtering
behavior, such as flagging or failing to flag issues differently than
before, other than the specific messages being filtered with this
change. This specific change deals with how IP addresses are translated into hostnames, so particular issues to watch for would be any logic dependent on having textual addresses rather than numerical ones.
[Original Report]
By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences:
1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .
Following a request for help to disable hostname lookups in sshd...
https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
a developer committed a change to support this feature...
https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/
This wishlist has two requests:
1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
$sshd_ip_lookup = No |
|
2021-07-06 20:49:28 |
Brian Murray |
logwatch (Ubuntu Groovy): status |
Triaged |
Fix Committed |
|
2021-07-06 20:49:31 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-07-06 20:49:34 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2021-07-06 20:49:39 |
Brian Murray |
tags |
server-next wishlist |
server-next verification-needed verification-needed-groovy wishlist |
|
2021-07-06 20:52:40 |
Brian Murray |
logwatch (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2021-07-06 20:52:46 |
Brian Murray |
tags |
server-next verification-needed verification-needed-groovy wishlist |
server-next verification-needed verification-needed-focal verification-needed-groovy wishlist |
|
2021-07-06 20:54:22 |
Brian Murray |
logwatch (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2021-07-06 20:54:29 |
Brian Murray |
tags |
server-next verification-needed verification-needed-focal verification-needed-groovy wishlist |
server-next verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy wishlist |
|
2021-07-07 02:19:53 |
Matthew D. Mower |
tags |
server-next verification-needed verification-needed-bionic verification-needed-focal verification-needed-groovy wishlist |
server-next verification-done-focal verification-needed verification-needed-bionic verification-needed-groovy wishlist |
|
2021-07-16 12:14:42 |
Utkarsh Gupta |
tags |
server-next verification-done-focal verification-needed verification-needed-bionic verification-needed-groovy wishlist |
server-next verification-done verification-done-bionic verification-done-focal verification-done-groovy wishlist |
|
2021-07-19 19:14:56 |
Launchpad Janitor |
logwatch (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2021-07-19 19:14:59 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-07-20 15:28:23 |
Launchpad Janitor |
logwatch (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-07-20 15:28:43 |
Launchpad Janitor |
logwatch (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|