[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
This bug was fixed in the package logwatch - 7.4.3+git20161207-2ubuntu1.4 --- logwatch (7.4.3+git20161207-2ubuntu1.4) bionic; urgency=medium * d/p/allow-disabling-lookup.patch: Allow skipping ip lookup (LP: #1904362) -- Bryce Harrington Thu, 01 Jul 2021 03:13:23 + -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
This bug was fixed in the package logwatch - 7.5.2-1ubuntu1.3 --- logwatch (7.5.2-1ubuntu1.3) focal; urgency=medium * d/p/allow-disabling-lookup.patch: Allow skipping ip lookup (LP: #1904362) -- Bryce Harrington Thu, 01 Jul 2021 03:44:37 + ** Changed in: logwatch (Ubuntu Focal) Status: Fix Committed => Fix Released ** Changed in: logwatch (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
This bug was fixed in the package logwatch - 7.5.4-0ubuntu3.2 --- logwatch (7.5.4-0ubuntu3.2) groovy; urgency=medium * d/p/allow-disabling-lookup.patch: Allow skipping ip lookup (LP: #1904362) -- Bryce Harrington Thu, 01 Jul 2021 03:44:20 + ** Changed in: logwatch (Ubuntu Groovy) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
Hello, In a Groovy LXD container, I repro'd the bug & then installed 7.5.4-0ubuntu3.2 and found out that the fix works as expected. Similarly, in a Bionic LXD container, I repro'd the bug and installed 7.4.3+git20161207-2ubuntu1.4 and verified that the fix works as expected. Thank you! ** Tags removed: verification-needed verification-needed-bionic verification-needed-groovy ** Tags added: verification-done verification-done-bionic verification-done-groovy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
@brian-murray - I performed the following test. System info: $ uname -a Linux linodeusw01 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 20.04.2 LTS Release:20.04 Codename: focal Package update: $ wget https://launchpad.net/ubuntu/+source/logwatch/7.5.2-1ubuntu1.3/+build/21758051/+files/logwatch_7.5.2-1ubuntu1.3_all.deb $ sudo dpkg -i logwatch_7.5.2-1ubuntu1.3_all.deb Testing: 1) Removed my custom config /etc/logwatch/conf/services/sshd.conf and script /etc/logwatch/scripts/services/sshd 2) Ran logwatch and inspected section "Illegal users from:" within " - SSHD Begin " Sample line: 27.151.56.7 (7.56.151.27.broad.fz.fj.dynamic.163data.com.cn): 5 Times 3) Created /etc/logwatch/conf/services/sshd.conf with contents: # Set to No to disable IP lookups $sshd_ip_lookup = No 4) Ran logwatch and inspected section "Illegal users from:" within " - SSHD Begin " Sample line: 27.151.56.7: 5 Times Results: This patch is working as expected on focal. ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
Hello Matthew, or anyone else affected, Accepted logwatch into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/logwatch/7.5.4-0ubuntu3.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-groovy. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: logwatch (Ubuntu Groovy) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-groovy ** Changed in: logwatch (Ubuntu Focal) Status: Triaged => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Description changed: [Impact] Logwatch looks up hostnames of every reported IP address, which increases runtime (and thus increases power and network bandwidth usage) especially for high-traffic servers. Secondly, the resultant URLs included in Logwatch's report emails can trigger spam filters. This change adds an option to turn off ip lookup. [Test Case] 1. Log into an lxc container running groovy or earlier 2. Install logwatch -$ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com" -$ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'" -$ sudo apt-get install -y msmtp msmtp-mta logwatch + $ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com" + $ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'" + $ sudo apt-get install -y msmtp msmtp-mta logwatch 3. Force an initial logrotation -$ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf + $ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf 4. Run logwatch manually -$ sudo logwatch --detail Med --service sshd --range "between + $ sudo logwatch --detail Med --service sshd --range "between On a system with sshd exposed to the internet that has been up for some time, this may take a considerable amount of time to run [Where Problems Could Occur] - * Think about what the upload changes in the software. Imagine the change is - wrong or breaks something else: how would this show up? - - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. - - * This must '''never''' be "None" or "Low", or entirely an argument as to why - your upload is low risk. - - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. - - [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - and address these questions in advance + Since logwatch filters logs for errors pertinent to administrators, + standard things to watch out for are undesired changes in this filtering + behavior, such as flagging or failing to flag issues differently than + before, other than the specific messages being filtered with this + change. This specific change deals with how IP addresses are translated into hostnames, so particular issues to watch for would be any logic dependent on having textual addresses rather than numerical ones. [Original Report] By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences: 1. If there are lots of IP addresses to lookup, this increases the run time of logwatch significantly. 2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 . Following a request for help to disable hostname lookups in sshd... https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/ a developer committed a change to support this feature... https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/ This wishlist has two requests: 1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed. 2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents: $sshd_ip_lookup = No -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
- (removed my comment that was not meant to be on the bug but the MRs) - -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405065 ** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405066 ** Merge proposal linked: https://code.launchpad.net/~bryce/ubuntu/+source/logwatch/+git/logwatch/+merge/405067 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Also affects: logwatch (Ubuntu Impish) Importance: Wishlist Status: Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Description changed: + [Impact] + Logwatch looks up hostnames of every reported IP address, which + increases runtime (and thus increases power and network bandwidth usage) + especially for high-traffic servers. + + Secondly, the resultant URLs included in Logwatch's report emails can + trigger spam filters. + + This change adds an option to turn off ip lookup. + + [Test Case] + 1. Log into an lxc container running groovy or earlier + 2. Install logwatch +$ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com" +$ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'" +$ sudo apt-get install -y msmtp msmtp-mta logwatch + 3. Force an initial logrotation +$ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf + 4. Run logwatch manually +$ sudo logwatch --detail Med --service sshd --range "between + + On a system with sshd exposed to the internet that has been up for some + time, this may take a considerable amount of time to run + + [Where Problems Could Occur] + * Think about what the upload changes in the software. Imagine the change is + wrong or breaks something else: how would this show up? + + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the + event of a regression. + + * This must '''never''' be "None" or "Low", or entirely an argument as to why + your upload is low risk. + + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. + + [Other Info] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + and address these questions in advance + + [Original Report] + By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences: 1. If there are lots of IP addresses to lookup, this increases the run time of logwatch significantly. 2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 . Following a request for help to disable hostname lookups in sshd... https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/ a developer committed a change to support this feature... https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/ This wishlist has two requests: 1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed. 2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents: $sshd_ip_lookup = No -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
Xenial has passed its end of standard support ** Changed in: logwatch (Ubuntu Xenial) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Changed in: logwatch (Ubuntu Hirsute) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Changed in: logwatch (Ubuntu) Importance: Undecided => Wishlist ** Also affects: logwatch (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: logwatch (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: logwatch (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: logwatch (Ubuntu Hirsute) Importance: Wishlist Status: Triaged ** Also affects: logwatch (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: logwatch (Ubuntu Xenial) Status: New => Triaged ** Changed in: logwatch (Ubuntu Bionic) Status: New => Triaged ** Changed in: logwatch (Ubuntu Focal) Status: New => Triaged ** Changed in: logwatch (Ubuntu Groovy) Status: New => Triaged ** Changed in: logwatch (Ubuntu Groovy) Importance: Undecided => Wishlist ** Changed in: logwatch (Ubuntu Focal) Importance: Undecided => Wishlist ** Changed in: logwatch (Ubuntu Bionic) Importance: Undecided => Wishlist ** Changed in: logwatch (Ubuntu Xenial) Importance: Undecided => Wishlist -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
Hi Matthew, First thank you for taking the time to file this bug and try to make Ubuntu better. The upstream patch you provided is straightforward. I am tagging this bug as server-next to put it in our team's queue of work to be done. ** Tags added: server-next ** Changed in: logwatch (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd
** Description changed: By default, logwatch performs a hostname lookup of every IP address reported in SSHD logs. This has two negative consequences: - 1. If there are lots of IP addresses to lookup, this increases the runtime of logwatch significantly. - 2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the log as spam due to the apparently large number of links in the email. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 . + 1. If there are lots of IP addresses to lookup, this increases the run time of logwatch significantly. + 2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 . Following a request for help to disable hostname lookups in sshd... https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/ a developer committed a change to support this feature... https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/ This wishlist has two requests: - 1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu - 2. Set the distribution default config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents: + 1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed. + 2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents: $sshd_ip_lookup = No -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1904362 Title: [Wishlist] Disable hostname lookup by default for logwatch service sshd To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs