Public bug reported:

ubuntu eoan (19.10)
---

While investigating why my fail2ban client was not blocking the usual
script-kiddie SSH attempts, I discovered that no sshd failures were
appearing in /var/log/auth.log.  Upon opening
/etc/rsyslog.d/50-default.conf I discovered that sshd failures are being
transformed and forwarded to localhost:7070.  Here's the section of
configuration:

if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      # Transform and forward data!
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
   }
   stop
}


For me, nothing is bound to port 7070. 

I assume you have a good reason for such a default but it seems
suboptimal to stop processing after forwarding.  I commented out the
stop line and restarted rsyslog and found that logs appeared in
/var/log/auth.log and that my fail2ban is now banning IPs, as expected.

I suggest changing the default configuration so that sshd failures reach
/var/log/auth.log.

** Affects: rsyslog (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: eoan
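A check for the pattern described in this report, added here as an example that is not part of the bug report or of the rsyslog package: it scans a RainerScript fragment for a rule block that forwards with omfwd and then ends in an unconditional stop (which discards the message before any later rule, such as the auth.log rule, can see it), and runs on two constructed sample files, the quoted rule and the same rule with stop commented out as the reporter did.

```shell
#!/bin/sh
# Added example (not from the bug report): flag an rsyslog RainerScript
# block that forwards with omfwd and then ends with an unconditional
# 'stop'. Prints the offending block and returns 1 if found, else 0.
sshd_stop_swallows_log() {
    awk '
    /[{]/ {                                  # a block opens on this line
        depth += gsub(/[{]/, "{")
        if (depth == 1) { start = NR ": " $0; fwd = 0; stopped = 0 }
    }
    depth >= 1 && /omfwd/ { fwd = 1 }        # forwarding action inside the block
    depth == 1 && /^[ \t]*stop[ \t]*$/ { stopped = 1 }   # block-level, unconditional stop
    /[}]/ {                                  # a block closes on this line
        depth -= gsub(/[}]/, "}")
        if (depth == 0 && fwd && stopped) { print "forward-then-stop at line " start; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed copy of the rule quoted in the report: 'stop' sits at block level,
# so no sshd message ever reaches the auth.log rule that follows.
cat > "$SAMPLE_DIR/buggy.conf" <<'EOF'
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
   }
   stop
}
auth,authpriv.* /var/log/auth.log
EOF
# Constructed fixed variant, as the reporter did it: forward, but let the
# message fall through to the auth.log rule.
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
if $programname == 'sshd' then {
   if $msg startswith ' Failed' then {
      action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
   }
   # stop
}
auth,authpriv.* /var/log/auth.log
EOF
for f in buggy fixed; do
    if sshd_stop_swallows_log "$SAMPLE_DIR/$f.conf"; then echo "$f.conf: ok"; fi
done
```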

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1881942

Title:
  default configuration forwards sshd failures to port 7070

Status in rsyslog package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp