Bug 152807

Summary: [periodic] security 900.tcpwrap does not report any refused connections
Product: Base System Reporter: Michiel Detailleur <md>
Component: confAssignee: freebsd-bugs (Nobody) <bugs>
Status: Open ---    
Severity: Affects Only Me    
Priority: Normal    
Version: 8.1-RELEASE   
Hardware: Any   
OS: Any   

Description Michiel Detailleur 2010-12-03 14:50:10 UTC 
The periodic script /etc/periodic/security/900.tcpwrap that is enabled by default in the periodic emails does not report any refused connections.

Reason is that refused connections do not seem to be reported anymore in the /var/log/messages file. However, refused connections to SSH daemons are (still) reported in /var/log/auth.log.

My /etc/syslog.conf file is (by my knowledge) the standard 8.1 syslog file:

# $FreeBSD: src/etc/syslog.conf,v 1.30.2.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
#   Spaces ARE valid field separators in this file. However,
#   other *nix-like systems still insist on using tabs as field
#   separators. If you are sharing this file between systems, you
#   may want to use only tabs as field separators here.
#   Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                  /var/log/security                                                                                                                                                       auth.info;authpriv.info             /var/log/auth.log
mail.info                   /var/log/maillog
lpr.info                    /var/log/lpd-errs                                                                                                                                                       ftp.info                    /var/log/xferlog
cron.*                      /var/log/cron
*.=debug                    /var/log/debug.log
*.emerg                     *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                        /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                        @loghost
# uncomment these if you're running inn
# news.crit                 /var/log/news/news.crit
# news.err                  /var/log/news/news.err
# news.notice                   /var/log/news/news.notice
!ppp
*.*                     /var/log/ppp.log
!*

I do not see any major differences in here from previous FreeBSD versions.

Fix: 

An easy but incorrect fix (IMHO) would be to have the /etc/periodic/security/900.tcpwrap parse the /var/log/auth.log file. However this would then only show refused connections to daemons concerned with authentication.

I suspect that the tcp-wrappers code logs to the wrong syslog facility and/or level. Or that a change has been made to this without also changing the /etc/syslog.conf file.
How-To-Repeat: Edit /etc/hosts.allow in a way that blocks an IP address controlled by you.

Try to make a tcp session to the FreeBSD 8.1 installation from the blocked IP address. Observe that your connection is refused.

Check the /var/log/messages file and see that there is no log record mentioning the blocking of your IP address.
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:16 UTC 
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped