group.of.nepali.translators team mailing list archive

[Bug 1644057] Re: Excessive Disconnect unmatched entries from sshd


This bug was fixed in the package logwatch -
7.4.3+git20161207-2ubuntu1.2

---------------
logwatch (7.4.3+git20161207-2ubuntu1.2) bionic; urgency=medium

  [ Bryce Harrington ]
  * d/p/0020-dhcpd-Ignore-lease-age-under-threshold-messages.patch:
    dhcpd: Ignore lease age under threshold messages
    (LP: #1578001)
  * d/p/0018-audit-Treat-Denial-Errors-same-as-Denied.patch:
    audit: Treat Denial-Errors same as Denied.
    (LP: #1577948)
  * d/p/0017-audit-Apparmor-DENIED-entries-don-t-always-include-p.patch:
    audit: Apparmor DENIED entries don't always include parent=N.
    (LP: #1577948)
  * d/p/0014-zz-sys-Suppress-warnings-if-Sys-CPU-or-Sys-MemInfo-a.patch:
    zz-sys: Suppress warnings if Sys::CPU or Sys::MemInfo are missing.
    These are not installed by default in Ubuntu's logwatch packaging.
    (LP: #1890749)
  * d/p/0012-postfix-Handle-backwards-compatible-mode.patch:
    postfix: Handle backwards-compatible mode.
    (LP: #1583705)
  * d/p/0011-postfix-Ignore-Resolved-loghost-to-127.0.0.1.patch:
    postfix: Ignore Resolved loghost to 127.0.0.1.
    (LP: #1583705)
  * d/p/0010-00-debspecific-disable-su-reporting-in-secure.diff.patch:
    Use $PATH to determine location of zpool and zfs.
    (LP: #1880211)

  [ Karl Stenerud ]
  * d/p/ssh-ignore-disconnected.patch:
    sshd: ignore disconnected from user USER
    (LP: #1644057)

 -- Bryce Harrington <bryce@xxxxxxxxxxxxx>  Thu, 03 Sep 2020 04:21:53 +0000

** Changed in: logwatch (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1644057

Title:
  Excessive Disconnect unmatched entries from sshd

Status in logwatch package in Ubuntu:
  Fix Released
Status in logwatch source package in Xenial:
  Fix Released
Status in logwatch source package in Bionic:
  Fix Released
Status in logwatch package in Debian:
  Fix Released

Bug description:
  [Impact]

  User ssh disconnect messages in syslog aren't handled by logwatch, and
  thus end up in the "Unmatched Entries" section, one per event. This
  clutters up the logwatch reports unnecessarily.

  [Test Case]

  # lxc launch ubuntu-daily:cosmic tester
  # lxc exec tester bash

  # apt update
  # apt dist-upgrade -y
  # apt install -y logwatch openssh-server mailutils
    * mail configuration : Local only
    * System mail name: (use default)

  # sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
  # systemctl restart sshd
  # passwd ubuntu
    * choose a password
  # ssh ubuntu@localhost
    * login, then exit

  # logwatch --detail Med --mailto root --service all --range today
  # sleep 1
  # mail
    * select message 1
    * Search for SSHD:
      /SSHD

  You will see unmatched entries:
     **Unmatched Entries**
     Disconnected from user ubuntu 127.0.0.1 port 53084 : 1 time(s)

  
  [Original Description]

  # lsb_release -rd
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy logwatch
  logwatch:
    Installed: 7.4.2-1ubuntu1
    Candidate: 7.4.2-1ubuntu1
    Version table:
   *** 7.4.2-1ubuntu1 500
          500 http://mirrors.digitalocean.com/ubuntu xenial/main amd64 Packages
          500 http://mirrors.digitalocean.com/ubuntu xenial/main i386 Packages
          100 /var/lib/dpkg/status

  The issue seems to be exactly as described here:

  https://bugzilla.redhat.com/show_bug.cgi?id=1317620

  In synopsis, Logwatch's "SSHD" output contains excessive "Unmatched
  Entries" regarding SSH disconnections. They look like this:

   Received disconnect from 123.123.123.123 port 6887:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 8310:11: disconnected by user : 1 time(s)
   Disconnected from 123.123.123.123 port 1306 : 1 time(s)
   Received disconnect from 123.123.123.123 port 3720:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 3001:11: disconnected by user : 1 time(s)
   Disconnected from 123.123.123.123 port 1054 : 1 time(s)
   Received disconnect from 123.123.123.123 port 9741:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 3261:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 4650:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 13235:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 1065:11: disconnected by user : 1 time(s)
   Received disconnect from 123.123.123.123 port 13868:11: disconnected by user : 1 time(s)
   Disconnected from 123.123.123.123 port 8542 : 1 time(s)

  I should mention that these connections are from me, and are
  legitimate; they are not from "bots" or other types of probes/scans
  that, for example, check for the availability of vulnerable
  ciphers.

  The key finding from the above report seems to be:

  "I don't know why there are two different format disconnect messages,
  but the bit that seems to confuse logwatch was adding the port number
  to the message."

  There seem to be several (3-5) such messages that result from a normal
  connect/disconnect cycle.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1644057/+subscriptions
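The mismatch the reporter describes (and the "Disconnected from user ..." line the test case produces) comes down to sshd having added "port N" to its disconnect messages while the filter's patterns still expected the older wording. The following added example, written in Python rather than logwatch's own Perl and not taken from the logwatch source or the fix patch, classifies constructed sshd syslog lines with a legacy pattern set that approximates the pre-fix behaviour and an updated set that tolerates the port suffix and both "Disconnected from" variants; the pattern names, sample addresses and ports are assumptions, not logwatch's.

```python
import re
from collections import Counter

# Constructed sample lines in syslog format; the addresses (RFC 5737 range),
# ports and pids are placeholders, not values from the bug report.
SAMPLE_LINES = [
    "Jan 10 10:00:01 host sshd[1201]: Accepted publickey for ubuntu from 203.0.113.5 port 50000 ssh2",
    "Jan 10 10:00:09 host sshd[1201]: Received disconnect from 203.0.113.5 port 50000:11: disconnected by user",
    "Jan 10 10:00:09 host sshd[1201]: Disconnected from 203.0.113.5 port 50000",
    "Jan 10 10:05:12 host sshd[1240]: Disconnected from user ubuntu 127.0.0.1 port 53084",
    # Older OpenSSH wording without the port number, which the legacy pattern understands.
    "Jan 10 10:07:30 host sshd[1300]: Received disconnect from 203.0.113.9: 11: disconnected by user",
]

# Strip the syslog prefix so only the sshd message body is matched.
SYSLOG_SSHD = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")

# Approximation of the pre-fix behaviour: only the pre-OpenSSH-7 wording is known,
# so anything carrying "port N" falls through to "Unmatched Entries".
LEGACY_PATTERNS = {
    "accepted": re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port \d+"),
    "disconnect_by_user": re.compile(r"^Received disconnect from (\S+): 11: disconnected by user$"),
}

# Updated set: optional "port N", optional space before the reason code, and the
# "Disconnected from [user USER] ADDR [port N]" variants.
UPDATED_PATTERNS = {
    "accepted": LEGACY_PATTERNS["accepted"],
    "disconnect_by_user": re.compile(
        r"^Received disconnect from (\S+?)(?: port \d+)?:\s?11: disconnected by user$"),
    "disconnected": re.compile(r"^Disconnected from (?:user \S+ )?(\S+)(?: port \d+)?$"),
}


def classify(lines, patterns):
    """Return (Counter of matched categories, list of unmatched sshd message bodies)."""
    matched, unmatched = Counter(), []
    for line in lines:
        m = SYSLOG_SSHD.search(line)
        if not m:
            continue  # not an sshd line; the sshd filter would never see it
        msg = m.group("msg")
        for name, pat in patterns.items():
            if pat.match(msg):
                matched[name] += 1
                break
        else:
            unmatched.append(msg)
    return matched, unmatched


def unmatched_report(unmatched):
    """Render unmatched messages the way the **Unmatched Entries** section does."""
    return [f"{msg} : {n} time(s)" for msg, n in Counter(unmatched).items()]
```

Running `classify(SAMPLE_LINES, LEGACY_PATTERNS)` leaves the three port-bearing lines unmatched, while the updated set matches every line, which is the behaviour the fix restores.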