
group.of.nepali.translators team mailing list archive

[Bug 1904362] Re: [Wishlist] Disable hostname lookup by default for logwatch service sshd

 

** Also affects: logwatch (Ubuntu Impish)
   Importance: Wishlist
       Status: Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1904362

Title:
  [Wishlist] Disable hostname lookup by default for logwatch service
  sshd

Status in logwatch package in Ubuntu:
  Fix Released
Status in logwatch source package in Xenial:
  Won't Fix
Status in logwatch source package in Bionic:
  Triaged
Status in logwatch source package in Focal:
  Triaged
Status in logwatch source package in Groovy:
  Triaged
Status in logwatch source package in Hirsute:
  Fix Released
Status in logwatch source package in Impish:
  Fix Released

Bug description:
  [Impact]
  Logwatch looks up hostnames of every reported IP address, which
  increases runtime (and thus increases power and network bandwidth usage)
  especially for high-traffic servers.

  Secondly, the resultant URLs included in Logwatch's report emails can
  trigger spam filters.

  This change adds an option to turn off ip lookup.

  [Test Case]
  1. Log into an lxc container running groovy or earlier
  2. Install logwatch
     $ sudo debconf-set-selections <<< "postfix postfix/mailname string test.hostname.com"
     $ sudo debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Local only'"
     $ sudo apt-get install -y msmtp msmtp-mta logwatch
  3. Force an initial logrotation
     $ sudo /usr/sbin/logrotate -vf /etc/logrotate.conf
  4. Run logwatch manually
     $ sudo logwatch --detail Med --service sshd --range "between 

  On a system with sshd exposed to the internet that has been up for some
  time, this may take a considerable amount of time to run.

  [Where Problems Could Occur]
  * Think about what the upload changes in the software. Imagine the change is
    wrong or breaks something else: how would this show up?

  * It is assumed that any SRU candidate patch is well-tested before
    upload and has a low overall risk of regression, but it's important
    to make the effort to think about what ''could'' happen in the
    event of a regression.

  * This must '''never''' be "None" or "Low", or entirely an argument as to why
    your upload is low risk.

  * This both shows the SRU team that the risks have been considered,
    and provides guidance to testers in regression-testing the SRU.

  [Other Info]

  * Anything else you think is useful to include
  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
    and address these questions in advance

  [Original Report]

  By default, logwatch performs a hostname lookup of every IP address
  reported in SSHD logs. This has two negative consequences:

  1. If there are lots of IP addresses to look up, this increases the run time of logwatch significantly.
  2. If logwatch is set to email logs, some spam filters detect the hostnames as URLs and will flag the email as spam due to the apparently large number of links. See https://serverfault.com/questions/977628/logwatch-emails-marked-as-spam-how-to-stop-reverse-dns-on-bot-hosts/1042679 .

  Following a request for help to disable hostname lookups in sshd...
  https://sourceforge.net/p/logwatch/discussion/1115929/thread/952d84109c/
  a developer committed a change to support this feature...
  https://sourceforge.net/p/logwatch/git/ci/88c0d675f10e425faeddd23316c061f425f39a06/

  This wishlist has two requests:
  1. Backport the patch (which is very easy to apply) to logwatch packages in currently supported LTS versions of Ubuntu. The patch defaults to performing the IP lookup, so this would not change the behavior of any existing installations, but it would expose the ability to disable these lookups if needed.
  2. For future Ubuntu distributions, set the config to disable SSHD IP lookups by default. This could be accomplished by introducing /usr/share/logwatch/dist.conf/services/sshd.conf with contents:
  $sshd_ip_lookup = No

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362/+subscriptions
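
An added check, not part of the bug report or of logwatch itself: a shell function that reports which config layer sets `$sshd_ip_lookup` for the sshd service and whether lookups end up disabled. The layer order (default.conf, then dist.conf, then /etc/logwatch/conf), the `ROOT` argument, and counting only `No` as disabled are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): find the sshd_ip_lookup value
# that the last logwatch config layer sets for the sshd service.

# Assumed layer order, earliest first; a later layer overrides an earlier one.
LAYERS="usr/share/logwatch/default.conf usr/share/logwatch/dist.conf etc/logwatch/conf"

# effective_sshd_ip_lookup [ROOT]
# ROOT (hypothetical argument, default /) lets the check run against a
# container rootfs or an unpacked package instead of the live system.
# Prints "<value> <file>" for the winning assignment, or "unset -".
effective_sshd_ip_lookup() {
    root="${1:-/}"
    value="unset"
    source_file="-"
    for layer in $LAYERS; do
        f="${root%/}/$layer/services/sshd.conf"
        [ -r "$f" ] || continue
        # The last uncommented "$sshd_ip_lookup = X" line in a file wins.
        # The name is matched case-insensitively; trailing comments are dropped.
        v=$(awk 'tolower($0) ~ /^[ \t]*\$sshd_ip_lookup[ \t]*=/ {
                     sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*#.*$/, "")
                     sub(/[ \t]+$/, ""); v = tolower($0)
                 } END { print v }' "$f")
        if [ -n "$v" ]; then
            value="$v"
            source_file="$f"
        fi
    done
    printf '%s %s\n' "$value" "$source_file"
}

# sshd_ip_lookup_disabled [ROOT]
# Succeeds only when the effective value is "no". Unset counts as enabled,
# because the report says the patch defaults to performing the lookup.
sshd_ip_lookup_disabled() {
    case "$(effective_sshd_ip_lookup "$1")" in
        "no "*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone use: print the effective value for / or for the given root.
effective_sshd_ip_lookup "$@"
```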