[Bug 1170458] [NEW] iptables service not functional - Solution included
Francois Trahan
francois.trahan at gmail.com
Thu Apr 18 18:58:55 UTC 2013
*** This bug is a security vulnerability ***
Public security bug reported:
logwatch does not include blocked connections (iptables). As this is an
entry point in monitoring servers and because blocked connections can be a
symptom of break-in attempts, having no report on them while you expect
to can be a big problem.
Sorry for not submitting a patch, this is beyond my knowledge and time,
but since it's three lines of code, here's my fix with a bit of
explanation:
In /usr/share/logwatch/dist.conf/services/iptables.conf, set the logfile
to syslog or kern.log:
LogFile = /var/log/kern.log
After doing so, the logfile is not parsed properly. While you now get
reports, the aggregation is not accurate.
Basically, the cleanup regexp does not account for the fact that for
small kernel timestamps, there is a space at the beginning of the stamp.
In /usr/share/logwatch/scripts/services/iptables on line 132
The old regexp is:
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?//;
The right regexp would be:
$ThisLine =~ s/^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?//;
Here is an example of a log line that would not work, because of the space in the timestamp "[ 1690.227087]":
Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 SRC=166.78.158.192 DST=72.14.183.239 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
have fun,
Frank
** Affects: logwatch (Ubuntu)
Importance: Undecided
Status: New
** Tags: iptables logwatch
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to logwatch in Ubuntu.
https://bugs.launchpad.net/bugs/1170458
Title:
iptables service not functional - Solution included
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1170458/+subscriptions
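A regression check for the two cleanup patterns in the report, added here as an example; it is not part of the original message or of logwatch. The patterns are transcribed from the Perl `s///` lines into Python's `re`, the sample lines other than the first are constructed, and grouping on the text left before `IN=` is an assumption used to illustrate the inaccurate aggregation the reporter describes.

```python
import re
from collections import Counter

# The two cleanup patterns from the report, transcribed from the Perl s/// lines.
OLD = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?(\[\d+\.\d+\] )?")
NEW = re.compile(r"^... .. ..:..:.. ([^ ]*) (kernel: )?(\[ *\d+\.\d+\] )?")

# First line is the one quoted in the report. The other two are constructed
# (documentation addresses), one with a space-padded stamp and one without.
SAMPLE = [
    "Apr 18 18:05:37 rack1 kernel: [ 1690.227087] fw: IN= OUT=eth0 "
    "SRC=166.78.158.192 DST=72.14.183.239 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Apr 18 18:05:41 rack1 kernel: [ 1694.301122] fw: IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=4211 DF PROTO=TCP SPT=40112 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Apr 19 02:10:03 rack1 kernel: [30756.114250] fw: IN=eth0 OUT= "
    "SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=4377 DF PROTO=TCP SPT=40990 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def strip_prefix(pattern, line):
    """Remove the syslog date, host, 'kernel: ' and the uptime stamp."""
    return pattern.sub("", line, count=1)


def log_prefix(pattern, line):
    """Text left in front of 'IN=' after cleanup (assumed grouping key)."""
    return strip_prefix(pattern, line).split("IN=", 1)[0]


def prefix_counts(pattern, lines=SAMPLE):
    """Count lines per leftover prefix; one key per rule is the goal."""
    return Counter(log_prefix(pattern, line) for line in lines)


if __name__ == "__main__":
    for name, pattern in (("old", OLD), ("new", NEW)):
        print(name, dict(prefix_counts(pattern)))
```

With the old pattern each padded stamp stays in the line and becomes part of the key, so the three hits on the same `fw: ` rule are counted separately; with the corrected pattern they collapse into one entry.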