[Bug 1881942] Re: default configuration forwards sshd failures to port 7070

[Launchpad Bug Tracker]

[Expired for rsyslog (Ubuntu) because there has been no activity for 60
days.]

** Changed in: rsyslog (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1881942

Title:
  default configuration forwards sshd failures to port 7070

Status in rsyslog package in Ubuntu:
  Expired

Bug description:
  ubuntu eoan (19.10)
  ---

  While investigating why my fail2ban client was not blocking the usual
  script-kiddie SSH attempts, I discovered that no sshd failures were
  appearing in /var/log/auth.log.  Upon opening
  /etc/rsyslog.d/50-default.conf I discovered that sshd failures are
  being transformed and forwarded to localhost:7070.  Here's the section
  of configuration:

  if $programname == 'sshd' then {
     if $msg startswith ' Failed' then {
        # Transform and forward data!
        action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
     }
     stop
  }

  
  For me, nothing is bound to port 7070. 

  I assume you have a good reason for such a default but it seems
  suboptimal to stop processing after forwarding.  I commented out the
  stop line and restarted rsyslog and found that logs appeared in
  /var/log/auth.log and that my fail2ban is now banning IPs, as
  expected.

  I suggest changing the default configuration so that sshd failures
  reach /var/log/auth.log.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+subscriptions