[Bug 1881942] Re: default configuration forwards sshd failures to port 7070
Steve Beattie
1881942 at bugs.launchpad.net
Wed Jun 24 03:56:34 UTC 2020
Hi John,
I'm not sure what's happened here, but the default
/etc/rsyslog.d/50-default.conf contains no such snippet (a pristine copy
is also stored in /usr/share/rsyslog/50-default.conf) and is managed via
ucf. The contents of a pristine version are attached.
Either another package you have installed has modified this config file
(and looking at the fail2ban package and postinstall script, I don't see
anything there that would add anything like that).
Doing a limited google search on the comment string "# Transform and
forward data" turned up this recipe:
https://devconnected.com/geolocating-ssh-hackers-in-real-time/ ; is it
possible that this was added as part of a recipe you were following?
Thanks.
** Attachment added: "50-default.conf"
https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/1881942/+attachment/5386636/+files/50-default.conf
** Changed in: rsyslog (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to rsyslog in Ubuntu.
https://bugs.launchpad.net/bugs/1881942
Title:
default configuration forwards sshd failures to port 7070
Status in rsyslog package in Ubuntu:
Incomplete
Bug description:
ubuntu eoan (19.10)
---
While investigating why my fail2ban client was not blocking the usual
script-kiddie SSH attempts, I discovered that no sshd failures were
appearing in /var/log/auth.log. Upon opening
/etc/rsyslog.d/50-default.conf I discovered that sshd failures are
being transformed and forwarded to localhost:7070. Here's the section
of configuration:
    if $programname == 'sshd' then {
        if $msg startswith ' Failed' then {
            # Transform and forward data!
            action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
        }
        stop
    }
For me, nothing is bound to port 7070.
I assume you have a good reason for such a default but it seems
suboptimal to stop processing after forwarding. I commented out the
stop line and restarted rsyslog and found that logs appeared in
/var/log/auth.log and that my fail2ban is now banning IPs, as
expected.
I suggest changing the default configuration so that sshd failures
reach /var/log/auth.log.
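The hazard the report describes, a forward action followed by a `stop` with no local file write in scope, can be caught mechanically before a config is deployed. The Python checker below is an added example, not part of this bug thread or of rsyslog itself: it scans a RainerScript snippet with a simple brace-depth walk, the sample config is constructed from the block quoted in the report, and the three regexes are assumptions that cover the common action forms rather than every rsyslog syntax.

```python
import re

# Constructed sample reproducing the block quoted in the bug report, followed by
# the stock auth rule from 50-default.conf. rsyslog evaluates rules top down, so
# anything the 'stop' swallows never reaches /var/log/auth.log (or fail2ban).
REPORTED = """\
if $programname == 'sshd' then {
    if $msg startswith ' Failed' then {
        # Transform and forward data!
        action(type="omfwd" target="127.0.0.1" port="7070" protocol="tcp" template="ip-json")
    }
    stop
}
auth,authpriv.*                 /var/log/auth.log
"""
# The report's suggested fix: drop the 'stop' so the failure lines are still
# forwarded and then fall through to the auth.log rule.
SUGGESTED = REPORTED.replace("    stop\n", "")

FORWARD = re.compile(r'type="(omfwd|omrelp)"|^\S+\s+@')  # RainerScript or legacy @host
LOCAL = re.compile(r'type="omfile"|^\S+\s+-?/')          # omfile or legacy path target
STOP = re.compile(r'^(&\s*)?stop$')

def find_forward_then_stop(config_text):
    """Return 1-based line numbers of every 'stop' reached after a forward action
    with no local file action in the same scope (inner blocks fold into their parent)."""
    stack = [{"fwd": False, "local": False}]
    hits = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' inside quotes)
        if not line:
            continue
        scope = stack[-1]
        if FORWARD.search(line):
            scope["fwd"] = True
        if LOCAL.search(line):
            scope["local"] = True
        if STOP.match(line) and scope["fwd"] and not scope["local"]:
            hits.append(no)
        for ch in line:  # track block nesting; a closing brace merges the inner block's actions
            if ch == "{":
                stack.append({"fwd": False, "local": False})
            elif ch == "}" and len(stack) > 1:
                inner = stack.pop()
                stack[-1]["fwd"] |= inner["fwd"]
                stack[-1]["local"] |= inner["local"]
    return hits

if __name__ == "__main__":
    print("reported :", find_forward_then_stop(REPORTED))   # [6]
    print("suggested:", find_forward_then_stop(SUGGESTED))  # []
```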