From nobody@FreeBSD.org  Tue Jun 21 13:15:44 2011
Return-Path: <nobody@FreeBSD.org>
Message-Id: <201106211315.p5LDFhq5084750@red.freebsd.org>
Date: Tue, 21 Jun 2011 13:15:43 GMT
From: Jesper Wallin <jesper@ifconfig.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: The "security run output" contains log entries which are a year old.
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         158121
>Category:       misc
>Synopsis:       The "security run output" contains log entries which are a year old.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 21 13:20:08 UTC 2011
>Closed-Date:    Thu Jun 23 18:11:44 UTC 2011
>Last-Modified:  Thu Jun 23 18:11:44 UTC 2011
>Originator:     Jesper Wallin
>Release:        7.3-RELEASE-p2
>Organization:
>Environment:
FreeBSD ns1.nohack.se 7.3-RELEASE-p2 FreeBSD 7.3-RELEASE-p2 #0: Mon Jul 12 19:04:04 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
This morning I got the regular "security run output" mails and noticed I got about 2000 invalid login attempts against my SSH daemon. I found that pretty strange as I knew my SSH server was both firewalled and listening on an internal interface with a local (192.168/8) address.

After checking my firewall rules twice, digging through my pf logs (without finding anything) and still without a single clue how the heck those bots could manage to access my SSH server, I noticed the following:

The log entries in /var/log/auth.log do not contain the year. Because of this, if you rarely log on to the machine (or for some other reason don't manage to reach the 100K limit before newsyslog rotates your auth.log) the "security run output" will send you year-old logs. :-)
>How-To-Repeat:
1. Start the machine.
2. Do a few invalid/incorrect login-attempts.
3. Wait a year. ;-)
4. Check the "security run output" mail.
>Fix:
Make newsyslog rotate auth.log regardless of its size, or somehow make sshd/syslogd log the year as well.

Another solution would be to parse the logs more carefully to somehow exclude the lines before today. Not sure if this solves it completely though, considering such rare/weird scenarios where no one tries to log in at all in over a year.

>Release-Note:
>Audit-Trail:

From: Jaakko Heinonen <jh@FreeBSD.org>
To: Jesper Wallin <jesper@ifconfig.se>
Cc: bug-followup@FreeBSD.org
Subject: Re: misc/158121: The "security run output" contains log entries which are a year old.
Date: Wed, 22 Jun 2011 07:32:25 +0300

 On 2011-06-21, Jesper Wallin wrote:
 > The log entries in /var/log/auth.log does not contain the year.
 > Because of this, if you rarely logon to the machine (or for some other
 > reason doesn't manage to reach the 100K limit before newsyslog rotate
 > your auth.log) the "security run output" will send you a year old
 > logs. :-)
 
 > >Fix:
 > Make newsyslog rotate auth.log regardless of it's size or make somehow
 > make sshd/syslogd log the year as well.
 
 You can configure interval based rotation in /etc/newsyslog.conf. See
 the description of the "when" field in the newsyslog.conf(5) manual page.
 
 -- 
 Jaakko
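An added illustration, not part of the PR or of FreeBSD's periodic scripts, of the two points made above: Jesper's suggestion to parse the year-less auth.log timestamps more carefully, and why that only helps when the file contains some later entry that reveals the year wrap, which is why Jaakko's interval-based rotation is the real fix. The log lines, hostname, addresses and the run time are constructed.

```python
import re
from datetime import datetime, timedelta

# FreeBSD syslogd writes "Mon DD HH:MM:SS host prog[pid]: msg" with no year.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<rest>.*)$")

# Constructed sample: two failed logins from a year earlier, one login in
# December, then a login just before today's periodic run (03:01).
SAMPLE_LOG = [
    "Jun 20 03:14:07 ns1 sshd[1234]: Invalid user admin from 10.0.0.5",
    "Jun 20 03:14:09 ns1 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 40102 ssh2",
    "Dec  3 09:00:00 ns1 sshd[2222]: Accepted publickey for jesper from 192.168.1.10 port 5000 ssh2",
    "Jun 21 02:30:00 ns1 sshd[3333]: Accepted publickey for jesper from 192.168.1.10 port 5001 ssh2",
]
NOW = datetime(2011, 6, 21, 3, 1)  # constructed: time of the daily security run

def assign_years(lines, now, infer=True):
    """Return (datetime, rest) per syslog line, in file order.

    With infer=True the file is walked newest-to-oldest: the last line is assumed
    to be no later than `now`, and whenever the month/day jumps forward while
    walking backward the year is decremented. With infer=False every line gets
    now.year, the assumption that produces the year-old entries described in the PR.
    Without a later line that crosses the year boundary (e.g. the Dec 3 login)
    the two modes agree, and only rotating by interval can drop the stale lines.
    """
    matches = [m for m in map(LINE_RE.match, lines) if m]
    out, year, bound = [], now.year, now
    for m in reversed(matches):
        stamp = datetime.strptime(
            f"{m['mon']} {int(m['day'])} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        if infer and stamp > bound:
            year -= 1
            stamp = stamp.replace(year=year)
        bound = stamp
        out.append((stamp, m["rest"]))
    out.reverse()
    return out

def failed_logins(lines, now, window=timedelta(days=1), infer=True):
    """sshd authentication failures whose inferred timestamp lies in the last `window`."""
    return [rest for ts, rest in assign_years(lines, now, infer)
            if now - window <= ts <= now
            and ("Failed password" in rest or "Invalid user" in rest)]

if __name__ == "__main__":
    print("assume current year:", len(failed_logins(SAMPLE_LOG, NOW, infer=False)))
    print("infer year from order:", len(failed_logins(SAMPLE_LOG, NOW)))
```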
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Thu Jun 23 18:11:30 UTC 2011 
State-Changed-Why:  
A workaround was suggested. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=158121 
>Unformatted:
