Package: fwlogwatch
Version: 1.1-3
Severity: important
After a sarge -> etch or etch -> lenny upgrade, fwlogwatch stopped blocking attacking hosts with an iptables rule. Although kern.log contains many more entries about dropped packets from the same address than alert_threshold, fwlw_respond isn't triggered. I've also tried sid's version (1.1-4) and it doesn't work either.

From what I managed to inspect of the problem, I believe that the reason is the current format of kernel logging. The previous format was like:

May 1 07:38:30 kiezmar kernel: gShield (default drop) IN=eth0 OUT= MAC=<the_mac_address> SRC=61.184.107.7 DST=83.14.195.50 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=58588 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0

while currently it's like:

Jul 1 09:07:36 kiezmar kernel: [736989.470314] gShield (default drop) IN=eth0 OUT= MAC=<the_mac_address> SRC=74.63.225.44 DST=83.14.195.50 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 DPT=9000 WINDOW=8192 RES=0x00 SYN URGP=0

I.e., there is a new field containing a time (e.g. [736989.470314]). I emulated the old-format entries by echoing a few of the latest entries >> kern.log, but with the [time] field removed, and then a blocking rule was successfully added to iptables. That's why I see the new field as the reason. fwlogwatch should properly recognize it in order to work properly.

Thanks!

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL.iso-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages fwlogwatch depends on:
ii  debconf [debconf-2.0]   1.5.24             Debian configuration management sy
ii  libc6                   2.7-18             GNU C Library: Shared libraries
ii  postfix [mail-transpor  2.5.5-1.1          High-performance mail transport ag
ii  sysklogd [system-log-d  1.5-5              System Logging Daemon
ii  zlib1g                  1:1.2.3.3.dfsg-12  compression library - runtime

fwlogwatch recommends no packages.

fwlogwatch suggests no packages.
-- debconf information:
* fwlogwatch/email: r...@localhost
* fwlogwatch/respond: yes (iptables)
* fwlogwatch/realtime: true
* fwlogwatch/notify: yes (mail)
* fwlogwatch/cron_parameters: -p -d -O ta -t -e -l 1d
* fwlogwatch/cron_email: root
  fwlogwatch/buildconfig: true
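The parsing failure the report describes (a netfilter log parser that expects the log prefix immediately after "kernel: " and therefore rejects every line once the kernel's "[seconds.micros]" printk timestamp appears) is easy to reproduce and to fix in a few lines. The following is an added illustration written for this page, not fwlogwatch's own code: a small parser for both line formats, with the timestamp made optional, plus a per-source counter that reports which addresses reach a threshold, approximating what the report's alert_threshold / fwlw_respond logic needs to see. The log lines, addresses (documentation ranges) and the threshold value are constructed for the example; the "strict" pattern is an assumption standing in for the old parser behaviour, not a copy of fwlogwatch's actual matcher.

```python
import re
from collections import Counter
from typing import Optional

# Optional printk timestamp, e.g. "[736989.470314] ", that newer kernels
# insert after "kernel: ". Making it optional is the whole fix: a parser that
# requires the log prefix right after "kernel: " rejects every new-format line.
_PRINTK_TS = r"(?:\[\s*\d+\.\d+\]\s+)?"

def _build_pattern(tolerate_printk_ts: bool) -> re.Pattern:
    """Build the line matcher; the prefix must start with a letter so the
    strict variant (assumed old behaviour) fails on a leading '['."""
    return re.compile(
        r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
        r"(?P<host>\S+)\s+kernel:\s+"
        + (_PRINTK_TS if tolerate_printk_ts else "")
        + r"(?P<prefix>[A-Za-z][^=]*?)\s*IN=(?P<rest>.*)$"
    )

_STRICT = _build_pattern(tolerate_printk_ts=False)
_TOLERANT = _build_pattern(tolerate_printk_ts=True)

def parse_line(line: str, tolerate_printk_ts: bool = True) -> Optional[dict]:
    """Return the netfilter fields of one kern.log line, or None if the line
    does not match. KEY=VALUE tokens become dict entries (empty values kept,
    e.g. OUT=), bare tokens such as DF or SYN are collected under 'flags'."""
    pattern = _TOLERANT if tolerate_printk_ts else _STRICT
    m = pattern.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {"date": m["date"], "host": m["host"], "prefix": m["prefix"]}
    flags = []
    for tok in ("IN=" + m["rest"]).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields

def sources_over_threshold(lines, alert_threshold: int,
                           tolerate_printk_ts: bool = True) -> dict:
    """Count dropped packets per SRC and return {src: count} for every
    address whose count reaches alert_threshold. Lines the parser rejects
    are silently skipped, which is exactly how the new format goes unnoticed."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, tolerate_printk_ts)
        if rec and "SRC" in rec:
            counts[rec["SRC"]] += 1
    return {src: n for src, n in counts.items() if n >= alert_threshold}

# Constructed sample log: one old-format line and four new-format lines from
# a single source (addresses from the 192.0.2.0/24 and 198.51.100.0/24
# documentation ranges; MAC left as the report's placeholder).
OLD_LINE = ("May  1 07:38:30 kiezmar kernel: gShield (default drop) IN=eth0 OUT= "
            "MAC=<the_mac_address> SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 "
            "PREC=0x00 TTL=103 ID=256 PROTO=TCP SPT=58588 DPT=3306 WINDOW=16384 "
            "RES=0x00 SYN URGP=0")
NEW_LINE = ("Jul  1 09:07:36 kiezmar kernel: [736989.470314] gShield (default drop) "
            "IN=eth0 OUT= MAC=<the_mac_address> SRC=192.0.2.20 DST=198.51.100.5 "
            "LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=12200 "
            "DPT=9000 WINDOW=8192 RES=0x00 SYN URGP=0")
SAMPLE_LOG = [OLD_LINE] + [NEW_LINE] * 4
ALERT_THRESHOLD = 3  # constructed value for the demonstration

if __name__ == "__main__":
    print("strict parser  :", sources_over_threshold(SAMPLE_LOG, ALERT_THRESHOLD, False))
    print("tolerant parser:", sources_over_threshold(SAMPLE_LOG, ALERT_THRESHOLD, True))
```

Run stand-alone, the strict parser reports no source over the threshold even though four drops from the same address are in the log, while the tolerant one reports 192.0.2.20 with a count of 4. Whether the timestamp is present depends on the kernel's printk.time setting (visible in /sys/module/printk/parameters/time), so a log parser should accept the field optionally rather than require or forbid it.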

