Is there a way to alter the Logwatch settings such that it stops performing reverse dns name resolution on all the hosts which tried to probe the server or were blocked?
These URLs are causing the emails to be blocked, particularly by Gmail, and thereby making Logwatch unusable as a sysadmin tool.
I'd prefer an answer which uses pre-existing config files on Ubuntu or Debian but I'll take whatever I can get.
Possible solution:
In Ubuntu 18.04 LTS:
Alternatively, you can edit the file by hand:
Find all occurrences of "my $name = LookupIP($ip);"
Replace with "my $name = $ip;"
At first I tried simply adding "my $DoLookup = 0;" near the top of the sshd script by hand, as a look at /usr/share/logwatch/lib/Logwatch.pm seemed to indicate that setting this would cause the LookupIP function to skip hostname lookups, but this did not work.
This answer is heavily inspired by @RedScourge's original answer, but disables LookupIP via config and makes minimally invasive changes to the sshd script only if necessary.
In response to a user asking about the ability to selectively disable hostname lookups for certain services, a patch was committed to logwatch that enables this feature for SSHD. As of this writing, the patch is not part of a tagged release, but it is easy to apply locally. As an added bonus, this speeds up log generation significantly if there are lots of SSH attempts on your server.
Step 1: Make sure the flag sshd_ip_lookup is handled by your local version of logwatch.
Open /usr/share/logwatch/scripts/services/sshd and search for sshd_ip_lookup.
If you don't find any references to this flag, then...
a. Copy the sshd script to /etc so that it won't be overwritten if logwatch is updated
b. Open /etc/logwatch/scripts/services/sshd with your preferred editor
c. Modify the script with the changes from this commit, i.e. paste the following just before "my $DebugCounter = 0;" (or anywhere near the top):
Step 2: Set the flag sshd_ip_lookup to No in /etc/logwatch/conf/services/sshd.conf using your preferred editor.
Try running logwatch again!
Addendum: Google Mail (GMail) spam detection
I experienced Google blocking logwatch emails as well. They never made it to the recipient's spam folder; Google blocked the email on the way out. @RedScourge's analysis that this is due to the large number of domain names in the logwatch report appears correct. The email must look like it's full of URLs to Google's spam filters.
I believe there is a correlation between IP addresses that Google Mail links when displaying an email and those that its spam filter considers a link before an email is sent. I noticed that Google Mail linked the IP in "123.123.123.123: X Time(s)" but it did not link the IP in "123.123.123.123 : X Time(s)". With this in mind, I included a space after the IP and before the colon in the "Negotiation failed" and "Illegal users from" sections. Since doing this – a few weeks ago, now – I have not had any logwatch emails blocked by Google Mail.
The changes to /etc/logwatch/scripts/services/sshd include:
In if (keys %NegotiationFailed) { ... }, modify: to:
In if (keys %IllegalUsers) { ... }, modify: to:
A gist showing these changes is available here.
Notes
I've submitted a wishlist request to add the upstream logwatch patch to LTS releases of Ubuntu. I'm not sure that it will be approved, but you can subscribe to it here to track its status: https://bugs.launchpad.net/ubuntu/+source/logwatch/+bug/1904362
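Added example, not code from either answer: a small POSIX shell script that does Step 1's check and Step 2 from this answer, and falls back to @RedScourge's LookupIP replacement when the local sshd script does not know the flag. The three paths are the ones named above; the function names, the --apply switch, and the assumption that the flag is written as "$sshd_ip_lookup = No" in sshd.conf are this example's own.

```shell
#!/bin/sh
# Added example (not from the answers above); run with --apply as root to
# touch the real files, otherwise only the functions are defined.
set -eu

SYS_SSHD=/usr/share/logwatch/scripts/services/sshd
LOCAL_SSHD=/etc/logwatch/scripts/services/sshd
SSHD_CONF=/etc/logwatch/conf/services/sshd.conf

# Step 1: does this copy of the sshd script honour the sshd_ip_lookup flag?
supports_ip_lookup_flag() {
    grep -q 'sshd_ip_lookup' "$1"
}

# Number of `my $name = LookupIP($ip);` lines left in a script (0 once edited).
count_lookups() {
    grep -c 'my \$name = LookupIP(\$ip);' "$1" || true
}

# Fallback (first answer): copy the script out of /usr/share so package updates
# cannot overwrite it, then turn every LookupIP($ip) into plain $ip.
# Prints how many lines were changed.
disable_lookups_by_edit() {
    src=$1; dst=$2
    before=$(count_lookups "$src")
    mkdir -p "$(dirname "$dst")"
    sed 's/my \$name = LookupIP(\$ip);/my $name = $ip;/g' "$src" > "$dst"
    echo "$before"
}

# Step 2: set the flag to No in the per-service config. Assumes logwatch's
# usual `$name = value` line format; rewrites an existing line, else appends.
set_ip_lookup_flag() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if grep -q '^[[:space:]]*\$sshd_ip_lookup[[:space:]]*=' "$conf"; then
        sed -i 's/^[[:space:]]*\$sshd_ip_lookup[[:space:]]*=.*/$sshd_ip_lookup = No/' "$conf"
    else
        echo '$sshd_ip_lookup = No' >> "$conf"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    if supports_ip_lookup_flag "$SYS_SSHD"; then
        set_ip_lookup_flag "$SSHD_CONF"
        echo "flag route: wrote \$sshd_ip_lookup = No to $SSHD_CONF"
    else
        n=$(disable_lookups_by_edit "$SYS_SSHD" "$LOCAL_SSHD")
        echo "edit route: replaced $n LookupIP call(s) in $LOCAL_SSHD"
    fi
fi
```

Once the upstream patch ships in your distribution's logwatch package, the flag route is taken automatically and the local copy under /etc can be deleted.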