From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)

Description of problem:
Logwatch will hang when processing kernel messages when it encounters an unresolvable IP name. Hackers will use spoofed IP addresses to gain access and therefore cause logwatch never to finish if it tries to look up the host's IP name. In a firewall configuration I recommend that the default Logwatch configuration should be to return IP addresses and not the host's name.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Spoofed IP address
2. Generate some denied and logged traffic to your firewall.
3. Run logwatch and watch it choke on LookupIP

Actual Results:
Logwatch will remain running in the background until it is either killed or finishes its parsing of the kernel messages, which could take longer than a day.

Expected Results:
Change to echo out IP address instead of name.

Additional info:
Change LookupIP function to be:

    sub LookupIP {
        my ($name, $a1, $a2, $a3, $a4, $PackedAddr, $Addr);
        $Addr = $_[0];
        ($a1, $a2, $a3, $a4) = split /\./, $Addr;
        $PackedAddr = pack('C4', $a1, $a2, $a3, $a4);
        # Reverse lookup commented out so the bare address is always returned
        # if ($name = gethostbyaddr ($PackedAddr,2)) {
        #     return ($name . " (" . $Addr . ")");
        # } else {
        return ($Addr);
        # }
    }
Fixed in logwatch-4.0
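
An alternative to removing the lookup, as an added example that is not logwatch's code and not the change shipped in logwatch-4.0: a LookupIP that keeps reverse resolution optional, runs each lookup in a child process with a time budget, and caches the result so one unresolvable address costs at most one timeout per run. The `$RESOLVE` and `$TIMEOUT` settings are hypothetical names, and the sample addresses are constructed from documentation ranges.

```perl
use strict;
use warnings;
use Socket qw(AF_INET);
use IO::Select;
use POSIX ();

my $RESOLVE = 1;   # hypothetical switch: 0 returns bare addresses, as the report asks
my $TIMEOUT = 2;   # hypothetical per-address budget in seconds
my %cache;         # each address is resolved, or given up on, once per run

sub LookupIP {
    my ($addr) = @_;
    return $addr unless $RESOLVE;
    return $cache{$addr} if exists $cache{$addr};

    # Accept only dotted quads, so a log field is never resolved as a host name.
    my @octets = $addr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return $cache{$addr} = $addr if @octets != 4 || grep { $_ > 255 } @octets;
    my $packed = pack('C4', @octets);

    pipe(my $rd, my $wr) or return $cache{$addr} = $addr;
    my $pid = fork();
    return $cache{$addr} = $addr unless defined $pid;
    if ($pid == 0) {                 # child: the only place that can block
        close $rd;
        my $name = gethostbyaddr($packed, AF_INET);
        print {$wr} $name if defined $name;
        close $wr;                   # flushes the answer to the parent
        POSIX::_exit(0);             # skip the parent's END blocks and buffers
    }
    close $wr;
    my $name = '';
    if (IO::Select->new($rd)->can_read($TIMEOUT)) {
        $name = <$rd> // '';         # empty on EOF: no PTR record
    } else {
        kill 'KILL', $pid;           # lookup overran its budget
    }
    close $rd;
    waitpid($pid, 0);
    $name =~ tr/A-Za-z0-9._-//cd;    # PTR data is remote-controlled: keep host-name characters only
    return $cache{$addr} = length $name ? "$name ($addr)" : $addr;
}

# Constructed sample input: two documentation addresses and one malformed field.
print LookupIP($_), "\n" for qw(192.0.2.1 203.0.113.7 192.0.2.1 not-an-ip);
```

With this shape the worst-case run time is bounded by the number of distinct addresses times `$TIMEOUT`, rather than by the resolver's own retry behaviour.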