[syslog-ng] proftpd, blog

Mon Oct 11 12:20:22 CEST 2010

On Wed, 2010-10-06 at 16:39 +0200, Peter Czanik wrote:
> On 10/06/2010 04:03 PM, Balazs Scheidler wrote:
> > On Tue, 2010-10-05 at 16:50 +0200, Peter Czanik wrote:
> >   
> >> Hello,
> >>
> >> Attached is a pre version of proftpd login/logout/failure events and the
> >> samples I used. As usual, new application, new problems.
> >>
> >> The first problem is, that out of box proftpd uses its own log files
> >> instead of syslog. This poses a couple of problems:
> >> * it resembles syslog logs, but looking closer it is not
> >> * it does not have all the logs
> >> So for collecting logs I commented out the SystemLog line, so syslog is
> >> used, and also enabled anonymous ftp.
> >>
> >> I could not find a perfect message suitable for 'logout'. There are two
> >> related lines:
> >>
> >> proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP
> >> session closed.
> >> But this is used any time a TCP/IP connection is closed, even when there
> >> was no actual login. And even if there was a login, it has no user
> >> information...
> >>
> >> proftpd: pam_unix(proftpd:session): session closed for user czanik
> >> This one has the user name, but no information at all about the session
> >> or IP address.
> >>     
> > do you have any identifying information that you could possibly use to
> > correllate the two entries?
> >   
> The "session closed" message has the IP address, but many companies, not
> just SoHo, have many users behind a single IP address, so it does not help.
> 
> > PID for instance?
> >   
> The "session closed" has PID, but the pam message, where the user name
> is available, there is no PID :-(

Isn't it possible to configure proftpd to include the PID? Because if it
is, the trick would be to use a combination of the PID and IP address as
session_id.

This way if there's a pid, we can be quite accurate. If we don't, then
we are as good as possible.

Also, please note that time is also a correllation factor. So even if
there's no pid and there are multiple users behind a single IP, the fact
that two events happen in close proximity gives us some assurance.

> 
> > I've doubts doing correllation just for the sake of the logout event,
> > because the length of the session can be quite long. (so what timeout
> > would you specify for the correllation engine 1 day? 7 days?)
> >   
> In a webhosting environment I have often seen multiple day ftp
> connections. With thousands of ftp connections an hour it's better not
> to think about the memory requirements of correlating this :-)

Yeah, it's not a good idea.

> 
> > I'd use the PAM generated event (e.g. session closed for user ...) and
> > the IP address is not that important in this case, because it is present
> > in the login event. you'd only need to make sure that the login/logout
> > events can be correllated at query time somehow. e.g. usracct.sessionid
> > should be the same for the two messages.
> >   
> PAM only has the usracct.username, no sessionid. And one user can login
> many times, for example AFAIR windows explorer opens two different
> connections, and the second one is not necessarily terminated at the
> same time. Or some download managers open 5-10 simultaneous connections
> with the same username.
> 
> Summary: neither information seems to be useful in real life situations...

let's talk about this in real life, we may be able to come up with a
solution.

-- 
Bazsi