On Fri, 2010-09-24 at 15:05 +0200, Peter Czanik wrote:
Hello,
I installed pure-ftpd and generated some logs. Here they are. They bring up many questions about what the best practices are in some situations...
Anonymous login:
Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
The 2nd could be used for the login event; the first is not needed from the usracct point of view.
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.
This is the logout event.
Successful user login:
Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
This is an alternative login event (e.g. both this and the anonymous one should be marked up as a usracct login).
Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.
usracct logout.
Denied root login:
Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
This should be the usracct login failure.
Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Wrong user password:
Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
This should be the usracct login failure.
Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Invalid user name:
Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
This should be the usracct login failure.
Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
The exact reason for the login failure (e.g. rejected username, or no user) could be correlated to the 2nd event, but the only way to do that is by using a timeout & perhaps a username. E.g. the rule for the first message is a store:

    <pattern>...</pattern>
    <values>
      <value name="details">$fail_reason</value>
    </values>
    <store id="pure-ftpd-auth-failure-reason" timeout="10"/>

The rule for the 2nd message is a join:

    <values join="pure-ftpd-auth-failure-reason">
      <value name="details">$details@1</value>
    </values>

This way, if the 2nd message comes within 10 seconds of the first, the failure reason is correlated to the 2nd. Of course it is not very robust; at least a PID number could help here. I've looked a bit further: pure-ftpd has a -l switch to include the pid information in the log message, thus we should probably recommend pure-ftpd users to do so, and also use the $PID macro in the session id of the store/join attributes.
Questions:
- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
Not all lines should be tagged as usracct events. And the messages that are should include the usernames in their payload, not just the header.
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
Well, the new connection message is irrelevant to user login/logout reporting. You could mark that up without tagging it to usracct.
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
Anonymous should be handled just like any other username, although it is canonically written as "anonymous" e.g. lower case.

-- Bazsi
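To make the store/join correlation Bazsi sketches above concrete, here is a small Python reimplementation of the same logic, added as an example and not part of the thread or of syslog-ng's patterndb. It classifies the pure-ftpd lines quoted in the thread into usracct login, logout and login-failure events, skips "New connection" (not a usracct event), maps the anonymous login to the lowercase username "anonymous", leaves the username empty when the header only carries "?", and stores the PAM failure reason under a session key for 10 seconds so it can be joined onto the later "Authentication failed" warning. The session key is the PID when the line carries one (as with `pure-ftpd -l`) and otherwise falls back to the username; that fallback, the `[pid]` header shape and the reason strings ("refused by pam_listfile", "no such user") are assumptions of this example. The sample log is the thread's own lines, embedded here as constructed input.

```python
import re
from datetime import datetime

# Constructed sample input: the lines Peter posted in the thread (no PID, since -l was not used).
SAMPLE_LOG = """\
Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.
Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.
Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
"""

# Syslog header; the optional [pid] is what `pure-ftpd -l` would add (assumed shape).
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pure-ftpd(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# pure-ftpd's own "(user@ip) [LEVEL] text" message shape.
SESSION_RE = re.compile(r"^\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<text>.*)$")
LOGGED_IN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
AUTH_FAILED_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]*)\]$")
# The two PAM messages that carry the actual failure reason (the "store" side).
PAM_REFUSED_RE = re.compile(r"^pam_listfile\([^)]*\): Refused user (?P<user>\S+) for service")
PAM_UNKNOWN_RE = re.compile(r"^gkr-pam: error looking up user information for: (?P<user>\S+)$")

JOIN_TIMEOUT = 10  # seconds, the timeout="10" from the store rule in the thread


def parse_ts(ts):
    # Syslog timestamps carry no year; strptime defaults to 1900, fine for differences.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def session_key(pid, user):
    # With -l the PID is the robust session id ($PID in the thread); without it we can
    # only key on the username, which is the weak correlation Bazsi warns about.
    return pid if pid else user


def correlate(lines, timeout=JOIN_TIMEOUT):
    """Turn pure-ftpd log lines into usracct events, joining a stored PAM failure reason
    onto the later 'Authentication failed' line if it arrives within `timeout` seconds."""
    stored = {}  # session key -> (timestamp, reason); plays the role of <store id=...>
    events = []
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"]), m["pid"], m["msg"]

        pm = PAM_REFUSED_RE.match(msg)
        if pm:
            stored[session_key(pid, pm["user"])] = (ts, "refused by pam_listfile")
            continue
        pm = PAM_UNKNOWN_RE.match(msg)
        if pm:
            stored[session_key(pid, pm["user"])] = (ts, "no such user")
            continue

        sm = SESSION_RE.match(msg)
        if not sm:
            continue
        header_user = None if sm["user"] == "?" else sm["user"]
        ip, text = sm["ip"], sm["text"]

        if text == "Anonymous user logged in":
            events.append({"ts": ts, "event": "login", "user": "anonymous", "ip": ip})
        elif LOGGED_IN_RE.match(text):
            events.append({"ts": ts, "event": "login",
                           "user": LOGGED_IN_RE.match(text)["user"], "ip": ip})
        elif text == "Logout.":
            events.append({"ts": ts, "event": "logout", "user": header_user, "ip": ip})
        elif AUTH_FAILED_RE.match(text):
            user = AUTH_FAILED_RE.match(text)["user"]
            # The "join" side: pop the stored reason, but only use it inside the timeout window.
            entry = stored.pop(session_key(pid, user), None)
            details = entry[1] if entry and (ts - entry[0]).total_seconds() <= timeout else None
            events.append({"ts": ts, "event": "login_failure", "user": user,
                           "ip": ip, "details": details})
        # "New connection from ..." falls through: it is not a usracct event.
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG.splitlines()):
        print(ev["ts"].strftime("%H:%M:%S"), ev["event"], ev["user"], ev.get("details"))
```

Run stand-alone it prints ten events; the three failures for root, czanik and asdf come out with the reasons "refused by pam_listfile", none, and "no such user" respectively, which is exactly the `$details@1` Bazsi's join rule would deliver. Because an expired entry is discarded on lookup, a PAM message more than ten seconds before its warning yields no details, the same behaviour as a timed-out store.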