Hello,

I installed pure-ftpd and generated some logs. Here they are. They bring up many questions about what the best practices are in some situations...

Anonymous login:

Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.

Successful user login:

Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.

Denied root login:

Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Wrong user password:

Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Invalid user name:

Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Questions:

- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>

-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
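
Added example, not part of the original message and not syslog-ng patterndb code: a Python parser for the pure-ftpd lines quoted above, showing one possible handling of the three questions. The field names (event, username, src_ip, level), the choice to store no username when the prefix shows "?", the fixed value "anonymous", and the failed_logins helper are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the message above (a subset).
SAMPLE = [
    "Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142",
    "Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in",
    "Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in",
    "Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.",
    "Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd",
    "Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]",
    "Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]",
]

# Session prefix: "pure-ftpd: (user@ip) [LEVEL] message"
PREFIX = re.compile(r"pure-ftpd: \((?P<user>[^@]*)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
# (event, message pattern, fixed username or None)
MESSAGES = [
    ("connect", re.compile(r"New connection from \S+$"), None),
    ("login", re.compile(r"Anonymous user logged in$"), "anonymous"),
    ("login", re.compile(r"(?P<user>\S+) is now logged in$"), None),
    ("auth_failure", re.compile(r"Authentication failed for user \[(?P<user>[^\]]*)\]$"), None),
    ("logout", re.compile(r"Logout\.$"), None),
]

def parse_line(line):
    """Parse one line; None if it lacks the (user@ip) prefix (PAM module lines)."""
    m = PREFIX.search(line)
    if not m:
        return None
    # "?" appears in the prefix before authentication: record no username.
    user = None if m["user"] == "?" else m["user"]
    event = "other"
    for name, rx, fixed_user in MESSAGES:
        body = rx.match(m["msg"])
        if body:
            # Prefer the name in the message body, then the prefix value.
            user = fixed_user or body.groupdict().get("user") or user
            event = name
            break
    # The address in "New connection from" repeats the prefix; keep one copy.
    return {"event": event, "username": user, "src_ip": m["ip"], "level": m["level"]}

def failed_logins(lines):
    """Count authentication failures per (source IP, attempted username)."""
    events = filter(None, map(parse_line, lines))
    return Counter((e["src_ip"], e["username"]) for e in events if e["event"] == "auth_failure")

if __name__ == "__main__":
    for key, count in failed_logins(SAMPLE).items():
        print(key, count)
```
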