On Wed, 2010-10-06 at 16:39 +0200, Peter Czanik wrote:
On 10/06/2010 04:03 PM, Balazs Scheidler wrote:
On Tue, 2010-10-05 at 16:50 +0200, Peter Czanik wrote:
Hello,
Attached is a pre version of proftpd login/logout/failure events and the samples I used. As usual, new application, new problems.
The first problem is, that out of the box proftpd uses its own log files instead of syslog. This poses a couple of problems:
* it resembles syslog logs, but looking closer it is not
* it does not have all the logs
So for collecting logs I commented out the SystemLog line, so syslog is used, and also enabled anonymous ftp.
I could not find a perfect message suitable for 'logout'. There are two related lines:
proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed. But this is used any time a TCP/IP connection is closed, even when there was no actual login. And even if there was a login, it has no user information...
proftpd: pam_unix(proftpd:session): session closed for user czanik This one has the user name, but no information at all about the session or IP address.
Do you have any identifying information that you could possibly use to correlate the two entries?
The "session closed" message has the IP address, but many companies, not just SoHo, have many users behind a single IP address, so it does not help.
PID for instance?
The "session closed" has PID, but the pam message, where the user name is available, there is no PID :-(
Isn't it possible to configure proftpd to include the PID? Because if it is, the trick would be to use a combination of the PID and IP address as session_id. This way if there's a pid, we can be quite accurate. If we don't, then we are as good as possible. Also, please note that time is also a correlation factor. So even if there's no pid and there are multiple users behind a single IP, the fact that two events happen in close proximity gives us some assurance.
I've doubts doing correlation just for the sake of the logout event, because the length of the session can be quite long. (so what timeout would you specify for the correlation engine, 1 day? 7 days?)
In a webhosting environment I have often seen multiple day ftp connections. With thousands of ftp connections an hour it's better not to think about the memory requirements of correlating this :-)
Yeah, it's not a good idea.
I'd use the PAM generated event (e.g. session closed for user ...) and the IP address is not that important in this case, because it is present in the login event. You'd only need to make sure that the login/logout events can be correlated at query time somehow, e.g. usracct.sessionid should be the same for the two messages.
PAM only has the usracct.username, no sessionid. And one user can log in many times, for example AFAIR Windows Explorer opens two different connections, and the second one is not necessarily terminated at the same time. Or some download managers open 5-10 simultaneous connections with the same username.
Summary: neither information seems to be useful in real life situations...
Let's talk about this in real life, we may be able to come up with a solution. -- Bazsi
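The two ideas floated in the thread, a session_id built from PID plus IP address when both are present, and time proximity as the fallback for pairing the proftpd "FTP session closed" line with the PAM "session closed for user" line, are illustrated below. This is an added example, not code from the thread or from syslog-ng's pattern database; it assumes plain syslog headers in front of the two messages quoted above, and the hostname, timestamps, year and the second session in the sample input are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample input: syslog-style lines built around the two proftpd
# messages quoted in the thread. The hostname, timestamps and the third
# session are made up for the example.
SAMPLE_LOG = """\
Oct  6 16:39:01 ftphost proftpd[6848]: ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed.
Oct  6 16:39:01 ftphost proftpd: pam_unix(proftpd:session): session closed for user czanik
Oct  6 16:45:10 ftphost proftpd[7001]: ubuntu (::ffff:192.168.2.50[::ffff:192.168.2.50]) - FTP session closed.
"""

# Syslog header: timestamp, host, program with optional [pid], then the message.
HEADER = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)
# "ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - FTP session closed."
SESSION_CLOSED = re.compile(r'^\S+ \((?P<ip>[^\[]+)\[[^\]]*\]\) - FTP session closed\.$')
# "pam_unix(proftpd:session): session closed for user czanik"
PAM_CLOSED = re.compile(r'^pam_unix\(proftpd:session\): session closed for user (?P<user>\S+)$')


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                 # "ftp_closed" or "pam_closed"
    pid: Optional[str] = None
    ip: Optional[str] = None
    user: Optional[str] = None


def normalize_ip(ip: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix proftpd prints on dual-stack hosts."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def parse_line(line: str, year: int = 2010) -> Optional[Event]:
    """Turn one syslog line into an Event, or None if it is not one of the two messages."""
    m = HEADER.match(line)
    if not m or m.group("prog") != "proftpd":
        return None
    # Syslog timestamps carry no year; the year is an assumption supplied by the caller.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    msg = m.group("msg")
    s = SESSION_CLOSED.match(msg)
    if s:
        return Event(ts, m.group("host"), "ftp_closed", pid=m.group("pid"), ip=normalize_ip(s.group("ip")))
    p = PAM_CLOSED.match(msg)
    if p:
        return Event(ts, m.group("host"), "pam_closed", pid=m.group("pid"), user=p.group("user"))
    return None


def parse_log(text: str) -> list[Event]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def session_id(ev: Event) -> Optional[str]:
    """PID@IP when both are known; the IP alone otherwise (ambiguous behind NAT); None if neither."""
    if ev.pid and ev.ip:
        return f"{ev.pid}@{ev.ip}"
    return ev.ip


def correlate(events: list[Event], window: timedelta = timedelta(seconds=5)) -> list[tuple[str, Optional[str]]]:
    """Pair each PAM 'session closed for user' with the nearest-in-time proftpd
    'FTP session closed' on the same host within `window`. Each FTP event is used
    at most once. When several sessions close in the same second this is a best
    guess only, which is exactly the limitation the thread points out."""
    closed = sorted((e for e in events if e.kind == "ftp_closed"), key=lambda e: e.ts)
    used: set[int] = set()
    pairs: list[tuple[str, Optional[str]]] = []
    for pam in sorted((e for e in events if e.kind == "pam_closed"), key=lambda e: e.ts):
        candidates = [
            (abs(ftp.ts - pam.ts), i) for i, ftp in enumerate(closed)
            if i not in used and ftp.host == pam.host and abs(ftp.ts - pam.ts) <= window
        ]
        if candidates:
            _, i = min(candidates)
            used.add(i)
            pairs.append((pam.user, session_id(closed[i])))
        else:
            pairs.append((pam.user, None))   # user name known, session could not be identified
    return pairs


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, sid in correlate(events):
        print(f"user={user} session_id={sid}")
```

Running it pairs czanik with session 6848@192.168.2.179; the third "FTP session closed" line has no PAM counterpart within the window and is left unpaired, which is the case a logout event without a user name would produce. With the day-long sessions mentioned in the thread the pairing here deliberately uses only the two logout-side messages, so the window stays seconds, not days.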