Hello,

I installed pure-ftpd and generated some logs. Here they are. They bring up many questions about what the best practices are in some situations...

Anonymous login:
Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.

Successful user login:
Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.

Denied root login:
Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Wrong user password:
Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Invalid user name:
Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

Questions:
- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>

--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
My votes:
- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
I would vote not to store the question mark since I think the ? is equivalent to NULL, which is what would get logically stored anyway.
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
I'm not seeing the IP twice in the examples you provided. If it is indeed there twice, I guess the question is what the tag name is for both. If you weren't planning on having a tag for one of the two occurrences, then I would say skip that one since it wouldn't make sense without a tag name.
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
I think "Anonymous" should definitely get logged the same as any other user name, since you would want to see that on reports. Another thought would be to maybe switch it to the IP address, but I don't see how you would do that across log lines.
Hello,

On 09/24/2010 03:34 PM, Martin Holste wrote:
My votes:
- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
I would vote not to store the question mark since I think the ? is equivalent to NULL, which is what would get logically stored anyway.
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
I'm not seeing the IP twice in the examples you provided.

It was broken into two lines due to automatic line breaks, but the next is a single log line, where the remote IP address (192.168.2.142) appears twice:

Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
If it is indeed there twice, I guess the question is what the tag name is for both. If you weren't planning on having a tag for one of the two occurrences, then I would say skip that one since it wouldn't make sense without a tag name.
As the address/fqdn is always the same here, it belongs to the same variable, useracct.device, so storing it once is enough. Then the first appearance could be discarded with a @QSTRING::@@)@ and the second one stored with an @ANYSTRING:useracct.device@.
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
I think "Anonymous" should definitely get logged the same as any other user name, since you would want to see that on reports.
It would be stored both ways, I just would like to know which is more elegant, less resource hungry, etc.
Another thought would be to maybe switch it to the IP address, but I don't see how you would do that across log lines.
Well, that would require some session tracking, but even then we are out of luck, as session information is missing from the logs.

Bye,

--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
On Fri, 2010-09-24 at 15:05 +0200, Peter Czanik wrote:
Hello,
I installed pure-ftpd and generated some logs. Here they are. They bring up many questions about what the best practices are in some situations...

Anonymous login:
Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
The 2nd could be used for the login event, the first is not needed from the usracct point of view.
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.
This is the logout event.
Successful user login:
Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
this is an alternative login event (e.g. both this and the anonymous one should be marked up as a usracct login)
Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.
usracct logout.
Denied root login:
Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
this should be the usracct login failure.
Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Wrong user password:
Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
this should be the usracct login failure.
Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
Invalid user name:
Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
this should be the usracct login failure.
Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
The exact reason for the login failure (e.g. rejected username, or no user) could be correlated to the 2nd event, but the only way to do that is by using a timeout & perhaps a username. E.g. the rule for the first message is a store:

<pattern>...</pattern>
<values>
  <value name="details">$fail_reason</value>
</values>
<store id="pure-ftpd-auth-failure-reason" timeout="10"/>

The rule for the 2nd message is a join:

<values join="pure-ftpd-auth-failure-reason">
  <value name="details">$details@1</value>
</values>

This way if the 2nd message comes within 10 seconds of the first, the failure reason is correlated to the 2nd. Of course it is not very robust, at least a PID number could help here.

I've looked a bit further, pure-ftpd has a -l switch to include the pid information in the log message, thus we should probably recommend pure-ftpd users to do so, and also use the $PID macro in the session id of the store/join attributes.
Questions:
- many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
Not all lines should be tagged as usracct events. And the messages that should include the usernames in their payload, not just the header.
- the "New connection" line has the same info (the IP address) twice. How should it be handled?
Well, the new connection message is irrelevant to user login/logout reporting. You could mark that up without tagging it to usracct.
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
anonymous should be handled just like any other username, although it is canonically written as "anonymous" e.g. lower case.

--
Bazsi
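To make the thread's proposals concrete in one place (take the device once from the "(user@device)" header, treat "?" as no username, emit usracct login/logout/failure events only, and join a PAM failure reason to the following "Authentication failed" line within the proposed 10-second window), here is an added Python sketch. It is not code from the thread or from syslog-ng's patterndb; the event names, dict fields and the year default are my own choices, and the sample lines are constructed from the log excerpts quoted above.

```python
import re
from datetime import datetime, timedelta
# Constructed input: the pure-ftpd lines quoted in this thread, merged into one stream.
SAMPLE_LOG = """\
Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142
Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in
Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.
Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in
Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd
Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]
Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]
Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf
Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]
"""
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: (.*)$")
# "(user@device) [LEVEL] text": the device is taken once, from here; "?" = username unknown.
PREFIX = re.compile(r"^\(([^@]*)@([^)]+)\) \[\w+\] (.*)$")
REASONS = [  # PAM lines carrying the failure reason; group 1 is the user they name
    re.compile(r"^pam_listfile\(pure-ftpd:auth\): Refused user (\S+) "),
    re.compile(r"^gkr-pam: error looking up user information for: (\S+)$")]
TIMEOUT = timedelta(seconds=10)  # same window as the proposed <store timeout="10"/>

def usracct_events(log, year=2010):
    events, store = [], None     # store stands in for patterndb's <store>/<join> context
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        reason = next((r for r in (rx.match(msg) for rx in REASONS) if r), None)
        if reason:               # first message of a failure: remember it, emit nothing
            store = (ts, reason.group(1), msg)
            continue
        p = PREFIX.match(msg)
        if not p:
            continue
        user, device, text = (None if p.group(1) == "?" else p.group(1)), p.group(2), p.group(3)
        if text == "Anonymous user logged in":
            events.append({"event": "login", "username": "anonymous", "device": device})
        elif text.endswith(" is now logged in"):
            events.append({"event": "login", "username": text.split(" ")[0], "device": device})
        elif text == "Logout.":  # the username is only known here; None if the header had "?"
            events.append({"event": "logout", "username": user, "device": device})
        elif text.startswith("Authentication failed for user ["):
            failed = text[len("Authentication failed for user ["):-1]
            joined = store is not None and ts - store[0] <= TIMEOUT and store[1] == failed
            events.append({"event": "login_failure", "username": failed, "device": device,
                           "details": store[2] if joined else None})
            store = None         # the stored context is consumed by the join
    return events
```

"New connection" lines pass the header check but match no event branch, so they are marked up without producing a usracct event, as suggested above.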
Hello,

On 09/29/2010 01:26 PM, Balazs Scheidler wrote:
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
anonymous should be handled just like any other username, although it is canonically written as "anonymous" e.g. lower case.
Anonymous is logged differently, so it can't be handled with the same rule:

"Anonymous user logged in" vs. "czanik is now logged in"

Considering that the lower case name is preferred, I'd say that we should use the second way, but use a lowercase "anonymous":

<value name="usracct.username">anonymous</value>

Bye,

--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
On Wed, 2010-09-29 at 13:35 +0200, Peter Czanik wrote:
Hello,
On 09/29/2010 01:26 PM, Balazs Scheidler wrote:
- how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
anonymous should be handled just like any other username, although it is canonically written as "anonymous" e.g. lower case.
Anonymous is logged differently, so it can't be handled with the same rule:
"Anonymous user logged in" vs. "czanik is now logged in"
Considering that the lower case name is preferred, I'd say that we should use the second way, but use a lowercase "anonymous":

<value name="usracct.username">anonymous</value>

Bye,
it doesn't have to be the same rule. two rules can result in the same tags/name-value pairs. even more, it is better if they are different rules, they identify different messages after all. multiple patterns should only be used if the same log message has multiple variants.

--
Bazsi