[syslog-ng] pure-ftpd

Balazs Scheidler bazsi at balabit.hu
Wed Sep 29 13:26:28 CEST 2010


On Fri, 2010-09-24 at 15:05 +0200, Peter Czanik wrote:
> Hello,
> 
> I installed pure-ftpd and generated some logs. Here they are. They bring
> up many questions what are the best practices in some situations...
> 
> Anonymous login:
> Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New
> connection from 192.168.2.142
> Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous
> user logged in

The 2nd could be used for the login event, the first is not needed from
the usracct point of view.

> Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.

This is the logout event.

> 
> Successful user login:
> Sep 24 13:54:15 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New
> connection from 192.168.2.142
> Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is
> now logged in

this is an alternative login event (e.g. both this and the anonymous one
should be marked up as a usracct login)

> Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.

usracct logout.

> 
> Denied root login:
> Sep 24 13:54:22 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New
> connection from 192.168.2.142
> Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth):
> Refused user root for service pure-ftpd
> Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING]
> Authentication failed for user [root]

this should be the usracct login failure.

> Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
> 
> Wrong user password:
> Sep 24 13:57:43 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New
> connection from 192.168.2.142
> Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING]
> Authentication failed for user [czanik]

this should be the usracct login failure.

> Sep 24 13:57:52 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.
> 
> Invalid user name:
> Sep 24 13:57:53 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New
> connection from 192.168.2.142
> Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user
> information for: asdf
> Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING]
> Authentication failed for user [asdf]

this should be the usracct login failure.

> Sep 24 13:58:03 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.

the exact reason for the login failure (e.g. rejected username, or no
user) could be correlated to the 2nd event, but the only way to do that
is by using a timeout & perhaps a username.

e.g. 

rule for the first message is a store:
<pattern>...</pattern>
<values>
  <value name="details">$fail_reason</value>
</values>
<store id="pure-ftpd-auth-failure-reason" timeout="10"/>

rule for the 2nd message is a join:
<values join="pure-ftpd-auth-failure-reason">
  <value name="details">$details@1</value>
</values>

This way if the 2nd message comes within 10 seconds of the first, the
failure reason is correlated to the 2nd. Of course it is not very
robust, at least a PID number could help here.

I've looked a bit further, pure-ftpd has a -l switch to include the pid
information in the log message, thus we should probably recommend
pure-ftpd users to do so, and also use the $PID macro in the session id
of the store/join attributes.

> 
> Questions:
> 
> - many times there is just a question mark instead of the username.
> Should it still be stored in a variable (useracct.username) or only for
> the Logout lines, where it actually might get a useful value?

Not all lines should be tagged as usracct events. And the messages that
are should include the usernames in their payload, not just in the header.

> 
> - the "New connection" line has the same info (the IP address) twice.
> How should it be handled?

Well, the new connection message is irrelevant to user login/logout
reporting. You could mark that up without tagging it to usracct.

> 
> - how should Anonymous login be handled?
> @QSTRING:useracct.username: @
> vs.
> <value name="usracct.username">Anonymous</value>

anonymous should be handled just like any other username, although it is
canonically written as "anonymous" e.g. lower case.

-- 
Bazsi
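As an added example (not code from the syslog-ng project or from either poster), here is the classification and the timeout-based store/join sketched in the message, written as a small Python correlator and run over the log lines quoted in the thread plus two constructed PID-tagged lines. The `pure-ftpd[pid]:` header form, the context key `(host, pid)`, the reason strings and the decision to drop a `(?@ip) Logout.` that follows a failed login are assumptions made for the example.

```python
"""Classify pure-ftpd syslog lines into usracct login/logout/failure events and
join the PAM "reason" line with the later "Authentication failed" line.
Added example; not syslog-ng patterndb code and not from the thread."""
import re
from datetime import datetime

# Syslog header as in the thread; the optional "[pid]" form is an assumption
# about what a PID-enabled pure-ftpd would emit.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"pure-ftpd(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ANON_LOGIN = re.compile(r"^\(\?@(?P<ip>[\d.]+)\) \[INFO\] Anonymous user logged in$")
USER_LOGIN = re.compile(r"^\(\?@(?P<ip>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in$")
LOGOUT = re.compile(r"^\((?P<user>[^@)]+)@(?P<ip>[\d.]+)\) \[INFO\] Logout\.$")
AUTH_FAIL = re.compile(
    r"^\(\?@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]*)\]$")
# The two "reason" lines seen in the thread. They carry no client address, so
# they can only be tied to the failure that follows by proximity: time, pid, username.
REASONS = (
    (re.compile(r"^pam_listfile\(pure-ftpd:auth\): Refused user (?P<user>\S+) for service pure-ftpd$"),
     "refused by pam_listfile"),
    (re.compile(r"^gkr-pam: error looking up user information for: (?P<user>\S+)$"),
     "no such user"),
)
TIMEOUT = 10  # seconds; the window used in the store/join sketch in the thread


def parse_ts(ts):
    # Classic syslog timestamps carry no year; strptime fills in 1900, fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def classify(msg):
    """Map one pure-ftpd message body to a usracct event, or None if it is not one."""
    m = ANON_LOGIN.match(msg)
    if m:
        # Anonymous is treated like any other user, with the canonical lower-case name.
        return {"event": "login", "username": "anonymous", "ip": m["ip"]}
    m = USER_LOGIN.match(msg)
    if m:
        return {"event": "login", "username": m["user"], "ip": m["ip"]}
    m = AUTH_FAIL.match(msg)
    if m:
        return {"event": "login_failure", "username": m["user"], "ip": m["ip"], "details": None}
    m = LOGOUT.match(msg)
    if m and m["user"] != "?":
        # "(?@ip) Logout." follows a failed login: no session existed, so no usracct logout.
        return {"event": "logout", "username": m["user"], "ip": m["ip"]}
    return None  # "New connection", PAM chatter, anything unknown


def correlate(lines, timeout=TIMEOUT):
    """Run the store/join logic over syslog lines; returns the usracct events in order."""
    pending = {}  # (host, pid) -> (timestamp, username, reason): the "store"
    events = []
    for line in lines:
        h = HEADER.match(line)
        if not h:
            continue
        ts, key, msg = parse_ts(h["ts"]), (h["host"], h["pid"]), h["msg"]
        reason = next(((r["user"], why) for rx, why in REASONS if (r := rx.match(msg))), None)
        if reason:
            pending[key] = (ts, reason[0], reason[1])
            continue
        ev = classify(msg)
        if ev is None:
            continue
        if ev["event"] == "login_failure":
            # The join: same context key, same username, within the timeout. Without a
            # pid every pure-ftpd child on the host shares one key, which is why the
            # thread recommends logging the pid and keying the context on $PID.
            s = pending.get(key)
            if s and s[1] == ev["username"] and (ts - s[0]).total_seconds() <= timeout:
                ev["details"] = s[2]
                del pending[key]
        events.append(ev)
    return events


# Lines 1-11 are the ones quoted in the thread (rewrapped); the last two are
# constructed to show that distinct pids keep a reason from joining the wrong child.
SAMPLE_LINES = [
    "Sep 24 13:53:05 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142",
    "Sep 24 13:53:08 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Anonymous user logged in",
    "Sep 24 13:53:11 linux-6y8u pure-ftpd: (ftp@192.168.2.142) [INFO] Logout.",
    "Sep 24 13:54:19 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] czanik is now logged in",
    "Sep 24 13:54:21 linux-6y8u pure-ftpd: (czanik@192.168.2.142) [INFO] Logout.",
    "Sep 24 13:54:24 linux-6y8u pure-ftpd: pam_listfile(pure-ftpd:auth): Refused user root for service pure-ftpd",
    "Sep 24 13:54:27 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [root]",
    "Sep 24 13:54:30 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] Logout.",
    "Sep 24 13:57:51 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [czanik]",
    "Sep 24 13:57:55 linux-6y8u pure-ftpd: gkr-pam: error looking up user information for: asdf",
    "Sep 24 13:58:00 linux-6y8u pure-ftpd: (?@192.168.2.142) [WARNING] Authentication failed for user [asdf]",
    "Sep 24 14:00:01 linux-6y8u pure-ftpd[4242]: gkr-pam: error looking up user information for: qwer",
    "Sep 24 14:00:03 linux-6y8u pure-ftpd[4243]: (?@192.168.2.142) [WARNING] Authentication failed for user [qwer]",
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_LINES):
        print(ev)
```

Running it yields one login and one logout for anonymous (`ftp` on the logout line, as pure-ftpd reports it) and for `czanik`, and four login failures: `root` joined with the pam_listfile reason, `czanik` with no reason line at all, `asdf` joined with "no such user", and the constructed `qwer` left without details because the reason and the failure came from different pids. Shrinking `timeout` to one second drops both joins, which is the fragility the message warns about.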
