Bug#654557: logcheck-database: pure-ftpd rules need update
control: tags -1 + pending
Bug#654557: logcheck-database: pure-ftpd rules need update
On Sat, 1 Jun 2024, Richard Lewis wrote:

> > May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> > from 152.32.206.247
> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> > from 152.32.206.247
> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user
> > logged in
> > May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.
>
> I have some followups:
>
> 1. whether all rules should allow a ?
> I see that the first 2 rules already allowed a ? -- should all the
> other rules allow a ? or just the login/logout one? (do you get
> a "?" for all anonymous users for example?)

First: I am not a pure-ftpd expert. I just browsed the logs yesterday,
then I've done some tests.
As far as I can see the username is '?' before a successful login.
Including the case where the user aborts the session.
This is why '?' can occur in logout messages.
After the login the actual username is logged, but 'anonymous' is
transformed into 'ftp'.

> 2. lack of pids
> The rules all start
>
>     pure-ftpd: ...
>
> do you really not see a pid after the "pure-ftpd"? this might be a

Yes, I don't. At least on my system.
Actual package versions are:
pure-ftpd 1.0.49-4.1
rsyslog 8.2102.0-2+deb11u1

> syslog vs systemd thing but probably we should allow an optional pid?
> (if you did "journalctl -t pure-ftpd" you would see a pid i think, so

Yes, indeed:

Nov 09 05:23:50 gatling pure-ftpd[107200]: (?@crawl-66-249-73-207.googlebot.com) [INFO] New connection from crawl-66-249-73-207.googlebot.com
Nov 09 05:23:50 gatling pure-ftpd[107200]: (?@crawl-66-249-73-207.googlebot.com) [INFO] Anonymous user logged in
Nov 09 05:23:51 gatling pure-ftpd[107200]: (f...@crawl-66-249-73-207.googlebot.com) [INFO] Can't change directory to heursch.pdf: Not a directory

> we should add that as an optional group(?)

I don't know.
On my server, neither 'pure-ftpd' nor 'pureftp' has a pid group, but I never missed it.
(Gee! Why are there two similar files in the logcheck-database package?)

> 3. The last rule was
>
>     ... pure-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service pure-ftpd$
>
> I assume this a) comes from PAM b) isn't produced any more?

I don't know. I have no disabled users.

Cheers

Gabor

-- 
No smoke, no drugs, no vindoze.
Bug#654557: logcheck-database: pure-ftpd rules need update
On Sat, 1 Jun 2024 at 14:21, Kiss Gabor (Bitman) wrote:
>
> On Sat, 1 Jun 2024, Richard Lewis wrote:
>
> > > does not cover log entry
> > >
> > > Jan  4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.
> > >
> > > The problem is with ? before @.
> >
> > It's a shame no-one replied to this bug from 2012
> > Is there still interest in adding this rule, and is the above still valid?
>
> Dear Richard,
>
> I was not waiting paralyzed till now. :-)
> I've created a local rule to solve the problem.
>
> > is the above message really harmless? if the bit before the @ is meant
> > to be a username then it looks like something fishy is going on and
> > this message should not be filtered?
>
> AFAIK "?" stands for the username if the session is terminated
> before logging in.
>
> May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
> May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> from 152.32.206.247
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> from 152.32.206.247
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user
> logged in
> May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.
>
> I think this is quite uninteresting. But it's up to you.

thank you - i agree, we should add this to the rules.

I also see that there are some other rules in pureftp in both
ignore.d.server and ignore.d.paranoid.
Merging everything into ignore.d.server, my candidate rules are:

([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] [_.[:alnum:]-]+ is now logged in$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: (No such file or|Not a) directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout \(no new data for [0-9]+ seconds\)$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded \([0-9]+ bytes, [0-9.]+KB/sec\)$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] File successfully renamed or moved: \[.+\]->\[.+\]$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Deleted .+$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No such file or directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \(\?@[._[:alnum:]-]+\) \[DEBUG\] This is a private system - No anonymous login$

---

I have some followups:

1. whether all rules should allow a ?
I see that the first 2 rules already allowed a ? -- should all the
other rules allow a ? or just the login/logout one? (do you get
a "?" for all anonymous users for example?)

2. lack of pids
The rules all start

    pure-ftpd: ...

do you really not see a pid after the "pure-ftpd"? this might be a
syslog vs systemd thing but probably we should allow an optional pid?
(if you did "journalctl -t pure-ftpd" you would see a pid i think, so
we should add that as an optional group(?)

3. The last rule was

    ... pure-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service pure-ftpd$

I assume this a) comes from PAM b) isn't produced any more?
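To see what the "?" username and the optional pid actually change, here is an added example (my own harness, not the logcheck-database package's test code): it replays the log lines quoted in this bug through `grep -E -v -f RULES`, which is how logcheck decides what to report, once against the old Logout rule from the original report and once against four of the candidate rules above. Assumptions: the sample log is constructed from the quoted lines (the single-digit day is padded with a space as syslog writes it, and the post-login anonymous username is "ftp" as Gabor describes), and I anchor the candidate rules with `^`, which the existing rule has and the quoted list does not.

```shell
#!/bin/sh
# Added example, not code from the logcheck-database package. Replays the
# log lines quoted in the bug through the same grep invocation logcheck
# uses (grep -E -v -f RULES): whatever survives is what logcheck reports.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log. Lines 1-5: rsyslog format, no pid, day padded
# with a space. Lines 6-7: journalctl format with a pid in brackets.
# "ftp" after login is an assumption based on the thread, not a captured line.
cat >"$WORK/sample.log" <<'EOF'
Jan  4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.
May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection from 152.32.206.247
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user logged in
May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.
Nov 09 05:23:50 gatling pure-ftpd[107200]: (?@crawl-66-249-73-207.googlebot.com) [INFO] New connection from crawl-66-249-73-207.googlebot.com
Nov 09 05:23:51 gatling pure-ftpd[107200]: (ftp@crawl-66-249-73-207.googlebot.com) [INFO] Can't change directory to heursch.pdf: Not a directory
EOF

# The rule from the original 2012 report: no "?" in the username class
# and no optional pid after "pure-ftpd".
cat >"$WORK/old.rules" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
EOF

# Four of the candidate rules, anchored with ^ (my addition): "?" allowed
# before "@" in the connection and logout rules, optional "[pid]", and
# both the syslog and the ISO timestamp alternatives.
cat >"$WORK/new.rules" <<'EOF'
^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] [_.[:alnum:]-]+ is now logged in$
^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: (No such file or|Not a) directory$
^([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
EOF

# Number of lines in LOG ($1) that no rule in RULES ($2) matches, i.e. the
# lines logcheck would put in its report. 0 means the sample is fully filtered.
count_unmatched() {
    grep -E -v -c -f "$2" "$1"
}

# Same selection, printed for a human to read.
show_unmatched() {
    grep -E -v -f "$2" "$1"
}

echo "== left unfiltered by the old Logout rule: $(count_unmatched "$WORK/sample.log" "$WORK/old.rules") =="
show_unmatched "$WORK/sample.log" "$WORK/old.rules"
echo "== left unfiltered by the candidate rules: $(count_unmatched "$WORK/sample.log" "$WORK/new.rules") =="
show_unmatched "$WORK/sample.log" "$WORK/new.rules"
```

The old rule lets six of the seven lines through (every "?@" line plus both pid-bearing journal lines); the candidate rules let exactly one through, "Anonymous user logged in", which none of the rules in the list above cover. Whoever applies the list should decide deliberately whether to add a rule for it or keep seeing anonymous logins in the report. Note that grep exits 1 when everything is filtered, so `count_unmatched` needs `|| true` if you call it under `set -e`.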
Bug#654557: logcheck-database: pure-ftpd rules need update
On Sat, 1 Jun 2024, Richard Lewis wrote:

> > does not cover log entry
> >
> > Jan  4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.
> >
> > The problem is with ? before @.
>
> It's a shame no-one replied to this bug from 2012
> Is there still interest in adding this rule, and is the above still valid?

Dear Richard,

I was not waiting paralyzed till now. :-)
I've created a local rule to solve the problem.

> is the above message really harmless? if the bit before the @ is meant
> to be a username then it looks like something fishy is going on and
> this message should not be filtered?

AFAIK "?" stands for the username if the session is terminated
before logging in.

May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection from 152.32.206.247
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection from 152.32.206.247
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user logged in
May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.

I think this is quite uninteresting. But it's up to you.

Cheers

Gabor

-- 
A mug of beer, please. Shaken, not stirred.
Bug#654557: logcheck-database: pure-ftpd rules need update
control: tags -1 + moreinfo
thanks

On Wed, 04 Jan 2012 09:58:11 +0100 Gabor Kiss wrote:
> /etc/logcheck/ignore.d.server/pure-ftpd rule
>
> ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
>
> does not cover log entry
>
> Jan  4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.
>
> The problem is with ? before @.

It's a shame no-one replied to this bug from 2012
Is there still interest in adding this rule, and is the above still valid?

is the above message really harmless? if the bit before the @ is meant
to be a username then it looks like something fishy is going on and
this message should not be filtered?
Bug#654557: logcheck-database: pure-ftpd rules need update
Package: logcheck-database
Version: 1.3.13
Severity: minor

/etc/logcheck/ignore.d.server/pure-ftpd rule

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd: \([._[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$

does not cover log entry

Jan  4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.

The problem is with ? before @.

Regards

Gabor

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

pure-ftpd version is 1.0.28-3

-- no debconf information