On Sat, 1 Jun 2024 at 14:21, Kiss Gabor (Bitman) <ki...@ssg.ki.iif.hu> wrote:
>
> On Sat, 1 Jun 2024, Richard Lewis wrote:
>
> > > does not cover log entry
> > >
> > > Jan 4 07:23:42 gatling pure-ftpd: (?@203.158.197.21) [INFO] Logout.
> > >
> > > The problem is with ? before @.
> >
> > It's a shame no-one replied to this bug from 2012
> > Is there still interest in adding this rule, and is the above still valid?
>
> Dear Richard,
>
> I was not waiting paralyzed till now. :-)
> I've created a local rule to solve the problem.
>
> > is the above message really harmless? if the bit before the @ is meant
> > to be a username then it looks like something fishy is going on and
> > this message should not be filtered?
>
> AFAIK "?" stands for the username if the session is terminated
> before logging in.
>
> May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
> May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> from 152.32.206.247
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection
> from 152.32.206.247
> May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user
> logged in
> May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.
>
> I think this is quite uninteresting. But it's up to you.
Thank you - I agree, we should add this to the rules.

I also see that there are some other rules in pureftp in both
ignore.d.server and ignore.d.paranoid. Merging everything into
ignore.d.server my candidate rules are:

----------------------------------------------------------------------------------------
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] New connection from [._[:alnum:]-]+$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] [_.[:alnum:]-]+ is now logged in$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Can't change directory to .+: (No such file or|Not a) directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout - try typing a little faster next time$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout \(no new data for [0-9]+ seconds\)$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([?_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Logout\.$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] .+ (up|down)loaded \([0-9]+ bytes, [0-9.]+KB/sec\)$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] File successfully renamed or moved: \[.+\]->\[.+\]$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[NOTICE\] Deleted .+$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[INFO\] Timeout$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't open .+: No such file or directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \([_.[:alnum:]-]+@[._[:alnum:]-]+\) \[ERROR\] Can't remove directory: No such file or directory$
([[:alpha:]]{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ pure-ftpd(\[[0-9]+\])?: \(\?@[._[:alnum:]-]+\) \[DEBUG\] This is a private system - No anonymous login$
-----------------------------------------------------------------------------------------------

I have some followups:

1. whether all rules should allow a ?

I see that the first 2 rules already allowed a ? -- should all the other
rules allow a ? or just the login/logout one? (do you get a "?" for all
anonymous users for example?)

2. lack of pids

The rules all start <timestamp> <hostname> pure-ftpd: ... do you really not
see a pid after the "pure-ftpd"? this might be a syslog vs systemd thing but
probably we should allow an optional pid? (if you did "journalctl -t pure-ftpd"
you would see a pid i think, so we should add that as an optional group(?)

3. The last rule was

... pure-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service pure-ftpd$

I assume this a) comes from PAM b) isn't produced any more?