File: ftpd-messages

#!/usr/bin/perl
##########################################################################
# $Id: ftpd-messages,v 1.25 2003/12/15 18:09:23 kirk Exp $
##########################################################################

########################################################
# This was written and is maintained by:
#    Kirk Bauer <kirk@kaybee.org>
#
# Please send all comments, suggestions, bug reports,
#    etc, to kirk@kaybee.org.
########################################################

# Report verbosity handed down by logwatch; 0 when it is not exported.
# The sections at the bottom gate themselves on thresholds of 5 and 10.
$Detail = $ENV{LOGWATCH_DETAIL_LEVEL} || 0;
# Any true value suppresses the trailing "**Unmatched Entries**" dump.
$IgnoreUnmatched = $ENV{ftpd_ignore_unmatched};

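# Log lines that carry nothing worth reporting.  A line matching any of
# these is dropped before the classifying patterns are tried.  This was
# the first branch of one long if/elsif chain; keeping it as data makes
# the list readable and lets each pattern sit on its own line.
my @SkipPatterns = (
   qr/FTP session closed$/,
   qr/^getpeername \(in.ftpd\): Transport endpoint is not connected$/,
   qr/^QUIT$/,
   qr/^[\w\.]+: connected: IDLE\s\[\d+\]: failed login from/,
   qr/^lost connection to /,
   qr/^wu-ftpd - TLS settings:/,

   # The connect info is extracted elsewhere:
   qr/^USER /,
   qr/^[^ ]+: [^ ]+: USER [^ ]+\[\d+\]:/,

   qr/^PASS /,
   qr/^[^ ]+: [^ ]+: IDLE\[\d+\]: PASS password$/,

   # These are uninteresting:
   qr/^[^ ]+: [^ ]+: TYPE /,
   qr/^[^ ]+: [^ ]+: PORT /,
   qr/^[^ ]+: [^ ]+: STOR /,
   qr/^[^ ]+: [^ ]+: RNFR /,
   qr/^[^ ]+: [^ ]+: RNTO /,
   qr/^[^ ]+: [^ ]+: SYST\[\d+\]: SYST$/,
   qr/^[^ ]+: [^ ]+: QUIT\[\d+\]: QUIT$/,
   qr/^[^ ]+: [^ ]+: PASV\[\d+\]: PASV$/,

   # Some people may want these things below, but not in a simple upfront security
   qr/^[^ ]+: [^ ]+: RETR /,
   qr/^[^ ]+: [^ ]+: LIST /,
   qr/^[^ ]+: [^ ]+: NLST /,

   # 62.161.227.69: connected: SYST[27800]: cmd failure - not logged in
   qr/^[^ ]+: [^ ]+: SYST\[\d+\]: cmd failure - not logged in$/,
   qr/^User .* timed out after .* seconds at .*$/,
);

# File one raw log line (trailing newline still attached) into the
# report hashes, trying the patterns in the same order as before, and
# return the name of the bucket it landed in: ignored, anon_login,
# user_login, failed_login, refused_port, segfault, deleted_file,
# security_violation, refused_anon_login, timed_out or unmatched.
# The return value only exists so the classifier can be exercised
# without feeding STDIN; the main loop below discards it.
#
# NOTE(review): $Host, $IP, $User and $Email are copied from the log
# line as-is, i.e. ultimately from whatever the remote FTP client sent,
# and become report text verbatim; @OtherList keeps whole raw lines.
# Control characters in a client-supplied user name therefore reach the
# report unfiltered -- worth a sanitising pass if reports are read on a
# terminal.
sub _ftpd_classify {
   my ($ThisLine) = @_;
   my ($Host, $IP, $User, $Email, $Limit, $Class, $File, $Pass);

   if ( grep { $ThisLine =~ $_ } @SkipPatterns ) {
      # We don't care about any of these
      return 'ignored';
   }
   if ( ($Host,$IP,$Email) = ( $ThisLine =~ /^ANONYMOUS FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
      $AnonLogins{"   $Host ($IP): $Email - "}++;
      return 'anon_login';
   }
   if ( ($Host,$IP,$User) = ( $ThisLine =~ /FTP LOGIN FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
      $UserLogins{"   $Host ($IP): $User - "}++;
      return 'user_login';
   }
   # Three spellings of a refused login, all counted under the same key shape.
   if ( ($Host,$IP,$User) = ( $ThisLine =~ /^FTP LOGIN REFUSED \(.+\) FROM ([^ ]+) \[(.*)\], (.*)$/ ) ) {
      $FailedLogins{"   $Host ($IP): $User - "}++;
      return 'failed_login';
   }
   if ( ($Host,$IP,$User) = ( $ThisLine =~ /REFUSED .+ from ([^ ]+) \[(.*)\], (.*)$/i ) ) {
      $FailedLogins{"   $Host ($IP): $User - "}++;
      return 'failed_login';
   }
   if ( ($Host,$IP,$User) = ( $ThisLine =~ /^failed login from ([^ ]+) \[(.*)\], (.*)$/ ) ) {
      $FailedLogins{"   $Host ($IP): $User - "}++;
      return 'failed_login';
   }
   if ( ($Limit,$Class,$Host,$IP) = ( $ThisLine =~ /^ACCESS DENIED \(user limit (.*)\; class (.*)\) TO (.*) \[(.*)\]/ ) ) {
      $FailedLogins{"   $Host ($IP): class $Class (Limit: $Limit) - "}++;
      return 'failed_login';
   }
   if ( ($Host,$IP) = ( $ThisLine =~ /^FTP ACCESS REFUSED \(anonymous password not rfc822\) from (.*) \[(.*)\]/ ) ) {
      $FailedLogins{"   $Host ($IP) - "}++;
      return 'failed_login';
   }
   # Unanchored and without a trailing user name: the variants the
   # anchored "failed login from" pattern above did not catch.  Only two
   # captures here, so only two variables are assigned.
   if ( ($Host,$IP) = ( $ThisLine =~ /failed login from ([^ ]+) \[(.*)\]$/ ) ) {
      $FailedLogins{"   $Host ($IP) - "}++;
      return 'failed_login';
   }
   if ( ($IP,$Host) = ( $ThisLine =~ /^refused PORT ([\d.]+),\d+ from (.*)$/ ) ) {
      $RefusedPorts{"   $Host ($IP) - "}++;
      return 'refused_port';
   }
   if ( $ThisLine =~ /^exiting on signal 11: Segmentation fault$/ ) {
      $SegFault++;
      return 'segfault';
   }
   if ( ($User,$Host,$IP,$File) = ( $ThisLine =~ /^([^ ]+) of ([^ ]*) \[(.*)\] deleted (.*)$/ ) ) {
      # One heading per (host, user); the deleted paths are listed beneath it.
      push @{ $DeletedFiles{"   $Host ($IP): $User\n"} }, "      $File\n";
      return 'deleted_file';
   }
   if ( ($User,$Pass,$Host,$IP) = ( $ThisLine =~ /(.*)\((.*)\) of (.*) \[(.*)\] tried to/ ) ) {
      $SecurityViolations{"   $Host ($IP): $User ($Pass) - "}++;
      return 'security_violation';
   }
   if ( ($Host,$User,$IP) = ( $ThisLine =~ /(.*)\: (.*)\: SITE .* \[(.*)\] tried to/ ) ) {
      $SecurityViolations{"   $Host ($IP): $User - "}++;
      return 'security_violation';
   }
   if ( ($Host,$IP) = ( $ThisLine =~ /^FTP LOGIN FAILED \(cannot set guest privileges\) for ([^ ]+) \[(.*)\], ftp$/ ) ) {
      $RefusedAnonLogins{"   $Host ($IP): - "}++;
      return 'refused_anon_login';
   }
   # dhcp024-208-136-047.insight.rr.com: visitor: IDLE[23195]: User visitor timed out after 900 seconds at Mon Jan 13 00:25:24 2003
   if ( ($Host,$User) = ( $ThisLine =~ /^([^ ]+): ([^ ]+): IDLE\[\d+\]: User [^\n]+ timed out after / ) ) {
      $TimedOut{"   $Host : $User"}++;
      return 'timed_out';
   }
   # Report any unmatched entries...
   push @OtherList, $ThisLine;
   return 'unmatched';
}

# Main loop: logwatch feeds the ftpd log lines on STDIN, one per line.
while (defined(my $ThisLine = <STDIN>)) {
   _ftpd_classify($ThisLine);
}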

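# Print one report section: a "<title>:" heading followed by every key
# of %$counts with its tally.  Keys are sorted so the report is stable
# from run to run (plain `keys` order is randomised per process on
# modern perls, which made consecutive reports hard to diff).  Nothing
# is printed when the hash is empty or when $Detail is below
# $min_detail (default 0, i.e. always shown).
sub _report_counts {
   my ($title, $counts, $min_detail) = @_;
   $min_detail = 0 unless defined $min_detail;
   return unless keys %$counts and $Detail >= $min_detail;
   print "\n$title:\n";
   foreach my $ThisOne (sort keys %$counts) {
      print $ThisOne . $counts->{$ThisOne} . " Time(s)\n";
   }
   return;
}

_report_counts("Anonymous FTP Logins", \%AnonLogins, 10);

# Deleted files are a list per heading rather than a count, so they get
# their own loop; the heading keys already end in "\n".
if ((keys %DeletedFiles) and ($Detail >= 10)) {
   print "\nFiles deleted through FTP:\n";
   foreach my $ThisOne (sort keys %DeletedFiles) {
      print $ThisOne;
      print @{$DeletedFiles{$ThisOne}};
   }
}

_report_counts("User FTP Logins", \%UserLogins, 5);
_report_counts("Failed FTP Logins", \%FailedLogins);
_report_counts("Refused PORTs", \%RefusedPorts, 10);
_report_counts("Connections timed out", \%TimedOut);
_report_counts("Failed filesystem violations", \%SecurityViolations, 5);
_report_counts("Refused anonymous FTP Logins", \%RefusedAnonLogins);

if ($SegFault > 0) {
   print "\nexiting on signal 11: Segmentation fault: $SegFault Time(s)\n";
}

# Raw lines nothing above recognised, unless the admin opted out.
if (@OtherList and not $IgnoreUnmatched) {
   print "\n**Unmatched Entries**\n";
   print @OtherList;
}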

exit(0);

# vi: shiftwidth=3 tabstop=3 et