1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
|
########################################################
# Please file all bug reports, patches, and feature
# requests under:
# https://sourceforge.net/p/logwatch/_list/tickets
# Help requests and discusion can be filed under:
# https://sourceforge.net/p/logwatch/discussion/
########################################################
########################################################
# This was written by Simon Liddington for use with Logwatch
########################################################
#######################################################
## Copyright (c) 2008 Simon Liddington
## Covered under the included MIT/X-Consortium License:
## http://www.opensource.org/licenses/mit-license.php
## All modifications and contributions by other persons to
## this script are assumed to have been donated to the
## Logwatch project and thus assume the above copyright
## and licensing terms. If you want to make contributions
## under your own copyright or a different license this
## must be explicitly stated in the contribution an the
## Logwatch project reserves the right to not accept such
## contributions. If you have made significant
## contributions to this script and want to claim
## copyright please contact logwatch-devel@lists.sourceforge.net.
#########################################################
use strict;
my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $IgnoreUnmatched = $ENV{'ftpd_ignore_unmatched'};
#Init Counters
my $NoEndpoints = 0;
my $UnmatchedEntries = 0;
#Init String Containers
my (
$Email, $Error, $Host,
$IP, $Notice, $Option,
$Reason, $Temp, $User
);
#Init Arrays
my @OtherList = ();
#Init Hashes
my (
%AnonLogins, %BadPasswds, %BadShell,
%BadUsers, %ConnectionRefused, %DeletedFiles,
%DeprecatedOptions, %ErrorLines, %MaxLoginAttempts,
%NoticeLines, %RefusedPorts, %RootLoginAttempt,
%TransferTimeout, %UserLogins
);
while (defined(my $ThisLine = <STDIN>)) {
if (
( $ThisLine =~ /^FTP session closed/ ) or
( $ThisLine =~ /^(ANONYMOUS )?FTP login as \'.*\' from [^ ]+ \[.*\] to .*/ ) or
( $ThisLine =~ /(PAM|pam_unix)\(.*\): [Aa]uthentication failure/ ) or
( $ThisLine =~ /(PAM|pam_unix)\(.*\): session (opened|closed) for user/ ) or
( $ThisLine =~ /^data_sendfile/ ) or
( $ThisLine =~ /(:| \-) FTP session (closed|opened)/ ) or
( $ThisLine =~ /(:| \-) No certificate files found/ ) or
( $ThisLine =~ /FTP (no transfer|session idle) timeout, disconnected/ ) or
( $ThisLine =~ / masquerading as / ) or
( $ThisLine =~ /mod_delay\// ) or
( $ThisLine =~ /FTP login timed out, disconnected/ ) or
( $ThisLine =~ /Preparing to chroot to directory/ ) or
( $ThisLine =~ /\(.*\[.*\]\)(\:| \-) no such user '.*'/ )
) {
#We don't care about these
} elsif ( ($Host,$IP,$Email,) = ( $ThisLine =~ /^FTP session opened: ftp\/ftp (.*)\[(.*)\] (.*)$/ ) ) {
$Temp = " " . $Host . " (" . $IP . "): " . $Email . " - ";
$AnonLogins{$Temp}++;
} elsif ( ($Host, $IP) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) ANON .+: Login successful\./ ) ) {
$Temp = " " . $Host . " (" . $IP . ")";
$AnonLogins{$Temp}++;
} elsif ( ($User,$Host,$IP) = ( $ThisLine =~ /^FTP session opened: (.*\/.*) (.*)\[(.*)\] (.*)$/ ) ) {
$Temp = " $Host : $User - ";
$UserLogins{$Temp}++;
} elsif ( ($Host,$IP,$User) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) USER (.+): Login successful/ ) ) {
$Temp = " " . $Host . ": " . $User . " - ";
$UserLogins{$Temp}++;
} elsif ( ($User) = ( $ThisLine =~ /^failed login, can\'t find user \'(.*)\' $/ ) ) {
$Temp = " " . "Unknown" . " (" . "Unknown.IP" . "): " . $User . " - ";
$BadUsers{$Temp}++;
} elsif ( ($User,$Host,$IP) = ( $ThisLine =~ /USER (.*): no such user found from (.*) \[(.*)\] to/ ) ) {
#$Temp = " $Host : $User - ";
#$BadUsers{$Temp}++;
$BadUsers{$User}{$Host}++;
# } elsif ( ($Host,$Ip,$User) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) no such user '(.*)'/ ) ) {
# #$Temp = "$Host($Ip)";
# $BadUsers{$User}{$Host}++;
} elsif ( ($Host,$User) = ( $ThisLine =~ /\[(.*)\]\)(?:\:| \-) USER (.*) \(Login failed\): Incorrect password/ ) ) {
$Temp = " $Host : $User - ";
$BadPasswds{$Temp}++;
} elsif ( ($Host,$User) = ( $ThisLine =~ /\[(.*)\]\)(?:\:| \-) USER (.*) \(Login failed\): Invalid shell/ ) ) {
$Temp = " $Host : $User - ";
$BadShell{$Temp}++;
} elsif ( ($Host,$IP) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) SECURITY VIOLATION: root login attempted/ ) ) {
$RootLoginAttempt{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /\(((.*)\[(.*)\])\)(?:\:| \-) Maximum login attempts .*exceeded/ ) ) {
$MaxLoginAttempts{$Host}++;
} elsif ( ($Host,$Reason) = ( $ThisLine =~ /\[(.*)\]\)(?:\:| \-) Refused PORT [\d,]+ \((.*)\)/ ) ) {
$Temp = " " . $Host . ": " . $Reason . " - ";
$RefusedPorts{$Temp}++;
} elsif ( ($Host,$Reason) = ( $ThisLine =~ /\(((.*)\[(.*)\])\)(?:\:| \-) Connection refused \((.*)\)/ ) ) {
$ConnectionRefused{$Reason}{$Host}++;
} elsif ( ($Host) = ( $ThisLine =~ /\(((.*)\[(.*)\])\)(?:\:| \-) Data transfer stall timeout/ ) ) {
$TransferTimeout{$Host}++;
} elsif ( $ThisLine =~ m/[^ ]*(?:\:| \-) Fatal: Transport endpoint is not connected/ ) {
$NoEndpoints++;
} elsif ( ($Option) = ( $ThisLine =~ /warning: (.*) is deprecated/ ) ) {
$DeprecatedOptions{$Option}++;
} elsif ( ($Host,$IP,$Error) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) error: (.*)$/ ) ) {
$ErrorLines{$Host}{$Error}++;
} elsif ( ($Host,$IP,$Notice) = ( $ThisLine =~ /\((.*)\[(.*)\]\)(?:\:| \-) notice: (.*)$/ ) ) {
$NoticeLines{$Host}{$Notice}++;
} else {
# Report any unmatched entries...
push @OtherList,$ThisLine;
}
}
##############################################
if (keys %DeprecatedOptions) {
print "\nDeprecated options in config:\n";
foreach my $Option (sort {$a cmp $b} keys %DeprecatedOptions) {
print " $Option\n";
}
}
if ( (keys %AnonLogins) and ($Detail >= 5) ) {
print "\nAnonymous FTP Logins:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %AnonLogins) {
print $ThisOne . $AnonLogins{$ThisOne} . " Time(s)\n";
}
}
if ( (keys %DeletedFiles) and ($Detail >= 10) ) {
print "\nFiles deleted through FTP:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %DeletedFiles) {
print $ThisOne;
print @{$DeletedFiles{$ThisOne}};
}
}
if (keys %UserLogins) {
print "\nUser FTP Logins:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %UserLogins) {
print $ThisOne . $UserLogins{$ThisOne} . " Time(s)\n";
}
}
if (keys %RootLoginAttempt) {
print "\nSECURITY VIOLATION!!!!\n";
print "Root login attempt from:\n";
foreach my $Host (sort {$a cmp $b} keys %RootLoginAttempt) {
print " $Host : $RootLoginAttempt{$Host} Time(s)\n";
}
}
if (keys %MaxLoginAttempts) {
print "\nMaximum login attempts exceeded from hosts:\n";
foreach my $Host (sort {$a cmp $b} keys %MaxLoginAttempts) {
print " $Host : $MaxLoginAttempts{$Host} Time(s)\n";
}
}
if (keys %ConnectionRefused) {
print "\nConnection refused with reason:\n";
foreach my $Reason (sort {$a cmp $b} keys %ConnectionRefused) {
print " $Reason :\n";
foreach my $Host (sort {$a cmp $b} keys %{$ConnectionRefused{$Reason}}) {
print " $Host : $ConnectionRefused{$Reason}{$Host} Time(s)\n";
}
}
}
if ( ( (keys %BadUsers) or (keys %BadPasswds) ) and ($Detail >= 5) ) {
print "\nFailed FTP Logins:\n";
if ( (keys %BadUsers) and ($Detail >= 5) ) {
print "\n Invalid Username:\n";
foreach my $User (sort {$a cmp $b} keys %BadUsers) {
print " $User:\n";
foreach my $Host (sort {$a cmp $b} keys %{$BadUsers{$User}}) {
print " $Host : $BadUsers{$User}{$Host} Time(s)\n";
}
}
}
if ( (keys %BadPasswds) and ($Detail >= 5) ) {
print "\n Incorrect Password:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %BadPasswds) {
print $ThisOne . $BadPasswds{$ThisOne} . " Time(s)\n";
}
}
if ( (keys %BadShell) and ($Detail >= 5) ) {
print "\n Invalid Shell:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %BadShell) {
print $ThisOne . $BadShell{$ThisOne} . " Time(s)\n";
}
}
}
if ( (keys %RefusedPorts) and ($Detail >= 5) ) {
print "\nRefused PORTs:\n";
foreach my $ThisOne (sort {$a cmp $b} keys %RefusedPorts) {
print $ThisOne . $RefusedPorts{$ThisOne} . " Time(s)\n";
}
}
if ( (keys %TransferTimeout) and ($Detail >= 5) ) {
print "\nData transfer stall timeout:\n";
foreach my $Host (sort {$a cmp $b} keys %TransferTimeout) {
print " $Host : $TransferTimeout{$Host} Time(s)\n";
}
}
if ( (keys %NoticeLines) and ($Detail >= 10) ) {
print "\nNotices Reported by Host:\n";
foreach my $Host (sort {$a cmp $b} keys %NoticeLines) {
print " $Host:\n";
foreach my $Notice (sort {$a cmp $b} keys %{$NoticeLines{$Host}}) {
print " $Notice : $NoticeLines{$Host}{$Notice} Time(s)\n";
}
}
}
if ( (keys %ErrorLines) and ($Detail >= 5) ) {
print "\nErrors Reported by Host:\n";
foreach my $Host (sort {$a cmp $b} keys %ErrorLines) {
print " $Host:\n";
foreach my $Errors (sort {$a cmp $b} keys %{$ErrorLines{$Host}}) {
print " $Errors : $ErrorLines{$Host}{$Errors} Time(s)\n";
}
}
}
if ($NoEndpoints > 0) {
print "\nTransport endpoint is not connected error $NoEndpoints Time(s)\n";
}
if (($#OtherList >= 0) and (not $IgnoreUnmatched)) {
print "\n**Unmatched Entries**\n";
print @OtherList;
}
exit(0);
# vi: shiftwidth=3 tabstop=3 syntax=perl et
# Local Variables:
# mode: perl
# perl-indent-level: 3
# indent-tabs-mode: nil
# End:
|
