On Sat, 1 Jun 2024, Richard Lewis wrote:

> > May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection 
> > from 152.32.206.247
> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.


> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection 
> > from 152.32.206.247
> > May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Anonymous user 
> > logged in
> > May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.

> I have some followups:
> 
> 
> 1. whether all rules should allow a ?
> I see that the first 2 rules already allowed a ? -- should all the
> other rules allow a ? or just the login/logout one? (do you get
> a "?" for all anonymous users for example?)

First: I am not a pure-ftpd expert. I just browsed the logs yesterday
then I've done some tests.
As far as I can see username is '?' before a successful login.
Including the case the user aborts the session. This is why '?' can occur
in logout messages. After the login the actual username is logged,
but 'anonymous' is transformed into 'ftp'.

> 2. lack of pids
> The rules all start
> 
> <timestamp> <hostname> pure-ftpd: ...
> 
> do you really not see a pid after the "pure-ftpd"? this might be a

Yes, I don't. At least on my system. Actual package versions are:
pure-ftpd 1.0.49-4.1
rsyslog 8.2102.0-2+deb11u1


> syslog vs systemd thing but probably we should allow an optional pid?
> (if you did "journalctl -t pure-ftpd" you would see a pid I think, so

Yes, indeed:

Nov 09 05:23:50 gatling pure-ftpd[107200]: 
(?@crawl-66-249-73-207.googlebot.com) [INFO] New connection from 
crawl-66-249-73-207.googlebot.com
Nov 09 05:23:50 gatling pure-ftpd[107200]: 
(?@crawl-66-249-73-207.googlebot.com) [INFO] Anonymous user logged in
Nov 09 05:23:51 gatling pure-ftpd[107200]: 
(f...@crawl-66-249-73-207.googlebot.com) [INFO] Can't change directory to 
heursch.pdf: Not a directory

> we should add that as an optional group(?)

I don't know.
On my server, neither 'pure-ftpd' nor 'pureftp' has a pid group but
I never missed it.
(Gee! Why are two similar files in the logcheck-database package?)

> 3. The last rule was
>  ... pure-ftpd: PAM-listfile: Refused user [._[:alnum:]-]+ for service
> pure-ftpd$
> 
> I assume this a) comes from PAM b) isn't produced any more?

I don't know. I have no disabled users.

Cheers

Gabor
-- 
No smoke, no drugs, no vindoze.
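
Added example, not part of the original message and not taken from logcheck-database: a small check of what the optional pid group and the '?' username discussed above change in practice. The two rules are constructed in the style of logcheck ignore rules; the sample lines are the log lines from this thread with the mail wrapping undone, plus one constructed warning line.

```shell
#!/bin/sh
# Constructed ignore rules (assumption: not the rules shipped in logcheck-database).
# The user part accepts '?' (seen before a successful login) or a normal username.
PRE='^[[:alpha:]]{3} [ :0-9]{11} [._[:alnum:]-]+ pure-ftpd'
POST=': \((\?|[._[:alnum:]-]+)@[._[:alnum:]-]+\) \[INFO\] (New connection from [._[:alnum:]-]+|Anonymous user logged in|Logout\.)$'

# Rule without a pid group, matching only the rsyslog-style lines.
RULE_NOPID="${PRE}${POST}"
# Same rule with an optional "[pid]" after the program name (journal-style lines).
RULE_OPTPID="${PRE}(\[[0-9]+\])?${POST}"

# Sample input: lines quoted in the thread, unwrapped; the last line is constructed.
sample_lines() {
cat <<'EOF'
May 26 06:49:14 gatling pure-ftpd: (?@152.32.206.247) [INFO] New connection from 152.32.206.247
May 26 06:49:33 gatling pure-ftpd: (?@152.32.206.247) [INFO] Logout.
May 26 06:49:33 gatling pure-ftpd: (ftp@152.32.206.247) [INFO] Logout.
Nov 09 05:23:50 gatling pure-ftpd[107200]: (?@crawl-66-249-73-207.googlebot.com) [INFO] New connection from crawl-66-249-73-207.googlebot.com
Nov 09 05:23:50 gatling pure-ftpd[107200]: (?@crawl-66-249-73-207.googlebot.com) [INFO] Anonymous user logged in
May 26 06:50:01 gatling pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [admin]
EOF
}

# logcheck reports every line that no ignore rule matches,
# so print the lines the given rule does NOT match.
reported() {
    sample_lines | grep -Ev -e "$1"
}

# Number of lines that would still end up in the report.
count_reported() {
    reported "$1" | wc -l | tr -d ' '
}

echo "reported with no pid group:       $(count_reported "$RULE_NOPID")"
echo "reported with optional pid group: $(count_reported "$RULE_OPTPID")"
echo "still reported with the optional pid group:"
reported "$RULE_OPTPID"
```

With the optional pid group only the warning line is left in the report; without it the journal-style lines are reported as well.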
