Discussion:
[Proftpd-devel] New proftpd module: mod_log_forensic
TJ Saunders
2011-04-22 21:18:35 UTC
Hello, proftpd developers. I wanted to let you know of a module I just
finished writing, whose purpose is to help provide the verbose logging you
want for diagnosis/debugging, but only when you want it (e.g. on failed
logins, or because the session died because of a segfault or other issue),
rather than all of the time:

http://www.castaglia.org/proftpd/modules/mod_log_forensic.html

This module currently requires the proftpd code in CVS, due to the logging
events/hooks I added recently.

As always, questions, comments, feedback welcomed.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The world is not to be put in order; the world is order,
incarnate. It is for us to harmonize with this order.

-Henry Miller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dennis Jacobfeuerborn
2011-04-23 12:14:48 UTC
Hi,
this looks very interesting. Is it possible to add a "SuccessfullLogin"
criterion? This would be useful for systems that see a lot of distributed
brute forcing attempts clogging up the logs. It could be used to express
something like "I only want to log the session once the user has
successfully logged in".

Regards,
Dennis
_______________________________________________
ProFTPD Developers List
https://lists.sourceforge.net/lists/listinfo/proftp-devel
TJ Saunders
2011-04-25 18:33:39 UTC
Post by Dennis Jacobfeuerborn
> this looks very interesting. Is it possible to add a "SuccessfullLogin"
> criterion? This would be useful for systems that see a lot of
> distributed brute forcing attempts clogging up the logs. It could be
> used to express something like "I only want to log the session once the
> user has successfully logged in".

That's a good idea, but it's not something that I would add to this new
mod_log_forensic module. Mostly because mod_log_forensic uses a ring
buffer to store up the last N messages (which are flushed to disk when the
configured criteria are met); it is not useful for general purpose
logging.

That said, I think a combination of:

http://bugs.proftpd.org/show_bug.cgi?id=3629

and some work would get you what you need.

For example, the Trace configuration can be changed after authentication;
mod_core's POST_CMD PASS handler looks for this directive. Similar
lookups for DebugLevel and SyslogFacility could be added to that same
handler. That should help achieve the functionality you're looking for.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This truth - to prove, and make thine own:
"Thou hast been, shalt be, art, alone."

-Matthew Arnold

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
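
The ring-buffer behaviour described in the reply above (keep only the last N messages in memory, write them to disk when a configured criterion is met) can be sketched in C as follows. This is an added example, not code from mod_log_forensic or ProFTPD; `struct ring`, `ring_log`, `ring_get`, `ring_flush`, the slot count and the sample session are all assumptions made for illustration.

```c
/* Added illustration; hypothetical names, not ProFTPD or mod_log_forensic code. */
#include <stdio.h>
#include <string.h>

#define RING_SLOTS 4    /* assumed N: messages retained per session */
#define MSG_MAX    128  /* longer messages are truncated */

struct ring {
    char msgs[RING_SLOTS][MSG_MAX];
    unsigned long total;  /* messages logged since the last flush */
};

static unsigned long ring_kept(const struct ring *r) {
    return r->total < RING_SLOTS ? r->total : RING_SLOTS;
}

/* Store in memory only; once full, the oldest message is overwritten. */
static void ring_log(struct ring *r, const char *msg) {
    snprintf(r->msgs[r->total % RING_SLOTS], MSG_MAX, "%s", msg);
    r->total++;
}

/* i-th retained message, oldest first; NULL when i is out of range. */
static const char *ring_get(const struct ring *r, unsigned long i) {
    unsigned long kept = ring_kept(r);
    if (i >= kept) return NULL;
    return r->msgs[(r->total - kept + i) % RING_SLOTS];
}

/* A criterion fired: write the retained messages, then start over so
 * nothing is written twice. Returns how many messages were written. */
static int ring_flush(struct ring *r, FILE *out) {
    unsigned long kept = ring_kept(r);
    for (unsigned long i = 0; i < kept; i++)
        fprintf(out, "%s\n", ring_get(r, i));
    r->total = 0;
    return (int)kept;
}

int main(void) {
    static struct ring r;  /* static storage: zero-initialised */
    /* Constructed session trace; the password itself is never stored. */
    const char *session[] = { "connect from 192.0.2.10", "USER alice",
        "PASS (hidden)", "auth backend: no match", "530 Login incorrect" };
    for (size_t i = 0; i < sizeof session / sizeof session[0]; i++)
        ring_log(&r, session[i]);
    /* Assumed criterion: failed login. Prints the last 4 of the 5 messages. */
    return ring_flush(&r, stdout) == RING_SLOTS ? 0 : 1;
}
```

Because a session that never meets a criterion writes nothing, and one that does writes only its last N messages, such a buffer cannot stand in for a continuous per-session log.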