Discussion:
[Proftpd-user] Logging mod_sftp Authentication Errors
n***@sinet.ca
2015-11-04 21:52:50 UTC
Post by TJ Saunders
You might try looking at the normal proftpd system logging (e.g. via
syslog, or via the SystemLog directive). The mod_sftp module tries to
log its authentication messages using the same logging as the main FTP
engine, which means using syslog/SystemLog.
TJ, sorry about the slow response - travelling without easy access to my
server. I originally had set up ExtendedLog and SFTPLog in the virtual
host that I had created for SFTP access. I have removed those options -
the only logging that I can see now is to /var/log/messages and
/var/log/secure. SFTP is set up to only allow login with keys. I did a
test where I logged in with a valid user/key pair and then logged in with
the same key but a different user. Both attempts are logged to
/var/log/messages but there is no obvious indication that the second
attempt failed. Only the successful login was recorded in
/var/log/secure.

[***@aws log]# tail -f messages
Nov 4 14:53:11 aws proftpd[24126]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - FTP session opened.
Nov 4 14:53:13 aws proftpd[24126]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - Preparing to chroot to directory '(root directory)'
Nov 4 14:53:32 aws proftpd[24126]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - SSH2 session closed.

Nov 4 14:54:29 aws proftpd[24128]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - FTP session opened.
Nov 4 14:54:29 aws proftpd[24128]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - SSH2 session closed.

[***@aws log]# tail -f secure
Nov 4 14:53:13 aws proftpd[24126]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - USER (username): Login successful
Nov 4 14:53:13 aws proftpd[24126]: 0.0.0.0 (::ffff:(host ip)[::ffff:(host ip)]) - USER (username): Login successful.

I am running ProFTPD Version 1.3.3g and the associated mod_sftp.so. The
proftpd.conf file is fairly standard except for the addition of the
VirtualHost for the port I am using to support SFTP access. I set
SFTPAuthMethods publickey and restricted SFTP protocols v1 through v3 for
WinSCP. I had enabled ExtendedLog directives earlier but these also did
not produce a clear one-line message that I could use to detect when
authentication failed. The closest was the SFTPLog file that showed "Nov
03 19:47:51 mod_sftp/0.9.7[4334]: client sent SSH_DISCONNECT message: No
supported authentication methods available (No other authentication
mechanisms available)" but did not include the IP address of the client.

Thanks, Norbert
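One way to surface the second, failed attempt from the two logs quoted above, as an added example that is not part of the original post or of proftpd: pair "FTP session opened" / "SSH2 session closed" by PID in messages, then flag sessions with no matching "Login successful" from that PID in secure. The sample lines are constructed after the quoted format, with 203.0.113.x standing in for the masked host IP and "norbert" for the masked user name.

```python
import re

# Constructed sample lines modelled on the syslog format quoted above;
# 203.0.113.x is a documentation address range, not a real client.
MESSAGES = """\
Nov  4 14:53:11 aws proftpd[24126]: 0.0.0.0 (::ffff:203.0.113.5[::ffff:203.0.113.5]) - FTP session opened.
Nov  4 14:53:13 aws proftpd[24126]: 0.0.0.0 (::ffff:203.0.113.5[::ffff:203.0.113.5]) - Preparing to chroot to directory '/home/sftp'
Nov  4 14:53:32 aws proftpd[24126]: 0.0.0.0 (::ffff:203.0.113.5[::ffff:203.0.113.5]) - SSH2 session closed.
Nov  4 14:54:29 aws proftpd[24128]: 0.0.0.0 (::ffff:203.0.113.9[::ffff:203.0.113.9]) - FTP session opened.
Nov  4 14:54:29 aws proftpd[24128]: 0.0.0.0 (::ffff:203.0.113.9[::ffff:203.0.113.9]) - SSH2 session closed.
"""
SECURE = """\
Nov  4 14:53:13 aws proftpd[24126]: 0.0.0.0 (::ffff:203.0.113.5[::ffff:203.0.113.5]) - USER norbert: Login successful
"""

# Common proftpd syslog prefix: timestamp, host, PID, client address, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[(?P<pid>\d+)\]: "
    r"\S+ \((?P<client>[^\[]+)\[[^\]]*\]\) - (?P<msg>.*)$"
)
SUCCESS_RE = re.compile(r"^USER \S+: Login successful\.?$")

def parse(text):
    """Yield one dict per line that matches the proftpd syslog prefix."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # Drop the IPv4-mapped IPv6 prefix so the client is a plain address.
            if ev["client"].startswith("::ffff:"):
                ev["client"] = ev["client"][len("::ffff:"):]
            yield ev

def find_failed_sessions(messages, secure):
    """Return (pid, client, opened, closed) for each closed session with no
    'Login successful' line from the same PID in the auth log. proftpd forks
    one process per session, so the PID is the join key (beware PID reuse)."""
    sessions = {}
    for ev in parse(messages):
        if ev["msg"] == "FTP session opened.":
            sessions[ev["pid"]] = {"client": ev["client"], "opened": ev["ts"], "closed": None}
        elif ev["msg"] == "SSH2 session closed." and ev["pid"] in sessions:
            sessions[ev["pid"]]["closed"] = ev["ts"]
    authenticated = {ev["pid"] for ev in parse(secure) if SUCCESS_RE.match(ev["msg"])}
    return [(pid, s["client"], s["opened"], s["closed"])
            for pid, s in sessions.items()
            if s["closed"] is not None and pid not in authenticated]

print(find_failed_sessions(MESSAGES, SECURE))
```

The join only tells you that a session ended without a successful login; the reason (wrong key, unknown user, disconnect) is what the later patch in this thread adds to the auth log.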
TJ Saunders
2015-11-06 02:05:31 UTC
Post by n***@sinet.ca
TJ, sorry about the slow response - travelling without easy access to my
server. I originally had set up ExtendedLog and SFTPLog in the virtual
host that I had created for SFTP access. I have removed those options -
the only logging that I can see now is to /var/log/messages and
/var/log/secure. SFTP is set up to only allow login with keys. I did a
test where I logged in with a valid user/key pair and then logged in with
the same key but a different user. Both attempts are logged to
/var/log/messages but there is no obvious indication that the second
attempt failed. Only the successful login was recorded in
/var/log/secure.
Ah, OK. So just for my clarification: you are interested in seeing both
login success and login failure, via SFTP, in the normal syslogging,
correct?
Post by n***@sinet.ca
I am running ProFTPD Version 1.3.3g and the associated mod_sftp.so.
OK. That version is a little old, but I don't think the mod_sftp
logging has changed that drastically in the latest code. I will
certainly be double-checking.
Post by n***@sinet.ca
I had enabled ExtendedLog directives earlier but these also did
not produce a clear one-line message that I could use to detect when
authentication failed.
The ExtendedLog format does not readily allow for a clear
"authentication failed" message. The ExtendedLog logs responses; there
might be some response code which can be mapped to an authentication
failure (e.g. a 4xx or 5xx response code), and newer versions of
mod_sftp have had support for more FTP response codes added.
Post by n***@sinet.ca
The closest was the SFTPLog file that showed "Nov
03 19:47:51 mod_sftp/0.9.7[4334]: client sent SSH_DISCONNECT message: No
supported authentication methods available (No other authentication
mechanisms available)" but did not include the IP address of the client.
Hmm. Your comment about the IP address is valid; that should be added.
Would you also like/want to see the user name (if any) of the
disconnecting client?

Cheers,
TJ
TJ Saunders
2015-11-06 04:47:12 UTC
Post by TJ Saunders
Post by n***@sinet.ca
I am running ProFTPD Version 1.3.3g and the associated mod_sftp.so.
OK. That version is a little old, but I don't think the mod_sftp
logging has changed that drastically in the latest code. I will
certainly be double-checking.
Here's a pull request which adds more logging, via pr_log_auth(), for
other failures when authenticating via SFTP publickey requests:

https://github.com/proftpd/proftpd/pull/166

This should cover more of the cases in which you are interested.

Cheers,
TJ
n***@sinet.ca
2015-11-09 21:32:12 UTC
Post by TJ Saunders
Ah, OK. So just for my clarification: you are interested in seeing both
login success and login failure, via SFTP, in the normal syslogging,
correct?
TJ, that would be great.
Post by TJ Saunders
Hmm. Your comment about the IP address is valid; that should be added.
Would you also like/want to see the user name (if any) of the
disconnecting client?
Not sure exactly what user name you are referring to. To enable me to
block hackers, I need a date/time stamp, the IP of the person trying to
open the SFTP session, the SFTP username they are trying to access, the
status of the connection attempt and some sort of a reason code.

I have figured out how to clone the proftpd git repository and can apply
the changes in 166 to the two mod_sftp files. Is it safe to just compile
mod_sftp or should I be compiling/upgrading proftpd? I think I can manage
the former but the latter will take longer - I am in the midst of
migrating to a new server.

Thanks, Norbert
TJ Saunders
2015-11-09 22:23:40 UTC
Post by n***@sinet.ca
Post by TJ Saunders
Ah, OK. So just for my clarification: you are interested in seeing both
login success and login failure, via SFTP, in the normal syslogging,
correct?
TJ, that would be great.
OK. I'll work on making this better in the next release.
Post by n***@sinet.ca
Post by TJ Saunders
Hmm. Your comment about the IP address is valid; that should be added.
Would you also like/want to see the user name (if any) of the
disconnecting client?
Not sure exactly what user name you are referring to. To enable me to
block hackers, I need a date/time stamp, the IP of the person trying to
open the SFTP session, the SFTP username they are trying to access, the
status of the connection attempt and some sort of a reason code.
When an SFTP client is disconnected, they may have already
sent/authenticated as a user -- or they might not. Which means that the
DISCONNECT log message can definitely include the IP address, but MAY
NOT have the user name.

Also, could you describe a little more what you mean by "status of the
connection attempt", and "some sort of reason code"? The SFTP protocol
may have some reason codes specific to the error/root cause, but some of
the reason codes cover several root causes/errors. Are these
status/reason code fields merely for logging/tracking on your end, or is
there some other bit of connection-blocking functionality that requires
a status/reason code field?
Post by n***@sinet.ca
I have figured out how to clone the proftpd git repository and can apply
the changes in 166 to the two mod_sftp files. Is it safe to just compile
mod_sftp or should I be compiling/upgrading proftpd? I think I can
manage the former but the latter will take longer - I am in the midst of
migrating to a new server.
If you have the proftpd source code for the version you are running,
then you should be able to apply the mentioned pull request as a patch
format (to get this, suffix ".patch" to the end of the URL), and patch
that version. That will be easier, I think, to get just those logging
changes into your existing installation. If you use the latest proftpd
source code from GitHub, then you will probably want to upgrade the
entire proftpd server, as there have been API changes.

Hope this helps,
TJ

n***@sinet.ca
2015-11-10 17:06:30 UTC
Post by TJ Saunders
When an SFTP client is disconnected, they may have already
sent/authenticated as a user -- or they might not. Which means that the
DISCONNECT log message can definitely include the IP address, but MAY
NOT have the user name.
Also, could you describe a little more what you mean by "status of the
connection attempt", and "some sort of reason code"?
TJ, I need something in the syslog message to identify failed
authentication attempts. The reason code is more for trying to figure out
why a legitimate user is having trouble authenticating.
Post by TJ Saunders
If you have the proftpd source code for the version you are running,
then you should be able to apply the mentioned pull request as a patch
format (to get this, suffix ".patch" to the end of the URL), and patch
that version.
I have downloaded the 1.3.3g proftpd source code and the 166 patch. The
patch did not install completely but it looks like the issues are cosmetic
or due to additional authentication code added after my version of
mod_sftp. From the contrib/mod_sftp directory, I did a "./configure
--enable-openssl" which appeared to complete successfully. However, the
make failed:

make
Makefile:5: ../../Make.rules: No such file or directory
make: *** No rule to make target `../../Make.rules'. Stop.

Do I need to compile proftpd including mod_sftp and then extract out the
mod_sftp*.so files? If so, what are the recommended ./configure options
for proftpd? I am guessing I want mod_sftp to be dynamically loaded since
proftpd.conf contains "LoadModule mod_sftp.c". I'm guessing something
like:

./configure --with-shared=mod_sftp --enable-openssl
--with-includes=(anything configure can't find) --with-libraries=(anything
configure can't find)

Thanks, Norbert
n***@sinet.ca
2015-11-11 04:06:51 UTC
TJ, I went ahead and recompiled proftpd. I updated mod_sftp.so with the
new version and am now seeing useful logging in /var/log/secure.

Thanks for all of your help!
Norbert
TJ Saunders
2015-11-11 05:22:26 UTC
Post by n***@sinet.ca
TJ, I went ahead and recompiled proftpd. I updated mod_sftp.so with the
new version and am now seeing useful logging in /var/log/secure.
Excellent! I've now merged/committed that pull request to the master
branch.

Cheers,
TJ
