Monitoring Proftpd

My major problem with proftpd is the real time monitoring of log analysis.

I will try to describe on this post the current solution I have build on my proftpd server.

Prerequisites:

  • Proftpd + mysql
  • Perl + Perl-MIME-Lite + Perl-MailsTools + Perl-DBI and Perl-DBD-mysql

ProFTPD + MySQL Authentication + E-Mail Monitor

First step is to sending an alert by email when a user update or connect to the ftp
This howto become from this great tutorial:
ProFTPD + MySQL Authentication + E-Mail Monitor Howto

The idea is to make a crontab script which check every X minutes that the field « modified » or « accessed » has been updated.

Logon to MySQL and issue the following command:

Code:

CREATE TABLE ftpusermonitor (
  id int(10) unsigned NOT NULL,
  userid varchar(32) NOT NULL default '',
  accessed datetime NOT NULL default '0000-00-00 00:00:00',
  modified datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY  (id),
  UNIQUE KEY userid (userid)
) TYPE=MyISAM;

You need to add this row to the ftpusermonitor table whenever you add a new ftp user :

Code:

INSERT INTO ftpusermonitor (id, userid) SELECT id, userid FROM ftpuser WHERE userid='myuser';

Now just copy this script on you ftp server:

Code:

#! /usr/bin/perl

# ftpmon.pl
# Monitor updates to FTP directories
# Author: Stefano Radice <stefano@despammed.com>

use strict;
use DBI;
use MIME::Lite;

my $server = 'localhost';
my $db = 'ftp';
my $dblogin = 'root';
my $dbpwd = 'password';
my $ftpalert = 'emmanuel.vargas@gmail.com';
#my $dbquery ="SELECT a.id, a.userid, a.modified FROM ftpuser a INNER JOIN ftpusermonitor b ON a.id = b.id WHERE a.modified > b.modified";
my $dbquery ="SELECT a.id, a.userid, a.accessed FROM ftpuser a INNER JOIN ftpusermonitor b ON a.id = b.id WHERE a.accessed > b.accessed";

my $dbh = DBI->connect("dbi:mysql:$db:$server", $dblogin, $dbpwd);
my $sth = $dbh->prepare($dbquery);
$sth->execute();

my @dbrow;

while(@dbrow=$sth->fetchrow_array()) {
    my $subject='FTP Update: ' . $dbrow[1];
    my $body=("The user -".$dbrow[1]. "- has acceded his FTP home.");
    send_mail($ftpalert,
              'FTPSERVER@ftp.crapules.com',
              $subject,
              $body);
    my $dbupd="UPDATE ftpusermonitor SET accessed='". $dbrow[2] . "' WHERE id=" . $dbrow[0];
#       my $dbupd=
#          "UPDATE ftpusermonitor SET modified='". $dbrow[2] . "' WHERE id=" . $dbrow[0];
    $dbh->do($dbupd);
}

$sth->finish( );

sub send_mail {
    print "Evoie d'un email\n";
    my($to, $from, $subject, $body)=@_;

    my $msg = new MIME::Lite
        From    =>$from,
        To      =>$to,
        Subject =>$subject,
        Type    =>'TEXT',
        Data    =>$body;
    $msg -> send;


}

Make this script executable:

Code:

# chmod 700 ftpmon.pl

and add this script in you crontab file:

Code:

# ftpmonitoring
*/5 * * * * /usr/sbin/ftpmoni.pl

Logs Analysis

First step is webalizer installation:

Code:

[root@pussycat plugins]# yum install webalizer

now add in your /etc/proftpd.conf:
In the general config:

Code:

TransferLog none     # WARNING: TransferLog directive might need to be placed inside a virtual host context if you use them.

In the <Anonymous>:

Code:

  TransferLog                 /var/log/proftpd/xferlog.legacy

Now edit your /etc/webalizer.conf:

Code:


LogFile        /var/log/proftpd/xferlog.legacy
LogType	ftp
OutputDir      /var/www/html/admin/webalizer
HistoryName	/var/lib/webalizer/webalizer.hist
Incremental	yes
IncrementalName	/var/lib/webalizer/webalizer.current
HostName       pussycat
PageType	htm*
PageType	cgi
PageType        php
PageType        shtml
DNSCache	/var/lib/webalizer/dns_cache.db


DNSChildren	10
Quiet	   yes

FoldSeqErr	yes
HideURL		*.gif
HideURL		*.GIF
HideURL		*.jpg
HideURL		*.JPG
HideURL		*.png
HideURL		*.PNG
HideURL		*.ra

SearchEngine	yahoo.com	p=
SearchEngine	altavista.com	q=
SearchEngine	google.com	q=
SearchEngine	eureka.com	q=
SearchEngine	lycos.com	query=
SearchEngine	hotbot.com	MT=
SearchEngine	msn.com		MT=
SearchEngine	infoseek.com	qt=
SearchEngine	webcrawler	searchText=
SearchEngine	excite		search=
SearchEngine	netscape.com	search=
SearchEngine	mamma.com	query=
SearchEngine	alltheweb.com	query=
SearchEngine	northernlight.com  qr=
# End of configuration file...  Have a nice day!

In your crontab file:

Code:


# webalizer for proftpd
10 3 * * * root /usr/bin/webalizer > /dev/null

Ce contenu a été publié dans Linux. Vous pouvez le mettre en favoris avec ce permalien.

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *