#!/usr/bin/perl
##########################################################################
# $Id: proftpd-messages,v 1.3 2000/09/22 14:47:04 kirk Exp $
##########################################################################
# $Log: proftpd-messages,v $
# Revision 1.3  2000/09/22 14:47:04  kirk
# *** empty log message ***
#
# Revision 1.2  1999/02/23 14:50:29  kirk
# New proftpd module from Simon
#
# Revision 1.1  1999/02/23 01:28:20  kirk
# Added proftpd module by Simon Liddington <sjl96v@ecs.soton.ac.uk>.
#
##########################################################################

########################################################
# This was written and is maintained by:
#    Simon Liddington <sjl96v@ecs.soton.ac.uk>
#
# for use with Logwatch
#
# Logwatch was written and is maintained by:
#    Kirk  <kirk@kaybee.org>
#
########################################################

# Settings handed down by Logwatch through the environment:
#   $Detail          - report verbosity; the report code compares it
#                      numerically against 5 and 10.
#   $IgnoreUnmatched - when true, log lines that match none of the known
#                      patterns are intended to be left out of the report.
($Detail, $IgnoreUnmatched) =
   @ENV{ 'LOGWATCH_DETAIL_LEVEL', 'ftpd_ignore_unmatched' };

# Classify every ProFTPD log line arriving on STDIN.  Each recognised event
# is tallied in a hash keyed by the already-formatted report prefix
# ("   host (ip): detail - "); anything unrecognised is kept verbatim in
# @OtherList so it can be shown as an unmatched entry.
#
# NOTE(review): the user name and anonymous e-mail fields are presumably
# supplied by the FTP client and are copied into the report keys as-is, so
# the report text should be treated as untrusted by whatever displays it.
LINE: while (defined(my $line = <STDIN>)) {

   # Routine session chatter that is never reported.
   next LINE if $line =~ /^FTP session closed./;
   next LINE if $line =~ /^(ANONYMOUS )?FTP login as \'.*\' from [^ ]+ \[.*\] to .*/;
   next LINE if $line =~ /^FTP no transfer time out, disconnected\./;
   next LINE if $line =~ /^PAM\(.*\): Authentication failure/;
   next LINE if $line =~ /^data_sendfile/;
   next LINE if $line =~ /^FTP no transfer timeout, disconnected\./;
   next LINE if $line =~ /^FTP login timed out, disconnected\./;

   # Anonymous session ("ftp/ftp host[ip] email").  This must be tested
   # before the generic session pattern below, which would also match it.
   if ( my ($host, $ip, $email) = $line =~ /^FTP session opened: ftp\/ftp (.*)\[(.*)\] (.*)$/ ) {
      $AnonLogins{"   $host ($ip): $email - "}++;
      next LINE;
   }

   # Session opened by a named account ("user/group host[ip] ...").
   if ( my ($user, $host, $ip) = $line =~ /^FTP session opened: (.*\/.*) (.*)\[(.*)\] (.*)$/ ) {
      $UserLogins{"   $host ($ip): $user - "}++;
      next LINE;
   }

   # Unknown account; this message form carries no host or address.
   if ( my ($user) = $line =~ /^failed login, can\'t find user \'(.*)\' $/ ) {
      $BadUsers{"   Unknown (Unknown.IP): $user - "}++;
      next LINE;
   }

   # Unknown account, message form that includes the peer host and address.
   if ( my ($user, $host, $ip) = $line =~ /^USER (.*): no such user found from (.*) \[(.*)\] to .*$/ ) {
      $BadUsers{"   $host ($ip): $user - "}++;
      next LINE;
   }

   # Existing account, wrong password.
   if ( my ($user, $host, $ip) = $line =~ /^USER (.*): incorrect password from (.*) \[(.*)\] to .*$/ ) {
      $BadPasswds{"   $host ($ip): $user - "}++;
      next LINE;
   }

   # PORT command rejected by the server; the text in parentheses is the
   # reason given in the log line.
   if ( my ($host, $reason) = $line =~ /^refused PORT [0123456789,]+ from ([^ ]+) \((.*)\) $/ ) {
      $RefusedPorts{"   $host (Unknown.IP): $reason - "}++;
      next LINE;
   }

   # Nothing matched: keep the raw line for the "Unmatched Entries" section.
   push @OtherList, $line;
}

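# Print one "<entry><count> Time(s)" line for every key of the tally hash
# passed by reference.  Keys are sorted so that successive reports list the
# same entries in the same order and can be compared easily.
sub _print_tally {
   my ($tally) = @_;
   foreach my $entry (sort keys %{$tally}) {
      print $entry . $tally->{$entry} . " Time(s)\n";
   }
   return;
}

# Work out once which sections have something to show at the current detail
# level.  Unmatched lines only count when $IgnoreUnmatched (set from the
# ftpd_ignore_unmatched environment variable) is false; the original code
# tested a misspelled, never-assigned variable here, so the setting had no
# effect, and it also printed the banners around an empty report.
my $detailed       = ( $Detail >= 5 );
my $show_anon      = ( $detailed && scalar(keys %AnonLogins) );
my $show_bad_users = ( $detailed && scalar(keys %BadUsers) );
my $show_bad_pw    = ( $detailed && scalar(keys %BadPasswds) );
my $show_refused   = ( $detailed && scalar(keys %RefusedPorts) );
my $show_deleted   = ( ($Detail >= 10) && scalar(keys %DeletedFiles) );
my $show_users     = scalar(keys %UserLogins);
my $show_unmatched = ( scalar(@OtherList) && !$IgnoreUnmatched );

if (    $show_anon
     or $show_bad_users
     or $show_bad_pw
     or $show_deleted
     or $show_refused
     or $show_unmatched
     or $show_users ) {

   print "\n\n --------------------- proftpd-messages Begin ------------------------ \n";

   if ($show_anon) {
      print "\nAnonymous FTP Logins:\n";
      _print_tally(\%AnonLogins);
   }

   # Nothing in this script's parsing loop fills %DeletedFiles, so this
   # section only prints if the hash is populated by other means.
   if ($show_deleted) {
      print "\nFiles deleted through FTP:\n";
      foreach my $entry (sort keys %DeletedFiles) {
         print $entry;
         print @{ $DeletedFiles{$entry} };
      }
   }

   # Successful named-user logins are reported at every detail level.
   if ($show_users) {
      print "\nUser FTP Logins:\n";
      _print_tally(\%UserLogins);
   }

   if ( $show_bad_users or $show_bad_pw ) {
      print "\nFailed FTP Logins:\n";

      if ($show_bad_users) {
         print "\n  Invalid Username:\n";
         _print_tally(\%BadUsers);
      }

      if ($show_bad_pw) {
         print "\n  Incorrect Password:\n";
         _print_tally(\%BadPasswds);
      }
   }

   if ($show_refused) {
      print "\nRefused PORTs:\n";
      _print_tally(\%RefusedPorts);
   }

   # Raw log lines are echoed unmodified; they may contain text chosen by
   # the remote client, so readers of the report should treat them as
   # untrusted input.
   if ($show_unmatched) {
      print "\n**Unmatched Entries**\n";
      print @OtherList;
   }

   print "\n\n ---------------------- proftpd-messages End ------------------------- \n\n";

}

exit(0);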



