From 6092b6628eb4f31efb8e9dd4eaa2aae67841f2aa Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Thu, 2 Dec 2021 19:36:42 +0100
Subject: [PATCH] logs: use info level for login related messages so enabling debug level is not required, for example only to understand that a user exceeded the allowed sessions. Also set the cache update frequency as documented
---
 dataprovider/dataprovider.go | 2 +-
 ftpd/server.go | 12 +++++++-----
 httpd/api_utils.go | 8 ++++----
 sftpd/server.go | 13 +++++++------
 sftpd/ssh_cmd.go | 2 +-
 webdavd/server.go | 12 +++++++-----
 windows-installer/README.txt | 2 ++
 7 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go
index 35723e15..81e7bf3b 100644
--- a/dataprovider/dataprovider.go
+++ b/dataprovider/dataprovider.go
@@ -2143,7 +2143,7 @@ func startUpdateCachesTimer() {
 }
 lastCachesUpdate = util.GetTimeAsMsSinceEpoch(time.Now())
 providerLog(logger.LevelDebug, "update caches check started for provider %v", config.Driver)
- updateCachesTicker = time.NewTicker(1 * time.Minute)
+ updateCachesTicker = time.NewTicker(10 * time.Minute)
 updateCachesTickerDone = make(chan bool)
 go func() {
diff --git a/ftpd/server.go b/ftpd/server.go
index cecd0610..9055fc8c 100644
--- a/ftpd/server.go
+++ b/ftpd/server.go
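Review bot: In dataprovider.go's startUpdateCachesTimer, the new interval is a bare `10 * time.Minute` literal, and the only link to the documented value is the commit message. A named constant with a comment, for example `const cachesUpdateInterval = 10 * time.Minute // keep in sync with the documented cache update frequency`, would keep code and documentation from drifting apart again. The change also lets whatever these caches hold become up to ten times staler between refreshes; if that includes user state edited elsewhere (an assumption, the cache contents are not visible in this hunk), a disabled account or a changed credential takes correspondingly longer to take effect, which is worth stating in that comment. The function body continues outside the hunk.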
@@ -325,24 +325,26 @@ func (s *Server) validateUser(user dataprovider.User, cc ftpserver.ClientContext
 return nil, fmt.Errorf("cannot login user with invalid home dir: %#v", user.HomeDir)
 }
 if util.IsStringInSlice(common.ProtocolFTP, user.Filters.DeniedProtocols) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, protocol FTP is not allowed", user.Username)
+ logger.Info(logSender, connectionID, "cannot login user %#v, protocol FTP is not allowed", user.Username)
 return nil, fmt.Errorf("protocol FTP is not allowed for user %#v", user.Username)
 }
 if !user.IsLoginMethodAllowed(loginMethod, nil) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, %v login method is not allowed", user.Username, loginMethod)
+ logger.Info(logSender, connectionID, "cannot login user %#v, %v login method is not allowed",
+ user.Username, loginMethod)
 return nil, fmt.Errorf("login method %v is not allowed for user %#v", loginMethod, user.Username)
 }
 if user.MaxSessions > 0 {
 activeSessions := common.Connections.GetActiveSessions(user.Username)
 if activeSessions >= user.MaxSessions {
- logger.Debug(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
- activeSessions, user.MaxSessions)
+ logger.Info(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v",
+ user.Username, activeSessions, user.MaxSessions)
 return nil, fmt.Errorf("too many open sessions: %v", activeSessions)
 }
 }
 remoteAddr := cc.RemoteAddr().String()
 if !user.IsLoginFromAddrAllowed(remoteAddr) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, remoteAddr)
+ logger.Info(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v",
+ user.Username, remoteAddr)
 return nil, fmt.Errorf("login for user %#v is not allowed from this address: %v", user.Username, remoteAddr)
 }
 err := user.CheckFsRoot(connectionID)
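Review bot: Three of the four rejection messages raised to Info in ftpd's validateUser (denied protocol, denied login method, session limit) do not record the client address, because `remoteAddr := cc.RemoteAddr().String()` is only computed after them. Now that these lines are emitted at the default level and are what an operator or a log-based blocker will read, each should carry the source address: move the `remoteAddr` assignment above the first check and append it to the messages, e.g. `"cannot login user %#v, protocol FTP is not allowed, remote address: %v"`. The same gap is in the httpd checkHTTPClientUser, sftpd loginUser and webdavd validateUser hunks, where `r.RemoteAddr` or `conn.RemoteAddr()` is available. If connectionID can already be joined to another line that holds the address this is only a convenience, but that is not visible here. validateUser starts and ends outside the hunk.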
diff --git a/httpd/api_utils.go b/httpd/api_utils.go
index 1e20c7e4..20bfa5e3 100644
--- a/httpd/api_utils.go
+++ b/httpd/api_utils.go
@@ -448,23 +448,23 @@ func updateLoginMetrics(user *dataprovider.User, ip string, err error) {
 func checkHTTPClientUser(user *dataprovider.User, r *http.Request, connectionID string) error {
 if util.IsStringInSlice(common.ProtocolHTTP, user.Filters.DeniedProtocols) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, protocol HTTP is not allowed", user.Username)
+ logger.Info(logSender, connectionID, "cannot login user %#v, protocol HTTP is not allowed", user.Username)
 return fmt.Errorf("protocol HTTP is not allowed for user %#v", user.Username)
 }
 if !user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, nil) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, password login method is not allowed", user.Username)
+ logger.Info(logSender, connectionID, "cannot login user %#v, password login method is not allowed", user.Username)
 return fmt.Errorf("login method password is not allowed for user %#v", user.Username)
 }
 if user.MaxSessions > 0 {
 activeSessions := common.Connections.GetActiveSessions(user.Username)
 if activeSessions >= user.MaxSessions {
- logger.Debug(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
+ logger.Info(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
 activeSessions, user.MaxSessions)
 return fmt.Errorf("too many open sessions: %v", activeSessions)
 }
 }
 if !user.IsLoginFromAddrAllowed(r.RemoteAddr) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, r.RemoteAddr)
+ logger.Info(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, r.RemoteAddr)
 return fmt.Errorf("login for user %#v is not allowed from this address: %v", user.Username, r.RemoteAddr)
 }
 return nil
diff --git a/sftpd/server.go b/sftpd/server.go
index 2e98ab40..81552ecd 100644
--- a/sftpd/server.go
+++ b/sftpd/server.go
@@ -494,10 +494,9 @@ func (c *Configuration) handleSftpConnection(channel ssh.Channel, connection *Co
 defer server.Close()
 if err := server.Serve(); err == io.EOF {
- connection.Log(logger.LevelDebug, "connection closed, sending exit status")
 exitStatus := sshSubsystemExitStatus{Status: uint32(0)}
 _, err = channel.SendRequest("exit-status", false, ssh.Marshal(&exitStatus))
- connection.Log(logger.LevelDebug, "sent exit status %+v error: %v", exitStatus, err)
+ connection.Log(logger.LevelInfo, "connection closed, sent exit status %+v error: %v", exitStatus, err)
 } else if err != nil {
 connection.Log(logger.LevelWarn, "connection closed with error: %v", err)
 }
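Review bot: The merged `connection.Log(logger.LevelInfo, "connection closed, sent exit status %+v error: %v", ...)` line reports a failed `channel.SendRequest` at the same level and with the same wording as a clean close, so the failure is only visible by reading the trailing `error:` value. Keep the Info line for `err == nil` and log the other case separately, e.g. `connection.Log(logger.LevelWarn, "connection closed, unable to send exit status: %v", err)`. handleSftpConnection starts before the hunk.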
@@ -558,24 +557,26 @@ func loginUser(user *dataprovider.User, loginMethod, publicKey string, conn ssh.
 return nil, fmt.Errorf("cannot login user with invalid home dir: %#v", user.HomeDir)
 }
 if util.IsStringInSlice(common.ProtocolSSH, user.Filters.DeniedProtocols) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, protocol SSH is not allowed", user.Username)
+ logger.Info(logSender, connectionID, "cannot login user %#v, protocol SSH is not allowed", user.Username)
 return nil, fmt.Errorf("protocol SSH is not allowed for user %#v", user.Username)
 }
 if user.MaxSessions > 0 {
 activeSessions := common.Connections.GetActiveSessions(user.Username)
 if activeSessions >= user.MaxSessions {
- logger.Debug(logSender, "", "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
+ logger.Info(logSender, "", "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
 activeSessions, user.MaxSessions)
 return nil, fmt.Errorf("too many open sessions: %v", activeSessions)
 }
 }
 if !user.IsLoginMethodAllowed(loginMethod, conn.PartialSuccessMethods()) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, login method %#v is not allowed", user.Username, loginMethod)
+ logger.Info(logSender, connectionID, "cannot login user %#v, login method %#v is not allowed",
+ user.Username, loginMethod)
 return nil, fmt.Errorf("login method %#v is not allowed for user %#v", loginMethod, user.Username)
 }
 remoteAddr := conn.RemoteAddr().String()
 if !user.IsLoginFromAddrAllowed(remoteAddr) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, remoteAddr)
+ logger.Info(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v",
+ user.Username, remoteAddr)
 return nil, fmt.Errorf("login for user %#v is not allowed from this address: %v", user.Username, remoteAddr)
 }
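Review bot: The session-limit message in sftpd's loginUser is still logged with an empty connection ID, `logger.Info(logSender, "", ...)`, while every other rejection visible in the function passes `connectionID`. This is the message the commit description singles out, and without the ID it cannot be correlated with the other lines of the same connection attempt. Pass the ID here too: `logger.Info(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,`. loginUser starts and ends outside the hunk.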
diff --git a/sftpd/ssh_cmd.go b/sftpd/ssh_cmd.go
index 46c4c0d6..2f24835e 100644
--- a/sftpd/ssh_cmd.go
+++ b/sftpd/ssh_cmd.go
@@ -85,7 +85,7 @@ func processSSHCommand(payload []byte, connection *Connection, enabledSSHCommand
 }
 }
 err := connection.CloseFS()
- connection.Log(logger.LevelDebug, "unable to unmarshal ssh command, close fs, err: %v", err)
+ connection.Log(logger.LevelWarn, "unable to unmarshal ssh command, close fs, err: %v", err)
 return false
 }
diff --git a/webdavd/server.go b/webdavd/server.go
index 433e3a89..4a37c4ee 100644
--- a/webdavd/server.go
+++ b/webdavd/server.go
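Review bot: In processSSHCommand, the `err` printed by the message raised to Warn comes from `connection.CloseFS()` on the line above, not from the unmarshal failure the text announces, so the reason the client-supplied payload was rejected is not logged (the unmarshal call is above the hunk, so this is inferred from the message). At Warn level the line should say what failed: include the unmarshal error as its own value and label the other one, e.g. `"unable to unmarshal ssh command: %v, close fs error: %v"`. The function starts and ends outside the hunk.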
@@ -302,23 +302,25 @@ func (s *webDavServer) validateUser(user *dataprovider.User, r *http.Request, lo
 return connID, fmt.Errorf("cannot login user with invalid home dir: %#v", user.HomeDir)
 }
 if util.IsStringInSlice(common.ProtocolWebDAV, user.Filters.DeniedProtocols) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, protocol DAV is not allowed", user.Username)
+ logger.Info(logSender, connectionID, "cannot login user %#v, protocol DAV is not allowed", user.Username)
 return connID, fmt.Errorf("protocol DAV is not allowed for user %#v", user.Username)
 }
 if !user.IsLoginMethodAllowed(loginMethod, nil) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, %v login method is not allowed", user.Username, loginMethod)
+ logger.Info(logSender, connectionID, "cannot login user %#v, %v login method is not allowed",
+ user.Username, loginMethod)
 return connID, fmt.Errorf("login method %v is not allowed for user %#v", loginMethod, user.Username)
 }
 if user.MaxSessions > 0 {
 activeSessions := common.Connections.GetActiveSessions(user.Username)
 if activeSessions >= user.MaxSessions {
- logger.Debug(logSender, connID, "authentication refused for user: %#v, too many open sessions: %v/%v", user.Username,
- activeSessions, user.MaxSessions)
+ logger.Info(logSender, connID, "authentication refused for user: %#v, too many open sessions: %v/%v",
+ user.Username, activeSessions, user.MaxSessions)
 return connID, fmt.Errorf("too many open sessions: %v", activeSessions)
 }
 }
 if !user.IsLoginFromAddrAllowed(r.RemoteAddr) {
- logger.Debug(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v", user.Username, r.RemoteAddr)
+ logger.Info(logSender, connectionID, "cannot login user %#v, remote address is not allowed: %v",
+ user.Username, r.RemoteAddr)
 return connID, fmt.Errorf("login for user %#v is not allowed from this address: %v", user.Username, r.RemoteAddr)
 }
 return connID, nil
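Review bot: The session-limit message in webdavd's validateUser is logged with `connID`, while the other rejections visible in the hunk use `connectionID`. If the two differ in format (connectionID's derivation is above the hunk), the too-many-sessions line will not match a search for the ID that appears on the other lines of the same request. Use the same identifier: `logger.Info(logSender, connectionID, "authentication refused for user: %#v, too many open sessions: %v/%v",`. validateUser starts before the hunk.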
diff --git a/windows-installer/README.txt b/windows-installer/README.txt index fb56bc6d..f8b49735 100644 --- a/windows-installer/README.txt +++ b/windows-installer/README.txt @@ -9,6 +9,8 @@ and complete the initial setup. The SFTP service is available, by default, on port 2022. +If SFTPGo does not start, make sure that TCP ports 2022 and 8080 are not used by other services or change the SFTPGo configuration to suit your needs. + Default data location: C:\ProgramData\SFTPGo