LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-11-2012, 01:44 AM   #1
vahab
Member
 
Registered: Jun 2011
Posts: 58

Rep: Reputation: Disabled
Record vsftpd logins in /var/log/wtmp


Hi,

I was wondering if anyone could tell me if there is any way to record the users logins in /var/adm/wtmp just like SSH logins.
So we would be able to get the user login history with "last" command or get the last login time with "lastlog" command.

Please note that I don't want to use the xfer log.

Thanks in advance

Last edited by vahab; 04-11-2012 at 03:05 AM.
 
Old 04-11-2012, 11:04 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by vahab
any way to record the users logins in /var/adm/wtmp just like SSH logins.
The difference between OpenSSH and Vsftpd is that OpenSSH requires an account on the system and Vsftpd allows for virtual users: the latter are only known to the FTP service. Fortunately Vsftpd can use PAM so if you use a list of virtual users (see pam_listfile.so) then pam_lastlog.so might be able to silently update wtmp. If you can't get it to work minimally post your vsftp.conf (that is 'grep -v ^# vsftp.conf|grep .;') and tell us what you changed, your PAM stack for FTP and system and or daemon log excerpts showing errors (client side error messages will most likely not be useful).
 
Old 04-12-2012, 01:08 AM   #3
vahab
Member
 
Registered: Jun 2011
Posts: 58

Original Poster
Rep: Reputation: Disabled
I added a line to /etc/pam.d/vsftpd containing pam_lastlog.so as below and still I cannot find the ftp logins within 'last' or 'lastlog' commands

# cat /etc/pam.d/vsftpd
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
account include system-auth
session include system-auth
session required pam_loginuid.so
session required pam_lastlog.so

I am using RHEL 5.5 with its default vsftpd and default configurations :

vsftpd: version 2.0.5

# grep -v ^# /etc/vsftpd/vsftpd.conf|grep .;
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ftpd_banner=Welcome to FTP server
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
 
Old 04-12-2012, 01:45 AM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 217
Hi vahab

I could only point you to logging vsftpd settings like this
where you will have to manually cat the log file for user logins.

good luck
 
Old 04-14-2012, 10:18 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by vahab
still I cannot find the ftp logins within 'last' or 'lastlog' commands
From your config you seem to mix anonymous and local users. I hope you're not looking to logging anonymous users access? Are you saying you can't even 'last' or 'lastlog' local users?
 
Old 04-14-2012, 11:35 PM   #6
vahab
Member
 
Registered: Jun 2011
Posts: 58

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
From your config you seem to mix anonymous and local users. I hope you're not looking to logging anonymous users access? Are you saying you can't even 'last' or 'lastlog' local users?
I do not want anonymous logins.
And I cannot last or lastlog local users
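
An added check, not part of any post in this thread: vsftpd.conf(5) documents session_support (default NO) as the option that makes vsftpd update utmp and wtmp and open a PAM session, so the session lines in the PAM file only take effect when it is YES. The function names are made up for this example, and the demo input is a trimmed copy of the configuration posted above.

```shell
# Added example: can this vsftpd setup record FTP logins in utmp/wtmp?

# Print the effective value of key $2 in vsftpd.conf $1, or default $3.
# vsftpd.conf takes no spaces around '='; the last assignment wins.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        $1 == k    { v = substr($0, length(k) + 2); seen = 1 }
        END        { print (seen ? v : d) }' "$1"
}

# Succeed if PAM service file $1 has an active "session" line loading module $2.
pam_has_session_module() {
    awk -v m="$2" '
        /^[ \t]*#/ { next }
        { kind = $1; sub(/^-/, "", kind) }
        kind == "session" {
            for (i = 3; i <= NF; i++) { n = split($i, p, "/"); if (p[n] == m) found = 1 }
        }
        END { exit !found }' "$1"
}

# Usage: ftp_wtmp_audit VSFTPD_CONF PAM_DIR; non-zero when no wtmp record can result.
ftp_wtmp_audit() {
    conf=$1; pamdir=$2; rc=0
    svc=$(conf_get "$conf" pam_service_name ftp)      # documented default: ftp
    sess=$(conf_get "$conf" session_support NO)       # documented default: NO
    echo "pam_service_name=$svc session_support=$sess"
    case $sess in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) ;;
        *) echo "FAIL: session_support is off: no PAM session, no utmp/wtmp update"; rc=1 ;;
    esac
    if [ ! -r "$pamdir/$svc" ]; then
        echo "FAIL: PAM service file $pamdir/$svc not readable"; rc=1
    elif pam_has_session_module "$pamdir/$svc" pam_lastlog.so; then
        echo "OK: $pamdir/$svc has pam_lastlog.so in its session stack"
    else
        echo "WARN: $pamdir/$svc has no session line for pam_lastlog.so"
    fi
    return $rc
}

# Demo input: trimmed copy of the configuration posted in the thread.
demo=$(mktemp -d)
printf '%s\n' 'local_enable=YES' 'listen=YES' 'pam_service_name=vsftpd' > "$demo/vsftpd.conf"
printf '%s\n' '#%PAM-1.0' 'auth include system-auth' 'session required pam_lastlog.so' > "$demo/vsftpd"
ftp_wtmp_audit "$demo/vsftpd.conf" "$demo" || true
rm -rf "$demo"
```

On the posted configuration the check reports session_support=NO and fails, even though pam_lastlog.so is present in the session stack.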
 
  


All times are GMT -5. The time now is 05:38 AM.
