Ubuntu – Vsftpd: log failed login attempts

Tags: fail2ban, ftp, Ubuntu, ubuntu-10.04, vsftpd

I am setting up fail2ban in Ubuntu 10.04 for various services. SSH went smoothly, but I have had no success with vsftpd so far. The problem is that I can't find a way to get failed login attempts to appear in the logs.

I see nothing in auth.log nor in vsftpd.log.

In the example here there are several lines which should appear in the various logs but they don't.

Here is what I have in the config file now:

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
dual_log_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
session_support=YES
connect_from_port_20=YES
chroot_local_user=YES
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

In the logs I only see successful logins, but when the client gets a 530 permission denied, nothing is logged.

I would prefer not to log the entire FTP chat.

Best Answer

It looks like vsftpd first checks the username in userlist_file and does PAM only if the user is allowed (with the above configuration). I would suggest disabling the userlist_* options and implementing the deny list in the PAM configuration.

# put this line into /etc/pam.d/vsftpd as first "auth" check
auth    required    pam_listfile.so item=user sense=allow file=/etc/vsftpd.allowed_users onerr=fail

Then you should see denied login attempts in auth.log.

More info - pam_listfile.so
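Once the failures reach auth.log, fail2ban's job is just counting them per source host. The script below is an added illustration (not part of the question or the answer) of that counting logic: it parses constructed auth.log lines in the pam_unix(vsftpd:auth) "authentication failure ... rhost=" shape that the PAM stack emits once PAM actually runs for denied users, and applies fail2ban's maxretry/findtime sliding-window rule. The exact line format on a given box is an assumption here; it depends on the PAM modules and syslog setup in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log; the vsftpd lines use the pam_unix
# failure message shape (assumed), the sshd line is noise that must be ignored.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 ftp01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=alice rhost=198.51.100.7
Mar  3 10:15:04 ftp01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7
Mar  3 10:15:09 ftp01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=198.51.100.7
Mar  3 10:16:30 ftp01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=203.0.113.5
Mar  3 10:40:00 ftp01 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=203.0.113.5
Mar  3 10:41:00 ftp01 sshd[2211]: Accepted publickey for ops from 192.0.2.9 port 4411 ssh2
"""

# Syslog timestamp, host, "vsftpd" (optionally with a pid), then the PAM failure text.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vsftpd(?:\[\d+\])?: "
    r"pam_unix\(vsftpd:auth\): authentication failure; .*?rhost=(?P<host>\S+)"
)

def parse_failures(text, year=2024):
    """Return a list of (timestamp, rhost) for every vsftpd PAM auth failure line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())          # collapse "Mar  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group("host")))
    return out

def offenders(text, maxretry=3, findtime=600):
    """Return the set of rhosts with at least `maxretry` failures inside any
    `findtime`-second window, i.e. fail2ban's ban condition for a jail."""
    window = timedelta(seconds=findtime)
    by_host = defaultdict(list)
    for ts, host in parse_failures(text):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned
```

With the defaults (3 failures in 10 minutes) only 198.51.100.7 qualifies; 203.0.113.5 fails twice but 24 minutes apart, so it stays unbanned.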