logging ftp downloads.

John (EBo) David plug-discuss@lists.PLUG.phoenix.az.us
Sat, 11 Aug 2001 22:54:04 -0700


Craig White wrote:
> 
> suggesting that he use another ftp server when he doesn't understand the
> one he's got isn't exactly a great answer.
> 
> Does Suse still use inetd and not xinetd?

the way I have it installed and set up it appears to be inetd...  I
changed /etc/xinetd.conf and rebooted and it was a no go; I then
*finally* found /etc/inetd.conf, hacked on that and now it does what I
expect.  Part of my problem is that SuSE is top heavy and sometimes I
have a difficult time figuring which is running when and what, as you
will see in a moment...

> Do you have anon-ftpd installed?
>
> Do you have wu-ftpd installed?

It appears so; there is a comment in the xinetd.conf that implies that
wu-ftp is the default.  Later I found that inetd is currently being used
and it uses ftpd by default...  go figure

> Both installed? try rpm -qa|grep ftp to see what you've got installed

yegads and little fishes.  probably more than I'll ever need/use.  That
is one disadvantage of SuSE.  It is typically top heavy.  So I guess
that is a possible vote for slackware (which I've heard is
lightweight)...

  gftp-2.0.7b-37
  kberoftp-1.0.0pre2-267
  ftpd-0.3.2-18
  lukemftp-1.5-5
  ftpdir-2001.1.15-0
  ncftp-3.0.2-5
  proftpd-1.2.0rc2-44
  tftp-0.14-19
  iglooftp-0.6.1-179
  xftp-2.1.0-170
  xmftp-1.0.4-283


> Redhat logs all transfers - /var/log/xferlog

that is what I would expect, but there is no transfer logging info.
That is what I am trying to turn on.

> also /var/log/secure lists all log-ins

I've been using "last" to get that info.  I have no /var/log/secure on
my machine...

> also try less last

do you mean last | less?  If so, that is what I did, in which I stumbled
on the odd ftp logins...

> the question is whether they are doing anonymous login and not able to
> get anywhere or if these are authenticating users. Authenticated users
> could be a problem if you don't have authenticated users. Also note that
> ftp daemons - regardless of flavor are notorious security risks - and
> MUST be kept up to date to cover exploits. Also, ftp really needs to
> corral users into specific areas so if you let any REAL users on, you
> need to chroot them. Do not allow any uploads until you are completely
> up to snuff on security aspects of ftp program.

For the moment I have disallowed anonymous ftp's in any case.  I still
want to get the log set up though, which I finally did and tested.  I
typically use only authenticated user access.  The problem with chroot
is that I typically need to rummage around and find what I want then
transfer it.  It may or may not be in my directory structure, and chroot
cut off the rest of the system from me (such as the partitions that are
dual boot that has all my general data...)

> see
> 
> man ftpd
> man ftpaccess

thanks,  and I did read the ftpd man pages.  ftpd supposedly will log
transfers to /var/log/ftpd if you give ftpd the "-S" switch on startup.
The problem is that I'm not sure where on the SuSE side to set the ftpd
command line switches...

Ok... color me more befuddled...  First I was looking for
/var/log/xferlog, then rereading the ftpd man pages I find that it is in
/var/log/ftpd (if I am reading correctly).  There are so many different
log files that are specific to each ftp daemon that I've lost track...
but oh well, I got it to basically work.

I do have a further question though.  In the ftpd man page I find:

     -l      Each successful and failed ftp(1) session is logged using syslog
             with a facility of LOG_FTP.  If this option is specified twice,
             the retrieve (get), store (put), append, delete, make directory,
             remove directory and rename operations and their filename
             arguments are also logged.

I've searched all over and cannot figure out if LOG_FTP is supposed to be
an environmental variable, or what, and I have been unable to turn on
logging for all users (like xferlog), or do you interpret this to be
only anonymous users?  Or is it possible that I should use wu-ftp or
proftp instead?

Oh yea, thanks a bunch Craig!

  EBo --
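The LOG_FTP in the man page excerpt above is not an environment variable: it is the syslog facility code (11 in the standard numbering) that ftpd stamps on every message, and the selector lines in syslog.conf (for example "ftp.*") decide which file those messages land in. The following is an added example, not code from this thread: it decodes the facility and severity from a syslog line's <PRI> header and evaluates a classic syslog.conf selector against it, so you can check where "-l -l" output will be routed. It assumes the classic BSD line format and plain "facility.level" selectors (the "=" and "!" modifiers of sysklogd are not handled); the sample line is constructed.

```python
import re

# Standard syslog facility codes (syslog.h / RFC 3164); LOG_FTP is 11.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
# Severity codes 0..7; the lower the number, the more urgent the message.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample line: PRI 94 = facility 11 (ftp) * 8 + severity 6 (info).
SAMPLE = "<94>Aug 11 22:54:04 suse ftpd[1234]: get /pub/file.txt (constructed sample)"


def decode_pri(line):
    """Return (facility_name, severity_name, rest) for a '<PRI>...' line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header in %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return FACILITIES.get(facility, "unknown%d" % facility), SEVERITIES[severity], m.group(2)


def selector_matches(selector, facility, severity):
    """Classic syslog.conf check: 'ftp.*', '*.info', 'mail,uucp.none;*.info'.

    'fac.level' matches messages at that severity or more urgent. Parts are
    applied left to right and a later part that names the facility overrides
    an earlier one, so '*.info;ftp.none' keeps ftp messages out of the file.
    """
    matched = False
    for part in selector.split(";"):
        facs, sep, level = part.strip().rpartition(".")
        if not sep:
            raise ValueError("malformed selector part %r" % part)
        fac_list = facs.split(",")
        if facility not in fac_list and "*" not in fac_list:
            continue
        if level == "*":
            matched = True
        elif level == "none":
            matched = False
        else:
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return matched
```

Decoding SAMPLE yields the ftp facility at info, which a selector such as "ftp.*" or "*.info" would route to its target file, while "*.info;ftp.none" would drop it.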