|
 |
d7fdbd |
From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001
|
|
|
d7fdbd |
From: Martin Sehnoutka <msehnout@redhat.com>
|
|
|
d7fdbd |
Date: Wed, 7 Sep 2016 10:17:17 +0200
|
|
|
d7fdbd |
Subject: [PATCH 08/59] Write denied logins into the log.
|
|
|
d7fdbd |
|
|
|
d7fdbd |
This patch adds a new option 'userlist_log'. If enabled,
|
|
|
d7fdbd |
every login denial based on the user list will be logged.
|
|
|
d7fdbd |
---
|
|
|
d7fdbd |
logging.c | 7 +++++++
|
|
|
d7fdbd |
logging.h | 11 +++++++++++
|
|
|
d7fdbd |
parseconf.c | 1 +
|
|
|
d7fdbd |
prelogin.c | 14 ++++++++++++++
|
|
|
d7fdbd |
tunables.c | 2 ++
|
|
|
d7fdbd |
tunables.h | 1 +
|
|
|
d7fdbd |
vsftpd.conf.5 | 8 ++++++++
|
|
|
d7fdbd |
7 files changed, 44 insertions(+)
|
|
|
d7fdbd |
|
|
|
d7fdbd |
diff --git a/logging.c b/logging.c
|
|
|
d7fdbd |
index ad531d6..99671b4 100644
|
|
|
d7fdbd |
--- a/logging.c
|
|
|
d7fdbd |
+++ b/logging.c
|
|
|
d7fdbd |
@@ -103,6 +103,13 @@ vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
|
|
|
d7fdbd |
vsf_log_common(p_sess, 1, what, p_str);
|
|
|
d7fdbd |
}
|
|
|
d7fdbd |
|
|
|
d7fdbd |
+void
|
|
|
d7fdbd |
+vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
|
|
|
d7fdbd |
+ struct mystr* p_str)
|
|
|
d7fdbd |
+{
|
|
|
d7fdbd |
+ vsf_log_common(p_sess, 0, what, p_str);
|
|
|
d7fdbd |
+}
|
|
|
d7fdbd |
+
|
|
|
d7fdbd |
int
|
|
|
d7fdbd |
vsf_log_entry_pending(struct vsf_session* p_sess)
|
|
|
d7fdbd |
{
|
|
|
d7fdbd |
diff --git a/logging.h b/logging.h
|
|
|
d7fdbd |
index 48f88ec..1ff57d1 100644
|
|
|
d7fdbd |
--- a/logging.h
|
|
|
d7fdbd |
+++ b/logging.h
|
|
|
d7fdbd |
@@ -80,5 +80,16 @@ void vsf_log_do_log(struct vsf_session* p_sess, int succeeded);
|
|
|
d7fdbd |
void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
|
|
|
d7fdbd |
struct mystr* p_str);
|
|
|
d7fdbd |
|
|
|
d7fdbd |
+/* vsf_log_failed_line()
|
|
|
d7fdbd |
+ * PURPOSE
|
|
|
d7fdbd |
+ * Same as vsf_log_line(), except that it logs the line as failed operation.
|
|
|
d7fdbd |
+ * PARAMETERS
|
|
|
d7fdbd |
+ * p_sess - the current session object
|
|
|
d7fdbd |
+ * what - the type of operation to log
|
|
|
d7fdbd |
+ * p_str - the string to log
|
|
|
d7fdbd |
+ */
|
|
|
d7fdbd |
+void vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
|
|
|
d7fdbd |
+ struct mystr* p_str);
|
|
|
d7fdbd |
+
|
|
|
d7fdbd |
#endif /* VSF_LOGGING_H */
|
|
|
d7fdbd |
|
|
|
d7fdbd |
diff --git a/parseconf.c b/parseconf.c
|
|
|
d7fdbd |
index ea2242b..385afd2 100644
|
|
|
d7fdbd |
--- a/parseconf.c
|
|
|
d7fdbd |
+++ b/parseconf.c
|
|
|
d7fdbd |
@@ -91,6 +91,7 @@ parseconf_bool_array[] =
|
|
|
d7fdbd |
{ "mdtm_write", &tunable_mdtm_write },
|
|
|
d7fdbd |
{ "lock_upload_files", &tunable_lock_upload_files },
|
|
|
d7fdbd |
{ "pasv_addr_resolve", &tunable_pasv_addr_resolve },
|
|
|
d7fdbd |
+ { "userlist_log", &tunable_userlist_log },
|
|
|
d7fdbd |
{ "debug_ssl", &tunable_debug_ssl },
|
|
|
d7fdbd |
{ "require_cert", &tunable_require_cert },
|
|
|
d7fdbd |
{ "validate_cert", &tunable_validate_cert },
|
|
|
d7fdbd |
diff --git a/prelogin.c b/prelogin.c
|
|
|
d7fdbd |
index df4aade..1588bc1 100644
|
|
|
d7fdbd |
--- a/prelogin.c
|
|
|
d7fdbd |
+++ b/prelogin.c
|
|
|
d7fdbd |
@@ -246,6 +246,20 @@ handle_user_command(struct vsf_session* p_sess)
|
|
|
d7fdbd |
check_login_delay();
|
|
|
d7fdbd |
vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied.");
|
|
|
d7fdbd |
check_login_fails(p_sess);
|
|
|
d7fdbd |
+ if (tunable_userlist_log)
|
|
|
d7fdbd |
+ {
|
|
|
d7fdbd |
+ struct mystr str_log_line = INIT_MYSTR;
|
|
|
d7fdbd |
+ if (tunable_userlist_deny)
|
|
|
d7fdbd |
+ {
|
|
|
d7fdbd |
+ str_alloc_text(&str_log_line, "User is in the deny user list.");
|
|
|
d7fdbd |
+ }
|
|
|
d7fdbd |
+ else
|
|
|
d7fdbd |
+ {
|
|
|
d7fdbd |
+ str_alloc_text(&str_log_line, "User is not in the allow user list.");
|
|
|
d7fdbd |
+ }
|
|
|
d7fdbd |
+ vsf_log_failed_line(p_sess, kVSFLogEntryLogin, &str_log_line);
|
|
|
d7fdbd |
+ str_free(&str_log_line);
|
|
|
d7fdbd |
+ }
|
|
|
d7fdbd |
str_empty(&p_sess->user_str);
|
|
|
d7fdbd |
return;
|
|
|
d7fdbd |
}
|
|
|
d7fdbd |
diff --git a/tunables.c b/tunables.c
|
|
|
d7fdbd |
index 0ac4c34..b30fca1 100644
|
|
|
d7fdbd |
--- a/tunables.c
|
|
|
d7fdbd |
+++ b/tunables.c
|
|
|
d7fdbd |
@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl;
|
|
|
d7fdbd |
int tunable_mdtm_write;
|
|
|
d7fdbd |
int tunable_lock_upload_files;
|
|
|
d7fdbd |
int tunable_pasv_addr_resolve;
|
|
|
d7fdbd |
+int tunable_userlist_log;
|
|
|
d7fdbd |
int tunable_debug_ssl;
|
|
|
d7fdbd |
int tunable_require_cert;
|
|
|
d7fdbd |
int tunable_validate_cert;
|
|
|
d7fdbd |
@@ -212,6 +213,7 @@ tunables_load_defaults()
|
|
|
d7fdbd |
tunable_mdtm_write = 1;
|
|
|
d7fdbd |
tunable_lock_upload_files = 1;
|
|
|
d7fdbd |
tunable_pasv_addr_resolve = 0;
|
|
|
d7fdbd |
+ tunable_userlist_log = 0;
|
|
|
d7fdbd |
tunable_debug_ssl = 0;
|
|
|
d7fdbd |
tunable_require_cert = 0;
|
|
|
d7fdbd |
tunable_validate_cert = 0;
|
|
|
d7fdbd |
diff --git a/tunables.h b/tunables.h
|
|
|
d7fdbd |
index 05d2456..e44d64c 100644
|
|
|
d7fdbd |
--- a/tunables.h
|
|
|
d7fdbd |
+++ b/tunables.h
|
|
|
d7fdbd |
@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl; /* Require anon data uses SSL */
|
|
|
d7fdbd |
extern int tunable_mdtm_write; /* Allow MDTM to set timestamps */
|
|
|
d7fdbd |
extern int tunable_lock_upload_files; /* Lock uploading files */
|
|
|
d7fdbd |
extern int tunable_pasv_addr_resolve; /* DNS resolve pasv_addr */
|
|
|
d7fdbd |
+extern int tunable_userlist_log; /* Log every failed login attempt */
|
|
|
d7fdbd |
extern int tunable_debug_ssl; /* Verbose SSL logging */
|
|
|
d7fdbd |
extern int tunable_require_cert; /* SSL client cert required */
|
|
|
d7fdbd |
extern int tunable_validate_cert; /* SSL certs must be valid */
|
|
|
d7fdbd |
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
|
|
|
d7fdbd |
index 5e46a2f..9d767b1 100644
|
|
|
d7fdbd |
--- a/vsftpd.conf.5
|
|
|
d7fdbd |
+++ b/vsftpd.conf.5
|
|
|
d7fdbd |
@@ -586,6 +586,14 @@ Default: NO
|
|
|
d7fdbd |
If set to yes, all SSL client certificates received must validate OK.
|
|
|
d7fdbd |
Self-signed certs do not constitute OK validation. (New in v2.0.6).
|
|
|
d7fdbd |
|
|
|
d7fdbd |
+Default: NO
|
|
|
d7fdbd |
+.TP
|
|
|
d7fdbd |
+.B userlist_log
|
|
|
d7fdbd |
+This option is examined if
|
|
|
d7fdbd |
+.BR userlist_enable
|
|
|
d7fdbd |
+is activated. If enabled, every login denial based on the user list will be
|
|
|
d7fdbd |
+logged.
|
|
|
d7fdbd |
+
|
|
|
d7fdbd |
Default: NO
|
|
|
d7fdbd |
.TP
|
|
|
d7fdbd |
.B virtual_use_local_privs
|
|
|
d7fdbd |
--
|
|
|
d7fdbd |
2.14.4
|
|
|
d7fdbd |
|