0008-Write-denied-logins-into-the-log.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001
From: Martin Sehnoutka <msehnout@redhat.com>
Date: Wed, 7 Sep 2016 10:17:17 +0200
Subject: [PATCH 08/59] Write denied logins into the log.

This patch adds a new option 'userlist_log'. If enabled,
every login denial based on the user list will be logged.
---
 logging.c     |  7 +++++++
 logging.h     | 11 +++++++++++
 parseconf.c   |  1 +
 prelogin.c    | 14 ++++++++++++++
 tunables.c    |  2 ++
 tunables.h    |  1 +
 vsftpd.conf.5 |  8 ++++++++
 7 files changed, 44 insertions(+)

diff --git a/logging.c b/logging.c
index ad531d6..99671b4 100644
--- a/logging.c
+++ b/logging.c
@@ -103,6 +103,13 @@ vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
   vsf_log_common(p_sess, 1, what, p_str);
 }
 
+void
+vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+             struct mystr* p_str)
+{
+  vsf_log_common(p_sess, 0, what, p_str);
+}
+
 int
 vsf_log_entry_pending(struct vsf_session* p_sess)
 {
diff --git a/logging.h b/logging.h
index 48f88ec..1ff57d1 100644
--- a/logging.h
+++ b/logging.h
@@ -80,5 +80,16 @@ void vsf_log_do_log(struct vsf_session* p_sess, int succeeded);
 void vsf_log_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
                   struct mystr* p_str);
 
+/* vsf_log_failed_line()
+ * PURPOSE
+ * Same as vsf_log_line(), except that it logs the line as failed operation.
+ * PARAMETERS
+ * p_sess       - the current session object
+ * what         - the type of operation to log
+ * p_str        - the string to log
+ */
+void vsf_log_failed_line(struct vsf_session* p_sess, enum EVSFLogEntryType what,
+                  struct mystr* p_str);
+
 #endif /* VSF_LOGGING_H */
 
diff --git a/parseconf.c b/parseconf.c
index ea2242b..385afd2 100644
--- a/parseconf.c
+++ b/parseconf.c
@@ -91,6 +91,7 @@ parseconf_bool_array[] =
   { "mdtm_write", &tunable_mdtm_write },
   { "lock_upload_files", &tunable_lock_upload_files },
   { "pasv_addr_resolve", &tunable_pasv_addr_resolve },
+  { "userlist_log", &tunable_userlist_log },
   { "debug_ssl", &tunable_debug_ssl },
   { "require_cert", &tunable_require_cert },
   { "validate_cert", &tunable_validate_cert },
diff --git a/prelogin.c b/prelogin.c
index df4aade..1588bc1 100644
--- a/prelogin.c
+++ b/prelogin.c
@@ -246,6 +246,20 @@ handle_user_command(struct vsf_session* p_sess)
       check_login_delay();
       vsf_cmdio_write(p_sess, FTP_LOGINERR, "Permission denied.");
       check_login_fails(p_sess);
+      if (tunable_userlist_log)
+      {
+        struct mystr str_log_line = INIT_MYSTR;
+        if (tunable_userlist_deny)
+        {
+          str_alloc_text(&str_log_line, "User is in the deny user list.");
+        }
+        else
+        {
+          str_alloc_text(&str_log_line, "User is not in the allow user list.");
+        }
+        vsf_log_failed_line(p_sess, kVSFLogEntryLogin, &str_log_line);
+        str_free(&str_log_line);
+      }
       str_empty(&p_sess->user_str);
       return;
     }
diff --git a/tunables.c b/tunables.c
index 0ac4c34..b30fca1 100644
--- a/tunables.c
+++ b/tunables.c
@@ -72,6 +72,7 @@ int tunable_force_anon_data_ssl;
 int tunable_mdtm_write;
 int tunable_lock_upload_files;
 int tunable_pasv_addr_resolve;
+int tunable_userlist_log;
 int tunable_debug_ssl;
 int tunable_require_cert;
 int tunable_validate_cert;
@@ -212,6 +213,7 @@ tunables_load_defaults()
   tunable_mdtm_write = 1;
   tunable_lock_upload_files = 1;
   tunable_pasv_addr_resolve = 0;
+  tunable_userlist_log = 0;
   tunable_debug_ssl = 0;
   tunable_require_cert = 0;
   tunable_validate_cert = 0;
diff --git a/tunables.h b/tunables.h
index 05d2456..e44d64c 100644
--- a/tunables.h
+++ b/tunables.h
@@ -73,6 +73,7 @@ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
 extern int tunable_mdtm_write;                /* Allow MDTM to set timestamps */
 extern int tunable_lock_upload_files;         /* Lock uploading files */
 extern int tunable_pasv_addr_resolve;         /* DNS resolve pasv_addr */
+extern int tunable_userlist_log;              /* Log every failed login attempt */
 extern int tunable_debug_ssl;                 /* Verbose SSL logging */
 extern int tunable_require_cert;              /* SSL client cert required */
 extern int tunable_validate_cert;             /* SSL certs must be valid */
diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
index 5e46a2f..9d767b1 100644
--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
@@ -586,6 +586,14 @@ Default: NO
 If set to yes, all SSL client certificates received must validate OK.
 Self-signed certs do not constitute OK validation. (New in v2.0.6).
 
+Default: NO
+.TP
+.B userlist_log
+This option is examined if
+.BR userlist_enable
+is activated. If enabled, every login denial based on the user list will be
+logged.
+
 Default: NO
 .TP
 .B virtual_use_local_privs
-- 
2.14.4