How to monitor ftp?

If somebody FTPs a file from one server to my server, can I know what he FTP'd? And when he FTP'd it?

The short answer is yes.

To get details on ftp transactions you need to turn on logging in your ftp configuration file and restart the ftp process. A typical destination is /var/log/messages. The transaction(s) will include date/time login and files transferred.

Here are some more specific steps on how to get FTP logging started.

Add the "-d" (debugging) option to your ftp process in /etc/services and refresh your inetd process

host:/:$ grep ^ftp /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -d
host:/:$ refresh -s inetd
0513-095 The request for subsystem refresh was completed successfully.
host:/:$

Add a "daemon.debug" entry to your /etc/syslog.conf, touch the file you specify for the logs, then restart the syslogd.

host:/:$ grep ^daemon.debug /etc/syslog.conf
daemon.debug    /var/log/syslogs/syslog.daemon.debug    rotate size 5m files 1  # maintain 1 archived file, 5M
host:/:$ touch /var/log/syslogs/syslog.daemon.debug
host:/:$ refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
host:/:$

Be sure to touch the file. The syslogd does not create log files!

FTP into your box so some logs are generated and then cd to your /var/log/syslogs directory and you should see the detailed FTP logging.

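Once the debug log is being written, it can be reduced to who transferred what and when. The script below is an added example, not part of the original posts. It assumes ftpd -d writes BSD-style "command: VERB argument" lines tagged "ftpd[PID]:"; the sample lines and the names ftp_transfers and sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example: list file transfers recorded by "ftpd -d" in a syslog file.
# Assumption: each FTP command is logged as
#   Mon DD HH:MM:SS host ... ftpd[PID]: command: VERB argument<CR>
# Check a few real lines from your own log before relying on this.

# Usage: ftp_transfers /var/log/syslogs/syslog.daemon.debug   (or read stdin)
# Output: time <TAB> user <TAB> verb <TAB> file
ftp_transfers() {
    awk '
    {
        sub(/\r$/, "")                       # raw command may end in CR
        if (!match($0, /ftpd\[[0-9]+\]: command: /)) next
        pid  = substr($0, RSTART + 5, RLENGTH - 17)
        rest = substr($0, RSTART + RLENGTH)  # "VERB argument"
        sp   = index(rest, " ")
        verb = toupper(sp ? substr(rest, 1, sp - 1) : rest)
        arg  = sp ? substr(rest, sp + 1) : ""
        when = $1 " " $2 " " $3

        # Remember which login belongs to which ftpd process.
        if (verb == "USER") { user[pid] = arg; next }

        # STOR/STOU/APPE = file written to this server, RETR = file read
        # from it, DELE = file removed. Other verbs (PASS included) are
        # never printed.
        if (verb ~ /^(STOR|STOU|APPE|RETR|DELE)$/)
            printf "%s\t%s\t%s\t%s\n", when, \
                   ((pid in user) ? user[pid] : "?"), verb, arg
    }' "$@"
}

# Constructed sample log lines (not real data), each ending in CR LF.
sample_log() {
    printf '%s\r\n' \
      'Mar 10 10:15:30 host daemon:debug ftpd[20054]: command: USER alice' \
      'Mar 10 10:15:31 host daemon:debug ftpd[20054]: command: PASS (password)' \
      'Mar 10 10:15:40 host daemon:debug ftpd[20054]: command: STOR quarterly report.csv' \
      'Mar 10 10:16:02 host daemon:debug ftpd[20311]: command: USER bob' \
      'Mar 10 10:16:05 host daemon:debug ftpd[20054]: command: QUIT' \
      'Mar 10 10:16:09 host daemon:debug ftpd[20311]: command: retr /etc/motd' \
      'Mar 10 10:16:10 host daemon:info sshd[999]: unrelated line'
}

sample_log | ftp_transfers
```

Sessions are keyed on the ftpd process ID, so interleaved logins from different clients stay attributed to the right user.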