Source IP not in my ftpd debug logs

I have random connections coming into my FTP server, but the source IP is not showing up in my logs. Here is what my logs look like when I try to connect as a "whatever" user that doesn't exist. You can see there is no source IP telling me where this connection came from:

Jun 27 10:13:40 hostname daemon:debug ftpd[7733374]: <--- 220
Jun 27 10:13:40 hostname daemon:debug ftpd[7733374]: hostname FTP server (Version 4.2 Mon Dec 3 12:04:40 CST 2012) ready.
Jun 27 10:13:48 hostname daemon:debug ftpd[7733374]: command: USER whatever^M
Jun 27 10:13:48 hostname daemon:debug ftpd[7733374]: <--- 331
Jun 27 10:13:48 hostname daemon:debug ftpd[7733374]: Password required for whatever.
Jun 27 10:13:56 hostname daemon:debug ftpd[7733374]: command: PASS
Jun 27 10:13:56 hostname daemon:debug ftpd[7733374]: <--- 530
Jun 27 10:13:56 hostname daemon:debug ftpd[7733374]: Login incorrect.
Jun 27 10:14:00 hostname daemon:debug ftpd[7733374]: command: QUIT^M
Jun 27 10:14:00 hostname daemon:debug ftpd[7733374]: <--- 221
Jun 27 10:14:00 hostname daemon:debug ftpd[7733374]: Goodbye.

Here's my ftp entry in the inetd.conf file:

hostname:/:$ grep ^ftp /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd  ftpd -u 002 -d

Here's my daemon.debug entry in my syslog.conf:

hostname:/:$ grep ^daemon.debug /etc/syslog.conf
daemon.debug    /var/log/syslogs/syslog.daemon.debug     rotate size 30m files 5  # maintain 5 files, 30M each

Is there something else I need to enable to get more detailed logs so I can see the source IP of where connections are coming from?

Neither inetd nor syslog controls what information gets put in your logfiles; you need to configure the FTP daemon to do that. Which FTP daemon are you using?

I'm using the FTP daemon that is part of the AIX default install. The inetd.conf file has the ftpd executable listed in it with these arguments:

ftpd -u 002 -d

What am I missing to get it to log source IPs?

You may need to add the -l flag too.

Robin


EDIT!! That did it... "-l" must send "info" messages to the syslogd and the remote hostname/IP must be "info" level instead of "debug" level. Thanks rbatte1!

Jun 27 11:27:25 hostname daemon:info ftpd[5963900]: connection from remotehost at Fri Jun 27 11:27:25 2014
Jun 27 11:27:25 hostname daemon:debug ftpd[5963900]: <--- 220
Jun 27 11:27:25 hostname daemon:debug ftpd[5963900]: hostname FTP server (Version 4.2 Mon Dec 3 12:04:40 CST 2012) ready.
Jun 27 11:27:30 hostname daemon:debug ftpd[5963900]: command: USER whatever^M
Jun 27 11:27:30 hostname daemon:debug ftpd[5963900]: <--- 331
Jun 27 11:27:30 hostname daemon:debug ftpd[5963900]: Password required for whatever.
Jun 27 11:27:32 hostname daemon:debug ftpd[5963900]: command: PASS
Jun 27 11:27:32 hostname daemon:debug ftpd[5963900]: <--- 530
Jun 27 11:27:32 hostname daemon:debug ftpd[5963900]: Login incorrect.
Jun 27 11:27:33 hostname daemon:debug ftpd[5963900]: command: QUIT^M
Jun 27 11:27:33 hostname daemon:debug ftpd[5963900]: <--- 221
Jun 27 11:27:33 hostname daemon:debug ftpd[5963900]: Goodbye.
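With `-l` enabled, the daemon:info `connection from` line and the later daemon:debug `Login incorrect.` line carry the same ftpd PID, so a failed login can be attributed to its source. The function below is an added example, not from the thread; `ftp_failed_logins`, `sample_log` and the sample hosts and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): count failed AIX ftpd logins per source.
# ftpd tags every line with its PID, so the daemon:info "connection from" line
# that -l produces can be joined to the daemon:debug "Login incorrect." line.

ftp_failed_logins() {
    awk '
    $6 ~ /^ftpd\[[0-9]+\]:$/ {
        pid = $6; gsub(/[^0-9]/, "", pid)
        if ($7 == "connection" && $8 == "from") {
            src[pid] = $9; user[pid] = "-"        # new session for this PID
        } else if ($7 == "command:" && $8 == "USER") {
            u = $9
            sub(/\r$/, "", u); sub(/\^M$/, "", u)  # drop CR or literal ^M
            user[pid] = u
        } else if ($7 == "Login" && $8 == "incorrect.") {
            s = (pid in src) ? src[pid] : "UNKNOWN"   # session logged without -l
            n = (pid in user) ? user[pid] : "-"
            fails[s " " n]++
        }
    }
    END { for (k in fails) print fails[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample in the log format shown in the thread; hosts and PIDs are made up.
sample_log() {
    cat <<'EOF'
Jun 27 11:27:25 hostname daemon:info ftpd[1001]: connection from 192.0.2.10 at Fri Jun 27 11:27:25 2014
Jun 27 11:27:30 hostname daemon:debug ftpd[1001]: command: USER whatever^M
Jun 27 11:27:32 hostname daemon:debug ftpd[1001]: command: PASS
Jun 27 11:27:32 hostname daemon:debug ftpd[1001]: Login incorrect.
Jun 27 11:28:01 hostname daemon:info ftpd[1002]: connection from 192.0.2.10 at Fri Jun 27 11:28:01 2014
Jun 27 11:28:04 hostname daemon:debug ftpd[1002]: command: USER whatever^M
Jun 27 11:28:06 hostname daemon:debug ftpd[1002]: Login incorrect.
Jun 27 11:29:10 hostname daemon:debug ftpd[1003]: command: USER admin^M
Jun 27 11:29:12 hostname daemon:debug ftpd[1003]: Login incorrect.
EOF
}

sample_log | ftp_failed_logins   # one line per source/user pair: count source user
```

Pass the real log file as an argument, for example the daemon.debug file named in syslog.conf above; sessions recorded before `-l` was added show up as `UNKNOWN`.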