Topic: Failed ftp logins not logging in /etc/security/failedlogin on AIX

Offline mrd

  • New user
  • Posts: 7
Hi, I have an issue whereby failed logins to the proftpd server (i.e. the user inputs the wrong password) are not being logged by AIX (N.B. good logins are logged), so any restrictions I have on the user to lock after X failed attempts don't ever kick in.

I've tried this in standalone and inetd mode, but to no avail.

Is there a configuration item to resolve this, or is it this way by design?

I am using proftpd 1.3.5b.

Thanks
Matt

Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5274
    • http://www.castaglia.org/
Re: Failed ftp logins not logging in /etc/security/failedlogin on AIX
« Reply #1 on: January 20, 2017, 04:10:32 pm »
In which file(s) are you looking, expecting to see such records of failed logins?

Offline mrd

« Reply #2 on: January 27, 2017, 01:45:44 pm »
Hi,
Failed logins are recorded in /etc/security/failedlogin

See: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.files/utmp.htm

Note the line about "On an invalid login attempt, due to an incorrect login name or password, the login program makes an entry in /etc/security/failedlogin file, which contains a record of unsuccessful login attempts."

This is an audit record of failed logins, but the way AIX keeps track of how many unsuccessful login attempts a user has is by storing the count in /etc/security/lastlog.

See: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.files/lastlog.htm

So what doesn't seem to be happening is that a failed login attempt via proftpd is causing AIX to know there was a failed login attempt - hence users not getting locked after a number of failed login attempts, even though the user is set to lockout.

Thanks for replying!

Matt

Offline castaglia

« Reply #3 on: January 27, 2017, 05:37:41 pm »
Hmm.  ProFTPD *does* have lastlog support, so that _should_ be working.  Could you provide the config.log and config.h files, generated from building ProFTPD from source?   Those might help give some clues as to why it might not be working as expected.

Offline mrd

« Reply #4 on: January 27, 2017, 05:49:06 pm »
Thanks for looking at this, files attached

Offline castaglia

« Reply #5 on: January 27, 2017, 06:58:58 pm »
Ah.  In the config.h file, I see:

  /* Define if you have the <lastlog.h> header file.  */
  /* #undef HAVE_LASTLOG_H */

This indicates that ProFTPD's configure script couldn't find the <lastlog.h> C header file; that's a prerequisite for ProFTPD's lastlog support, as it _assumes_ that that header file defines a "struct lastlog", for writing to the lastlog file with the correct format.

I'm searching online now, hoping to find some IBM/AIX documentation for that header file (and/or struct), to see what changes would be needed for the configure script (and code)...

Update: looks like, for AIX, ProFTPD will need new code, to look for (and use) the loginfailed() and loginsuccess() functions:

  https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.basetrf1/loginsuccess.htm
  https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.basetrf1/loginfailed.htm

Would you mind opening a feature request for this work on bugs.proftpd.org?
« Last Edit: January 27, 2017, 07:15:26 pm by castaglia »
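
Added example, not part of the thread and not ProFTPD's code: a sketch of how an authenticating daemon on AIX could report each password check through loginfailed() and loginsuccess(), so that failed attempts are recorded and count toward the user's lockout limit. The call signatures follow the IBM pages linked above; `record_auth_result`, the "ftp" tty label and the non-AIX stand-ins are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _AIX
#include <usersec.h>   /* loginfailed(), loginsuccess() */
#include <sys/audit.h> /* AUDIT_FAIL_AUTH */
#else
/* Constructed stand-ins so the example builds off AIX; they only count calls. */
#define AUDIT_FAIL_AUTH 1
static int failed_calls, success_calls;
static int loginfailed(char *user, char *host, char *tty, int reason) {
    (void)user; (void)host; (void)tty; (void)reason;
    failed_calls++;
    return 0;
}
static int loginsuccess(char *user, char *host, char *tty, char **msg) {
    (void)user; (void)host; (void)tty;
    *msg = NULL;
    success_calls++;
    return 0;
}
#endif

/* Hypothetical hook: call once per password check, while the process can
 * still update the root-owned files under /etc/security.
 * Returns 0 if the OS accepted the record, -1 otherwise. */
int record_auth_result(const char *user, const char *rhost, int authenticated) {
    char u[64], h[256], tty[] = "ftp"; /* "ftp" as the tty label is an assumption */
    char *msg = NULL;
    int rc;

    if (user == NULL || *user == '\0' || strlen(user) >= sizeof u)
        return -1;
    snprintf(u, sizeof u, "%s", user);
    snprintf(h, sizeof h, "%s", rhost ? rhost : "");
    if (authenticated) {
        rc = loginsuccess(u, h, tty, &msg); /* resets the failure counter */
        free(msg);                          /* message is malloc'd by the OS */
    } else {
        rc = loginfailed(u, h, tty, AUDIT_FAIL_AUTH); /* counts toward lockout */
    }
    return rc == 0 ? 0 : -1;
}

int main(void) {
    printf("failed attempt recorded: %d\n", record_auth_result("alice", "192.0.2.10", 0));
    return 0;
}
```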

Offline mrd

« Reply #6 on: January 30, 2017, 09:00:02 am »
Bug 4285 raised, thank you for looking at this.
Matt