1. Introduction

The File Transfer Protocol (FTP) is a standard protocol to send and receive files efficiently over a network. In fact, due to the convenience the protocol offers, administrators often depend on it to share bulk data simultaneously.

Nevertheless, to maintain and manage all activities concerning FTP, it’s essential to log all transfers. Logging FTP transfers entails tracking and storing all activities that relate to the protocol in a system. This is ideal to ensure adequate security and to keep records for audit purposes.

In this article, we’ll discuss how to efficiently log FTP transfers to ensure clear visibility of the activities in our system.

2. What is FTP?

File Transfer Protocol (FTP) is a standard communication protocol in the application layer of the Open Systems Interconnection (OSI) model that enables a client and server to transfer files over a network. Beyond basic file sharing, its usage cuts across various purposes, such as web content management, backup and recovery, software distribution, and data migration.

Nonetheless, FTP transmits data, including usernames and passwords used for connections, in plaintext. This vulnerability allows third parties to sniff sensitive information. While this is a concern, advanced versions like Secure File Transfer Protocol (SFTP) and File Transfer Protocol Secure (FTPS) provide better security for file transfers.

In addition, for effective operation, FTP uses two channels for communication. First is the control channel, which runs on port 21 and manages the commands and responses between the client and server. The other is the data channel, which operates on port 20 and is responsible for the transfer of files across the network.

3. How to Log FTP Transfers

In order to log FTP transfers optimally, we need to ensure that we have an FTP server running in our environment. Additionally, we’ve got to ensure that this server is manually configured to log transfers; otherwise, we might not get a comprehensive result.

There are many FTP services available for this on Linux. They include the Very Secure FTP Daemon (VSFTPD), Pure FTP Daemon (PFTPD), etc. However, in this article, we’re using the VSFTPD to show examples.

3.1. Installing an FTP Server

We can install vsftpd with the apt-get command in case it’s not already on our system. However, it’s crucial to run the command with sudo to ensure we have adequate permissions.

Now, let’s start the installation process by running the apt update command:

$ sudo apt update 

Basically, by running the apt update command, we can prevent any dependency issues that may occur during the operation. Next, we install the vsftpd server:

$ sudo apt-get install vsftpd 
...        
The following NEW packages will be installed:
 vsftpd
0 upgraded, 1 newly installed, 0 to remove and 1738 not 
...

Then, we start the service:

$ sudo systemctl start vsftpd

Normally, this shows no output, which means that the server is installed and the service started without errors.

3.2. Backing Up the Existing Configuration File

After installing our FTP server, the next step is to configure it to log all FTP activities in the environment. However, before proceeding, a few factors need to be considered.

First, backing up the existing configuration file is essential. This step is crucial because it enables us to roll back to the original configuration file if any mistakes occur during the configuration process.

Additionally, having a backup enables us to compare the new configuration file with the original to spot any errors.

For example, let’s show how to backup the FTP configuration file:

$ sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

This command displays no output when the backup succeeds. It creates a file named vsftpd.conf.bak in the /etc directory, next to the original.

3.3. Modifying the logrotate File

After backing up, another factor to consider is the management of our system’s disk space and storage. This is an issue because excess log files can consume space and hinder the logging of important activities.

To address this, we can configure tools like logrotate to ensure efficient log rotation. This tool can help control the size of files and prevent them from consuming space by rotating, compressing, and deleting old logs.

For example, let’s open the logrotate configuration file with a text editor:

$ sudo nano /etc/logrotate.d/vsftpd

Then, we delete the existing configuration lines and add the following:

/var/log/vsftpd.log {
    monthly                
    missingok
    rotate 1              
    compress
    delaycompress
    notifempty
    create 0640 root utmp
    sharedscripts
    postrotate
        /usr/sbin/service vsftpd restart > /dev/null
    endscript
}

Let’s understand what these lines do:

  • /var/log/vsftpd.log: specifies the file the configuration applies to
  • monthly: rotates the log file once a month
  • missingok: prevents logrotate from reporting an error when the log file is missing
  • rotate 1: keeps one rotated log file, which with monthly rotation means only one month of history
  • compress: compresses rotated log files to save space
  • delaycompress: postpones compression of a rotated log file until the next rotation
  • notifempty: skips rotation if the log file is empty
  • create 0640 root utmp: creates the new log file with mode 0640, owner root, and group utmp
  • sharedscripts: ensures that the postrotate script runs only once per rotation, however many log files match
  • postrotate: a script that restarts vsftpd after rotation so that it writes to the new, empty log file

After adding these lines, we save our changes and exit the editor.

3.4. Configuring the FTP Server to Log Transfers

Here, we modify the vsftpd configuration file to enable logging of FTP transfers.

For example, let’s open the configuration file with a text editor:

$ sudo nano /etc/vsftpd.conf

Then, add the following lines at the end of the file:

xferlog_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log

Let’s clarify the function of each line:

  • xferlog_enable=YES: enables file transfer logging
  • log_ftp_protocol=YES: activates logging of FTP commands and responses
  • xferlog_std_format=NO: writes the log in vsftpd’s own, more comprehensive format instead of the standard xferlog format
  • xferlog_file=/var/log/vsftpd.log: sets the log file to /var/log/vsftpd.log

After adding these lines, we save our changes and exit the editor.

Next, we restart our FTP server to apply the changes:

$ sudo systemctl restart vsftpd

Then, enable the service:

$ sudo systemctl enable vsftpd
Synchronizing state of vsftpd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

Basically, with these configuration settings, we can get detailed information on all FTP activities in our system. This includes the FTP commands from the client and the response from the server.

Moreover, on some systems, the xferlog_enable directive is already set to YES in the default configuration file. Therefore, it’s crucial to check the existing status of this directive before adding it, to avoid redundancy that can lead to errors.
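
One way to run this check on the configuration file, as an added example that is not part of the original article or of vsftpd: the Python code below scans the text of a vsftpd.conf for the four logging directives and reports missing, repeated, or malformed entries. The function name, the sample file content, and the choice to check the last occurrence of a repeated option are assumptions.

```python
# The four logging directives this article appends to /etc/vsftpd.conf.
REQUIRED = {
    "xferlog_enable": "YES",
    "log_ftp_protocol": "YES",
    "xferlog_std_format": "NO",
    "xferlog_file": "/var/log/vsftpd.log",
}

# Constructed sample: a file that already set some of the options before the
# new lines were appended, plus one line with spaces around '='.
SAMPLE_CONF = """\
# Activate logging of uploads/downloads.
xferlog_enable=YES
#xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
xferlog_enable=YES
log_ftp_protocol = YES
xferlog_std_format=NO
"""

def check_logging(conf_text, required=REQUIRED):
    """Return a list of findings for the logging directives in vsftpd.conf text."""
    seen, findings = {}, []          # seen: option -> [(line number, value), ...]
    for n, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        key = name.strip()
        if key not in required:
            continue
        # vsftpd.conf(5): putting a space between option, '=' and value is an error.
        if not sep or name != key or value != value.lstrip():
            findings.append(f"line {n}: malformed, no '=' or whitespace next to it")
            continue
        seen.setdefault(key, []).append((n, value))
    for key, want in required.items():
        hits = seen.get(key, [])
        if not hits:
            findings.append(f"{key}: not set, expected {want}")
            continue
        if len(hits) > 1:
            findings.append(f"{key}: set on lines {[n for n, _ in hits]}")
        # Assumption: when an option repeats, the last occurrence is the one to check.
        if hits[-1][1] != want:
            findings.append(f"{key}: last value is {hits[-1][1]}, expected {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_logging(SAMPLE_CONF)))
```

To check the real file, we can pass the contents of /etc/vsftpd.conf to check_logging() and compare the findings against the backup made earlier.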

3.5. Testing Logging Setup

For scenarios where the server is newly installed, we can perform some FTP activities to generate logs for transfers.

For example, let’s connect to our FTP server:

$ ftp john@127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Now, we run a transfer command:

ftp> get Dedicated-to-Amara.txt
local: Dedicated-to-Amara.txt remote: Dedicated-to-Amara.txt
229 Entering Extended Passive Mode (|||20330|)
150 Opening BINARY mode data connection for Dedicated-to-Amara.txt (10 bytes).
100% |**********************************************************************************************************************************************************************************************|    10       96.68 KiB/s    00:00 ETA
226 Transfer complete.
10 bytes received in 00:00 (14.70 KiB/s)

Next, we check the FTP log:

$ sudo cat /var/log/vsftpd.log
Sat Jul 20 13:24:14 2024 [pid 103023] CONNECT: Client "::ffff:127.0.0.1"
Sat Jul 20 13:24:14 2024 [pid 103023] FTP response: Client "::ffff:127.0.0.1", "220 (vsFTPd 3.0.3)"
Sat Jul 20 13:24:14 2024 [pid 103023] FTP command: Client "::ffff:127.0.0.1", "USER john"
Sat Jul 20 13:24:14 2024 [pid 103023] [john] FTP response: Client "::ffff:127.0.0.1", "331 Please specify the password."
Sat Jul 20 13:24:16 2024 [pid 103023] [john] FTP command: Client "::ffff:127.0.0.1", "PASS <password>"
Sat Jul 20 13:24:23 2024 [pid 103048] [john] FTP command: Client "::ffff:127.0.0.1", "CWD uploads"
Sat Jul 20 13:24:23 2024 [pid 103048] [john] FTP response: Client "::ffff:127.0.0.1", "250 Directory successfully changed."
...
Sat Jul 20 13:26:07 2024 [pid 103048] [john] FTP command: Client "::ffff:127.0.0.1", "RETR Dedicated-to-Amara.txt"
Sat Jul 20 13:26:07 2024 [pid 103048] [john] FTP response: Client "::ffff:127.0.0.1", "150 Opening BINARY mode data connection for Dedicated-to-Amara.txt (10 bytes)."
Sat Jul 20 13:26:07 2024 [pid 103048] [john] OK DOWNLOAD: Client "::ffff:127.0.0.1", "/uploads/Dedicated-to-Amara.txt", 10 bytes, 6.81Kbyte/sec
Sat Jul 20 13:26:07 2024 [pid 103048] [john] FTP response: Client "::ffff:127.0.0.1", "226 Transfer complete."
...

Overall, the log shows information about the user login session. It also details the commands specified by the user and the actions performed, including downloading a file.
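
To turn this log into something we can review, the following added example (not from the original article) parses vsftpd-format lines like the ones above, lists the recorded transfers, and flags clients with repeated failed logins. Only the RETR and DOWNLOAD sample lines come from the article; the other sample lines are constructed in the same layout, and the function names and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Layout of a vsftpd-format line (xferlog_std_format=NO), as in the excerpt above:
# <timestamp> [pid N] [user] <OK|FAIL> <EVENT>: Client "<addr>", <details>
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?:(?P<status>OK|FAIL) )?'
    r'(?P<event>[A-Za-z ]+): Client "(?P<client>[^"]*)"(?:, (?P<rest>.*))?$'
)
XFER_RE = re.compile(r'^"(?P<path>.*)", (?P<size>\d+) bytes')

# Constructed sample: only the RETR and DOWNLOAD lines come from the article.
SAMPLE = '''\
Sat Jul 20 13:26:07 2024 [pid 103048] [john] FTP command: Client "::ffff:127.0.0.1", "RETR Dedicated-to-Amara.txt"
Sat Jul 20 13:26:07 2024 [pid 103048] [john] OK DOWNLOAD: Client "::ffff:127.0.0.1", "/uploads/Dedicated-to-Amara.txt", 10 bytes, 6.81Kbyte/sec
Sat Jul 20 13:30:01 2024 [pid 103101] [admin] FAIL LOGIN: Client "::ffff:203.0.113.7"
Sat Jul 20 13:30:03 2024 [pid 103104] [root] FAIL LOGIN: Client "::ffff:203.0.113.7"
Sat Jul 20 13:30:05 2024 [pid 103107] [john] FAIL LOGIN: Client "::ffff:203.0.113.7"
Sat Jul 20 13:31:10 2024 [pid 103120] [john] OK UPLOAD: Client "::ffff:127.0.0.1", "/uploads/report.csv", 2048 bytes, 310.22Kbyte/sec
this line is not in vsftpd format
'''

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["client"].startswith("::ffff:"):   # IPv4-mapped IPv6 address
        rec["client"] = rec["client"][7:]
    return rec

def audit(text, max_failed=3):
    """Summarise transfers and flag clients with >= max_failed failed logins."""
    transfers, failed, unparsed = [], Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1      # count unmatched lines instead of dropping them silently
        elif rec["event"] in ("UPLOAD", "DOWNLOAD") and (x := XFER_RE.match(rec["rest"] or "")):
            transfers.append((rec["user"], rec["client"], rec["status"], rec["event"],
                              x["path"], int(x["size"])))
        elif rec["event"] == "LOGIN" and rec["status"] == "FAIL":
            failed[rec["client"]] += 1
    suspects = sorted(c for c, n in failed.items() if n >= max_failed)
    return {"transfers": transfers, "suspects": suspects, "unparsed": unparsed}
```

Calling audit() on the text of /var/log/vsftpd.log returns the transfers as tuples of user, client, status, direction, path, and size, along with the flagged client addresses and the number of lines that didn't match the format.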

4. Conclusion

In this article, we’ve learned how to log FTP transfers on a server. Additionally, we explored a few factors that lead to optimal FTP logging operations.

One of the most important factors is making full use of the logrotate tool. This tool doesn’t only help control the size of log files in our system; it also helps manage storage efficiently.