Time is strange in vsftpd log


Page 1 of 2 12 LastLast
Results 1 to 15 of 26

Thread: Time is strange in vsftpd log

  1. #1
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763

    Time is strange in vsftpd log

    Hi, I wasnt quite sure where to post this but here it is..

    I have a vsftpd server running, and I have noticed that when I check my logs(/var/ftp/xferlog to be exact) the times dont make any sense. For Example:

    Fri Jun 10 23:31:23 2005 6 X.X.X.X 466944 etc....

    According to this, this person has started uploading the file at 11:31PM...which is strange since right now the actual time is 10PM. At first I thought that maybe my date/time isnt set up correctly on my server so I ran the "date" command and got the follwing result:

    Fri Jun 22:02:58 EDT 2005

    Which is the correct time. So my question is this. How come my logs show the wrong time and is there a way to fix this??

    Thanks in advance.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  2. #2
    Join Date
    Jun 2005
    Posts
    8
    Hi Calipso,

    I think I was having the same problem you were. Apparently vsftpd defaults to GMT time. In its conf, you have to tell it:

    use_localtime=YES

    to get it to work. It at least solved my problem. Hope this helps!

  3. #3
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    cool. Thanks for the reply. Ill give that a shot and hopefully it solves my problem. I expected it to have something to do with GMT settings but wasnt sure what to do about it.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  4. #4
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    Well, turns out that for some strange reason the line, use_localtime=YES does not work!
    Yesterday my power went out so I lost my precious uptime(50 days give or take ) so I had the chance to take a look in my bios thinking that maybe the system clock isnt set correctly. Turns out everything is set up to the right time zone and yet vsftpd insists on displaying the wrong time in its logs. I just dont get it. I wouldve thought that editing the .conf file would solve the problem but for some reason it hasnt.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  5. #5
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    Well... What does the date command show? Is that time correct?

  6. #6
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    I actually mentioned the "date" command in my original post and yes its correct.
    This is what makes it so confusing and strange for me. I actually just double checked. The "date" command says its 21:29 and I just moved a file over from my ftp so it would log the transfer, checked the log, and it said it took place at 01:29. The time that gets logged is 4 hours ahead the local time. I actually find this a little strange too since Toronto, Ontario, Canada is GMT -5 so if anything I would imagine the time in the logs would be 5 hours ahead and not 4. Maybe that little difference has something to do with daylight savings or something.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  7. #7
    Join Date
    Aug 2002
    Location
    Delaware
    Posts
    4,285
    I would be more concerned about the 12 day difference...
    irc.freenode.net #justlinux The Not So Official JL IRC Channel.
    ¤ Debian ¤ Apt-Get ¤

  8. #8
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    ok..thats odd
    I dont know why in my original post I have a difference of 12 days...im gonna assume its some sort of typo.

    I just checked and its only a 4 hour difference....the date is the same...well "date" shows july 18th and the log shows july 19th but thats because 01:29 is already tomorrow morning.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  9. #9
    Join Date
    Jun 2005
    Posts
    8
    What distro and version of vsftpd are you using?

  10. #10
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    Quote Originally Posted by Calipso
    I actually mentioned the "date" command in my original post and yes its correct.
    Must have forgotten that then. OK, never mind...

    I actually find this a little strange too since Toronto, Ontario, Canada is GMT -5 so if anything I would imagine the time in the logs would be 5 hours ahead and not 4. Maybe that little difference has something to do with daylight savings or something.
    It is because of DST.

    Eastern Standard Time is GMT-5, but Eastern Daylight Time (which is what I'm in now, and I assume you're in it also in Toronto) is GMT-4 because of the daylight-saving that it's doing.

    It really looks like your vsftpd is still logging the times in GMT...

    Are you sure it's using the config file that you edited? If you're chrooting it, then it's possible that it isn't...

    Otherwise, is the /etc/localtime file that vsftpd sees (once it's in the chroot, if applicable) copied from /usr/share/zoneinfo/EST5EDT or /usr/share/zoneinfo/Canada/Eastern? glibc uses the data in /etc/localtime to decide which timezone to convert the kernel's UTC data to.
    Last edited by bwkaz; 07-19-2005 at 07:11 PM.

  11. #11
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    What distro and version of vsftpd are you using?
    CentOS 4, vsftpd-2.0.1

    It is because of DST.

    Eastern Standard Time is GMT-5, but Eastern Daylight Time (which is what I'm in now, and I assume you're in it also in Toronto) is GMT-4 because of the daylight-saving that it's doing.
    I had a feeling that it had something to do with daylight savings, just wasnt sure. I know that some places changed their time at different times and some places I think dont even change their time at all. Thanks for clearing it up.

    Are you sure it's using the config file that you edited?
    umm... as far as I know it is. This is the only config file I have ever worked with so I cant imagine why it would be using some other config file. How would I check that just to be sure??

    Now as far as chrooting it, here is how I have vsftpd set up. Im not quite sure if its considered being chrooted or not but here it goes.

    The vsftpd.conf file had a comment recommending that I create a non privileged user and run it as that user by using the line, "nopriv_user=<user without privileges>.
    I have created such a user. I edited a file, now I cant freaking believe that I forgot the file name, but its the file where it specifies which shell the user will use when loging in as local user and whether or not they are even allowed to log in as a local user. I know that knowing the actual name of the file would help but I just cant remember it. Im gonna search for it and hopefuly post it. Anyhoo, the point is that I said that the shell for the user without privileges is, null(or something like that...I really gotta find this file), and I think I put something along the lines of deny for local logins. So basically, vsftpd is running as a user without any privileges...at least thats my understanding of the situation. Could this possibly be causing a problem?? maybe since the user has no privileges, it cant access the required file/files that have the local time in them??

    I also have a chroot-list set up with all the users that connect via ftp to the server. This prevents them from browsing my entire file system and keeps them locked in their home directory.

    Otherwise, is the /etc/localtime file that vsftpd sees (once it's in the chroot, if applicable) copied from /usr/share/zoneinfo/EST5EDT or /usr/share/zoneinfo/Canada/Eastern? glibc uses the data in /etc/localtime to decide which timezone to convert the kernel's UTC data to.
    wow, Im gonna sound really stupid here because I have no idea and have no idea how to even check.

    I really appreciate all of your questions/effort trying to help me out. If there is any other info you need, let me know and I will post it. This is my first ever attempt at setting up an ftp server and besides this time thing everything seems to be running smoothly. However, if anyone has a tip of any kind, whether its security,setup, or performance related, I will really appreciate it if you post them here. Thank you in advance.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  12. #12
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    HA!, I found it.

    The file was /etc/passwd

    and the line I edited was,
    Code:
    noprivuser:x:505:501:noprivuser:/var/ftp/:/sbin/nologin
    I changed, /bin/bash to /sbin/nologin
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  13. #13
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    Quote Originally Posted by Calipso
    How would I check that just to be sure??
    Well...

    When you have vsftpd up and running, do a pidof vsftpd to see what PID it has. Then do an ls -l /proc/<that PID>/root to find out what it thinks the root directory is. If the root symlink points at /, then it's not chrooted. (If pidof shows more than one PID, look at all of them.)

    I edited a file, now I cant freaking believe that I forgot the file name, but its the file where it specifies which shell the user will use when loging in as local user and whether or not they are even allowed to log in as a local user.
    /etc/passwd?

    the point is that I said that the shell for the user without privileges is, null
    /dev/null or /bin/false perhaps?

    So basically, vsftpd is running as a user without any privileges...at least thats my understanding of the situation. Could this possibly be causing a problem?? maybe since the user has no privileges, it cant access the required file/files that have the local time in them??
    Well, the only things that check that shell field are login, sshd, telnet, that kind of thing. Only processes that need to start up a shell for that user.

    The user's permissions are what define whether that user can read the file in question. Check the permissions on /etc/localtime, but it should be world-readable.

    I also have a chroot-list set up with all the users that connect via ftp to the server. This prevents them from browsing my entire file system and keeps them locked in their home directory.
    OK, then if someone's logged in, you'll probably show multiple numbers in the pidof command (one for each login). Each one will have its root symlink pointing to the directory you lock them into. The one you want to double check, though, is the "main" PID, not the one associated with any login.

    wow, Im gonna sound really stupid here because I have no idea and have no idea how to even check.
    Well... I'm not entirely sure either. First you'd need to find out what the vsftpd process thinks its root directory is. Then compare <that dir>/etc/localtime against the files I listed (use diff -a; I think they're binary files, and -a treats them as text), and one (or maybe more) of them should hopefully show up with no differences.

  14. #14
    Join Date
    Jan 2004
    Location
    Toronto, Canada
    Posts
    763
    First, thank you for the quick reply.

    Now I did what you said and here are my results:

    [root@localhost ~]# pidof vsftpd
    2878
    [root@localhost ~]# ls -l /proc/2878/root
    lrwxrwxrwx 1 root root 0 Jul 20 18:51 /proc/2878/root -> /

    Then I wasn't entirely sure what you wanted me to compare. I assumed you wanted me to compare /etc/local time with /usr/share/zoneinfo/EST5EDT and /usr/share/zoneinfo/Canada/Eastern...Did I understand this correctly??

    Either way, this is what I tried:

    [root@localhost ~]# diff -a /etc/localtime /usr/share/zoneinfo/EST5EDT

    The result was what looks to a human as random characters all over the screen. My understanding is that those are the differences between the two files. I then tried:

    [root@localhost ~]# diff -a /etc/localtime /usr/share/zoneinfo/Canada/Eastern

    The result was just a blank prompt. No text what-so-ever. Im once again assuming this means that they had no differences.

    I also ran, ls -l /etc/localtime to make sure that everyone has read access and they do.
    [root@localhost ~]# ls -l /etc/localtime
    -rw-r--r-- 1 root root 1252 May 2 18:03 /etc/localtime

    If the root symlink points at /, then it's not chrooted.
    This seems like something Im gonna have to take care of later on for security reasons. But one step at a time

    Thanks for the reply and Im looking forward to finding out where to go from here.
    Check out the Unix/Linux Administration Program at Seneca College.
    Thanx to everyone that helped/helps me on this forum!

    t0mmyw on #linuxn00b

  15. #15
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    Quote Originally Posted by Calipso
    [root@localhost ~]# diff -a /etc/localtime /usr/share/zoneinfo/EST5EDT

    The result was what looks to a human as random characters all over the screen. My understanding is that those are the differences between the two files.
    Yep, that's right.

    I then tried:

    [root@localhost ~]# diff -a /etc/localtime /usr/share/zoneinfo/Canada/Eastern

    The result was just a blank prompt. No text what-so-ever. Im once again assuming this means that they had no differences.
    Correct.

    And everyone does have read access...

    OK, I'm out of ideas then.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •