
VSFTPD Log Parser

I've had ftp.disloops.com running for about ten years. It's an FTP host that's configured to allow anonymous connections and uploads. This creates some security risks that I wrote about when I deployed it. A previous article explored some of those risks in depth.

I recently wanted to extract all the username/password combinations I'd seen since deploying the server. Only two usernames are accepted by anonymous VSFTPD servers: Anonymous and FTP. Clients using these usernames receive a prompt for an arbitrary password. Sessions initiated with any other username are immediately ended.

To extract the authentication data, I created a script that accepts a VSFTPD log file as input. It pulls all username/password combinations from the file and exports them as text or CSV.

The script can be downloaded here: https://github.com/disloops/vsftpd_parse
You can see sample output from my own server here: results.txt

Note that the script is currently designed for a server that only allows anonymous connections. This VSFTPD configuration results in a specific log format since passwords are not accepted for non-anonymous usernames. The script could easily be modified to handle non-anonymous logins instead.
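The extraction described above can be sketched as follows. This is an added example, not the code from the vsftpd_parse repository. It assumes the log was written with `log_ftp_protocol=YES`, so that `USER` commands appear per client and the supplied password appears in the `anon password` field of the `OK LOGIN` line. The sample log lines are constructed. Because the passwords are client-supplied, the CSV export also neutralizes cells that a spreadsheet would interpret as formulas.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample; line format assumed (vsftpd log with log_ftp_protocol=YES).
SAMPLE_LOG = '''\
Tue Mar  3 10:15:01 2020 [pid 4120] CONNECT: Client "203.0.113.7"
Tue Mar  3 10:15:01 2020 [pid 4120] FTP command: Client "203.0.113.7", "USER anonymous"
Tue Mar  3 10:15:02 2020 [pid 4120] FTP command: Client "203.0.113.7", "PASS <password>"
Tue Mar  3 10:15:02 2020 [pid 4119] [ftp] OK LOGIN: Client "203.0.113.7", anon password "IEUser@"
Tue Mar  3 10:16:40 2020 [pid 4131] FTP command: Client "198.51.100.9", "USER ftp"
Tue Mar  3 10:16:41 2020 [pid 4130] [ftp] OK LOGIN: Client "198.51.100.9", anon password "=1+1"
Tue Mar  3 10:17:05 2020 [pid 4140] FTP command: Client "192.0.2.44", "USER admin"
'''

USER_RE = re.compile(r'FTP command: Client "([^"]+)", "USER (.*)"$')
LOGIN_RE = re.compile(r'OK LOGIN: Client "([^"]+)", anon password "(.*)"$')

def extract_credentials(lines):
    """Count (username, password) pairs, pairing each login with the last USER from that IP."""
    pending = {}        # client IP -> most recent username sent
    counts = Counter()
    for line in lines:
        m = USER_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = LOGIN_RE.search(line)
        if m:
            user = pending.pop(m.group(1), "?")  # "?" if the USER line was not logged
            counts[(user, m.group(2))] += 1
    return counts

def csv_safe(value):
    # Prefix cells starting with a formula character so spreadsheets treat them as text.
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def to_csv(counts):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["username", "password", "count"])
    for (user, password), n in sorted(counts.items()):
        writer.writerow([csv_safe(user), csv_safe(password), n])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(extract_credentials(SAMPLE_LOG.splitlines())), end="")
```

The `admin` session produces no row because no login line follows it, which matches the anonymous-only behavior described above.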
