Follow the steps outlined below to configure the logging of failed login attempts using PAM.
1. Add the pam_tally2 lines after the system-auth or password-auth line in the /etc/pam.d/vsftpd file, as below:
auth include password-auth
auth required pam_tally2.so deny=5 onerr=fail lock_time=600 serialize
account required pam_tally2.so
For example:
# vi /etc/pam.d/vsftpd

#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
auth required pam_tally2.so deny=5 onerr=fail lock_time=600 serialize
account include password-auth
account required pam_tally2.so
session required pam_loginuid.so
session include password-auth
2. Test logins to vsftpd to confirm that attempts are being correctly logged.
Note: There should be no need to restart the vsftpd service or reboot the system for these changes to be applied, as a new connection should pick them up. However, if for some reason this hasn't occurred, restart the vsftpd daemon.
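One way to confirm that the file edited in step 1 carries the pam_tally2 lines in the required position before testing logins. This is an added example, not part of the original procedure; the function name check_vsftpd_pam and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_vsftpd_pam is a hypothetical helper name, not a PAM or vsftpd tool.
# Exit status 0 = file matches step 1; 1 = at least one problem was printed.
check_vsftpd_pam() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }   # skip comments, blank and incomplete lines
        $1 == "auth" && $2 == "include" && ($3 == "password-auth" || $3 == "system-auth") {
            include_line = NR           # where the shared auth stack is pulled in
        }
        $1 == "auth"    && $3 == "pam_tally2.so" { auth_line = NR }
        $1 == "account" && $3 == "pam_tally2.so" { account_line = NR }
        END {
            bad = 0
            if (!include_line) { print "missing: auth include of password-auth or system-auth"; bad = 1 }
            if (!auth_line)    { print "missing: auth line for pam_tally2.so"; bad = 1 }
            if (auth_line && include_line && auth_line < include_line) {
                print "order: auth pam_tally2.so (line " auth_line ") precedes the include (line " include_line ")"
                bad = 1
            }
            if (!account_line) { print "missing: account line for pam_tally2.so"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the relevant lines from the example file in step 1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required     pam_shells.so
auth       include      password-auth
auth       required     pam_tally2.so deny=5 onerr=fail lock_time=600 serialize
account    include      password-auth
account    required     pam_tally2.so
EOF
check_vsftpd_pam "$sample" && echo "OK: pam_tally2 lines present and ordered as in step 1"
rm -f "$sample"
```

On the server, run it as `check_vsftpd_pam /etc/pam.d/vsftpd`. After a failed FTP login, `pam_tally2 --user <name>` shows the failure count recorded for that account.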