RHEL / CentOS 7 sftp logging in chroot
To see what is going on with internal-sftp when you have chrooted users, here is how to enable logging for internal-sftp on RedHat 7 or CentOS 7.
Step 1 – enable internal-sftp with chroot and turn on its logging. In this example the user's home directory is /data/user1/web. The switches -f (facility) and -l (level) define how much information you want. The config file is /etc/ssh/sshd_config
Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
# Example of overriding settings on a per-user basis
#Match user %u
Match group sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE
Step 2 – create a dev directory in the sftp user's home directory (example home – /data/user1/web), so that logging is possible from inside the chrooted environment.
mkdir /data/user1/web/dev
chmod 755 /data/user1/web/dev
chown root:root /data/user1/web/dev
Step 3 – configure the rsyslog daemon to know what's up 😉. In the configuration file /etc/rsyslog.conf add the following line (or more lines, if needed) at the beginning of the RULES section
$AddUnixListenSocket /data/user1/web/dev/log
so that the rsyslog daemon knows where to listen.
Step 4 – configure the rsyslog daemon to log sftp commands into a separate file instead of cluttering the main ssh log file /var/log/secure. On busy sites this is better; if you have little traffic you can skip this step.
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop
Just remember to put this at the top of the rules, so that it is processed first and then stops.
Step 5 – restart services
systemctl restart sshd
systemctl restart rsyslog
Now you can log in via SFTP and check /var/log/sftp.log
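When reading /var/log/sftp.log, note that the file-operation lines from internal-sftp carry only a process ID, not the user. The following Python script is an added example, not part of the original post: it ties each change back to the user and client IP from the matching "session opened" line. The sample log lines are constructed, and the function name modifications is an assumption of this example.

```python
import re

# Constructed sample in rsyslog's traditional file format; the message texts
# follow what OpenSSH's sftp-server logs for these operations.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 internal-sftp[2211]: session opened for local user user1 from [192.0.2.10]
Mar  3 10:15:02 web1 internal-sftp[2211]: opendir "/"
Mar  3 10:15:04 web1 internal-sftp[2211]: open "/index.php" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:15:04 web1 internal-sftp[2240]: session opened for local user user2 from [198.51.100.7]
Mar  3 10:15:05 web1 internal-sftp[2211]: close "/index.php" bytes read 0 written 5120
Mar  3 10:15:06 web1 internal-sftp[2240]: remove name "/old.zip"
Mar  3 10:15:07 web1 internal-sftp[2211]: rename old "/a.txt" new "/b.txt"
Mar  3 10:15:09 web1 internal-sftp[2211]: session closed for local user user1 from [192.0.2.10]
"""

LINE = re.compile(r'^\w{3}\s+\d+ [\d:]{8} \S+ internal-sftp\[(\d+)\]: (.*)$')
OPENED = re.compile(r'session opened for local user (\S+) from \[([^\]]+)\]')
CLOSED = re.compile(r'session closed for local user ')
WRITTEN = re.compile(r'close "(.*)" bytes read \d+ written (\d+)')
NAMED = re.compile(r'(remove|mkdir|rmdir) name "(.*?)"')
RENAME = re.compile(r'rename old "(.*?)" new "(.*?)"')

def modifications(log_text):
    """Return (user, ip, action, path) for each change made inside a chroot."""
    sessions = {}  # pid -> (user, ip); operation lines carry only the PID
    found = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (o := OPENED.match(msg)):
            sessions[pid] = o.groups()
        elif CLOSED.match(msg):
            sessions.pop(pid, None)  # forget the PID, the kernel may reuse it
        else:
            user, ip = sessions.get(pid, ("unknown", "unknown"))
            if (w := WRITTEN.match(msg)) and int(w.group(2)) > 0:
                found.append((user, ip, "write", w.group(1)))
            elif (n := NAMED.match(msg)):
                found.append((user, ip, n.group(1), n.group(2)))
            elif (r := RENAME.match(msg)):
                found.append((user, ip, "rename", f"{r.group(1)} -> {r.group(2)}"))
    return found

if __name__ == "__main__":
    for row in modifications(SAMPLE_LOG):
        print(*row)
```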