
RHEL / CentOS 7 sftp logging in chroot

January 21st, 2015

To get an idea of what is going on with internal-sftp when you have chrooted users, this is how to enable logging for internal-sftp on Red Hat 7 or CentOS 7.

Step 1 – enable internal-sftp with chroot and turn on logging for it. In this example the user's home directory is /data/user1/web. The switches -f (syslog facility) and -l (log level) define where the messages are sent and how much information you get. The config file is /etc/ssh/sshd_config

Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE

# Example of overriding settings on a per-user basis
#Match user %u

Match group sftp
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE

Step 2 – create a dev directory in the sftp user's home directory (example home: /data/user1/web)

mkdir /data/user1/web/dev
chmod 755 /data/user1/web/dev
chown root:root /data/user1/web/dev

so that logging is possible from inside the chrooted environment.

Step 3 – configure the rsyslog daemon so it knows what's up 😉. In the configuration file /etc/rsyslog.conf add this line (or more lines) at the beginning of the RULES section

$AddUnixListenSocket /data/user1/web/dev/log

so that the rsyslog daemon knows where to look.

Step 4 – configure the rsyslog daemon to log sftp commands into a separate file so they do not make a mess in the main ssh log file /var/log/secure. On busy sites this is better; if you have little traffic you can skip this step.

:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop

Just remember to put this at the top of the rules, so it is processed first and processing then stops.

Step 5 – restart services

systemctl restart sshd
systemctl restart rsyslog

Now you can log in via SFTP and check /var/log/sftp.log
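
Steps 2 and 3 repeated for several chrooted homes, as an added example that is not part of the original post: it checks each dev directory against the ownership and mode set in Step 2 and prints one $AddUnixListenSocket line per home that passes. The function names, the EXPECT_UID variable and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and EXPECT_UID
# are assumptions made for this illustration.

# dev_dir_status HOME [UID]: print ok, missing, wrong-owner or writable for
# HOME/dev. UID is the expected numeric owner (default 0, root, as in Step 2).
dev_dir_status() {
    dev="$1/dev"
    want_uid="${2:-0}"
    [ -d "$dev" ] || { echo missing; return 0; }
    # ls -ldn prints: mode links uid gid size ...
    set -- $(ls -ldn "$dev")
    [ "$3" = "$want_uid" ] || { echo wrong-owner; return 0; }
    case "$1" in
        # 6th character is group write, 9th is other write; either one
        # would let a non-root user remove or replace the log socket.
        ?????w*|????????w*) echo writable ;;
        *) echo ok ;;
    esac
}

# socket_lines HOME...: print one rsyslog directive per chroot whose dev
# directory passes the check; report the others on stderr, return 1 if any.
socket_lines() {
    rc=0
    for home in "$@"; do
        st=$(dev_dir_status "$home" "${EXPECT_UID:-0}")
        if [ "$st" = ok ]; then
            printf '$AddUnixListenSocket %s/dev/log\n' "$home"
        else
            echo "skip $home: dev directory is $st" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (constructed paths): socket_lines /data/user1/web /data/user2/web
```

The printed lines go at the beginning of the RULES section in /etc/rsyslog.conf, as in Step 3.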

 

 
