@troyfontaine
Last active February 17, 2024 02:21
Logging SFTP interactions on a Chrooted User in Ubuntu 14.04

How to set up SFTP logging on Ubuntu 14.04 for a chrooted user

Prerequisites: internal-sftp as the sftp subsystem; rsyslog for logging

Step 1. Set up your chrooted directories

sudo mkdir /sftp/myshare
sudo mkdir /sftp/myothershare

Step 2. Create your groups for your chrooted users

sudo groupadd mysharetransfergroup && sudo groupadd myothersharetransfergroup

Step 3. Set up your sshd_config normally

Subsystem sftp internal-sftp
Match group mysharetransfergroup
    ChrootDirectory /sftp/myshare/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL7 -l INFO

Match group myothersharetransfergroup
    ChrootDirectory /sftp/myothershare/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL7 -l INFO

Step 4. Modify the Subsystem sftp line as follows: Subsystem sftp internal-sftp -f LOCAL7 -l INFO
Step 5. In the Match group section for each chroot, append -f LOCAL7 -l INFO to the ForceCommand line of every applicable group
Step 6. In the chrooted directory of your sftp users, create a dev folder, make sure its ownership matches the chroot directory, AND run chmod 755 on it (this is important)
Step 7. Configure rsyslog to create the log for you by creating /etc/rsyslog.d/60-sftp.conf with the following contents, adjusted to match your environment:

# Create socket within chrooted directories to allow for logging
$AddUnixListenSocket /sftp/myshare/dev/log
$AddUnixListenSocket /sftp/myothershare/dev/log

# Parse the data logged at level INFO and facility LOCAL7 into /var/log/sftp.log
LOCAL7.info /var/log/sftp.log

# Report logins and logoffs
:syslogtag,startswith,"sftp-server" /var/log/sftp.log

Step 8. Restart sshd and rsyslog

sudo service ssh restart && sudo service rsyslog restart

Step 9. Create your chrooted users

How to view logs

sudo less /var/log/sftp.log
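Once the socket and rsyslog rule are in place, /var/log/sftp.log is what an operator actually reviews. As an added example that is not part of the gist, the script below parses lines in the shape internal-sftp emits at -l INFO and summarizes each session: user, source address, bytes written and read per file, deletions, and sessions that never logged a close. The sample lines are constructed, and the syslog tag is assumed to be either sftp-server (as the rsyslog rule above expects) or internal-sftp.

```python
import re

# Constructed sample of /var/log/sftp.log as rsyslog writes it from the "-l INFO"
# messages of internal-sftp (host name, PIDs, users, addresses and paths are invented).
SAMPLE_LOG = """\
Jun  6 10:00:00 sftphost internal-sftp[2101]: session opened for local user alice from [203.0.113.5]
Jun  6 10:00:02 sftphost internal-sftp[2101]: open "/incoming/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jun  6 10:00:03 sftphost internal-sftp[2101]: close "/incoming/report.csv" bytes read 0 written 4096
Jun  6 10:00:04 sftphost internal-sftp[2101]: open "/incoming/report.csv" flags READ mode 0666
Jun  6 10:00:05 sftphost internal-sftp[2101]: close "/incoming/report.csv" bytes read 4096 written 0
Jun  6 10:00:06 sftphost internal-sftp[2101]: session closed for local user alice from [203.0.113.5]
Jun  6 10:05:00 sftphost internal-sftp[2140]: session opened for local user bob from [198.51.100.7]
Jun  6 10:05:01 sftphost internal-sftp[2140]: remove name "/incoming/old.bin"
"""

# Syslog envelope "timestamp host tag[pid]: message"; both tag spellings are accepted.
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?:sftp-server|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_OPEN_RE = re.compile(r"^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$")
FILE_CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
REMOVE_RE = re.compile(r'^remove name "(?P<path>[^"]+)"$')

def summarize(log_text):
    """Group sftp log lines by session; one internal-sftp PID serves exactly one session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sftp line, or one this parser does not handle
        s = sessions.setdefault(m.group("pid"), {"user": None, "ip": None, "closed": False,
                                                  "written": {}, "read": {}, "removed": []})
        msg = m.group("msg")
        if (e := SESSION_OPEN_RE.match(msg)):
            s["user"], s["ip"] = e.group("user"), e.group("ip")
        elif msg.startswith("session closed for local user "):
            s["closed"] = True
        elif (e := FILE_CLOSE_RE.match(msg)):
            # Byte counts are only reported at close, so transfers are attributed here.
            path, rd, wr = e.group("path"), int(e.group("read")), int(e.group("written"))
            if wr:
                s["written"][path] = s["written"].get(path, 0) + wr
            if rd:
                s["read"][path] = s["read"].get(path, 0) + rd
        elif (e := REMOVE_RE.match(msg)):
            s["removed"].append(e.group("path"))
    return sessions

def unclosed_sessions(sessions):
    """PIDs that logged 'session opened' but no 'session closed' (still active, or killed)."""
    return sorted(pid for pid, s in sessions.items() if s["user"] and not s["closed"])
```

Run it against a real log with summarize(open("/var/log/sftp.log").read()); a session that writes files and never closes, or one that removes files it did not upload, is the kind of entry worth a second look.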

@danyal14

danyal14 commented Jun 6, 2018

socket within chrooted directories to allow for logging
/var/log/sftp.log is not being created; I followed the instructions.
Any advice?

@starflighter

Same here...

@rnhurt

rnhurt commented Jul 9, 2018

I was having the same problem with the logs not showing up. It turns out that I had put the '.../dev/log' socket in the wrong directory. I had used the user directory "/home/myusername/dev/log" instead of the Chroot directory "/home/sftpusers/home/myusername/dev/log". Once I corrected this issue everything worked fine. :)

@aleon1220

It didn't work for me on Ubuntu 18. Possibly due to this clashing with systemd and journalctl; please see Ubuntu Bug 1761630

@lgauthier1

lgauthier1 commented Aug 23, 2021

Works for me! Thanks
LOCAL.7 seems to be important! I tried with LOCAL.0 but it doesn't work

Just don't forget to update your /etc/logrotate.d/rsyslog (the volume of logs could become huge!)

/var/log/sftp.log
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                invoke-rc.d rsyslog rotate > /dev/null
        endscript
}

@rellampec

Chrooted users can actually use one single shared socket, as per this serverfault answer
