@troyfontaine
Last active February 17, 2024 02:21
Logging SFTP interactions on a Chrooted User in Ubuntu 14.04

How to setup SFTP Logging on Ubuntu 14.04 for a Chrooted User

Prerequisites: internal-sftp as the SFTP subsystem; rsyslog for logging

Step 1. Set up your chrooted directories

sudo mkdir /sftp/myshare
sudo mkdir /sftp/myothershare

Step 2. Create your groups for your chrooted users

sudo groupadd mysharetransfergroup && sudo groupadd myothersharetransfergroup

Step 3. Set up your sshd_config as usual (the example below already includes the logging options that steps 4 and 5 add)

Subsystem sftp internal-sftp
Match group mysharetransfergroup
    ChrootDirectory /sftp/myshare/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL7 -l INFO

Match group myothersharetransfergroup
    ChrootDirectory /sftp/myothershare/
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL7 -l INFO

Step 4. Modify the Subsystem sftp line so it reads: Subsystem sftp internal-sftp -f LOCAL7 -l INFO
Step 5. In the Match group section for each chroot, append -f LOCAL7 -l INFO to the ForceCommand line
Step 6. In each chrooted directory for your SFTP users, create a dev folder; its ownership must match the chroot directory itself and it must be chmod 755 (this is important, because rsyslog creates the log socket inside it)
Step 7. Configure rsyslog to create the log for you: create /etc/rsyslog.d/60-sftp.conf with the following contents, adjusted to your environment:

# Create a log socket inside each chrooted directory, so that internal-sftp
# (which cannot reach /dev/log from inside the chroot) can still talk to rsyslog.
# Requires the imuxsock input module; Ubuntu's default /etc/rsyslog.conf loads it
# ($ModLoad imuxsock) before including the files in /etc/rsyslog.d.
$AddUnixListenSocket /sftp/myshare/dev/log
$AddUnixListenSocket /sftp/myothershare/dev/log

# Write everything logged at facility LOCAL7 with severity INFO or higher into /var/log/sftp.log
LOCAL7.info /var/log/sftp.log

# Report logins and logoffs by program tag. Note: messages from internal-sftp carry
# the tag "internal-sftp", so the LOCAL7.info rule above already captures them;
# this filter matches the tag used by the stand-alone sftp-server binary.
:syslogtag,startswith,"sftp-server" /var/log/sftp.log

Step 8. Restart sshd and rsyslog:

sudo service ssh restart && sudo service rsyslog restart

Step 9. Create your chrooted users
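The steps above, gathered into one helper script. This is an added example, not part of the original gist: it renders the per-share sshd_config Match block and the rsyslog socket line for a list of shares, creates a chroot with its dev/ folder at mode 755, and checks the ownership and mode rules sshd enforces on a ChrootDirectory (root-owned, not group- or world-writable; otherwise sshd refuses the login with "bad ownership or modes for chroot directory"). The share names, group names and paths are taken from the gist's examples; the function names and the `render` argument are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not the gist author's code. Renders the sshd_config and
# rsyslog fragments for chrooted SFTP shares and checks chroot permissions.
# Share list, group names and the "render" argument are assumptions.

# Print the sshd_config Match block for one chrooted group.
# $1 = group name, $2 = chroot directory (no trailing slash)
render_match_block() {
    printf 'Match group %s\n' "$1"
    printf '    ChrootDirectory %s/\n' "$2"
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
    printf '    ForceCommand internal-sftp -f LOCAL7 -l INFO\n'
}

# Print the rsyslog line that places a log socket inside one chroot.
render_rsyslog_socket() {
    printf '$AddUnixListenSocket %s/dev/log\n' "$1"
}

# Create the chroot and its dev/ subdirectory with mode 755. Ownership is
# set to root only when running as root; otherwise the caller must chown.
setup_share() {
    mkdir -p "$1/dev"
    chmod 755 "$1" "$1/dev"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$1" "$1/dev"
    fi
}

# Verify what sshd requires of a ChrootDirectory: owned by the expected uid
# (root, uid 0, by default) and not writable by group or others.
# Returns 1 with a message on stderr if any rule is violated.
check_chroot_dir() {
    dir="$1"
    want_uid="${2:-0}"
    [ -d "$dir" ] || { echo "check: $dir is not a directory" >&2; return 1; }
    uid=$(stat -c %u "$dir")        # GNU stat, as shipped on Ubuntu
    perms=$(stat -c %A "$dir")      # symbolic mode, e.g. drwxr-xr-x
    if [ "$uid" != "$want_uid" ]; then
        echo "check: $dir owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    # characters 6 and 9 of the symbolic mode are the group and other write bits
    if [ "$(printf %s "$perms" | cut -c6)" != "-" ] || \
       [ "$(printf %s "$perms" | cut -c9)" != "-" ]; then
        echo "check: $dir is group- or world-writable ($perms)" >&2
        return 1
    fi
    return 0
}

# Usage: sh sftp-chroot-logging.sh render
# prints the sshd_config and rsyslog fragments for the two example shares.
if [ "${1:-}" = "render" ]; then
    echo "# --- sshd_config ---"
    echo "Subsystem sftp internal-sftp -f LOCAL7 -l INFO"
    for share in myshare myothershare; do
        echo
        render_match_block "${share}transfergroup" "/sftp/$share"
    done
    echo
    echo "# --- /etc/rsyslog.d/60-sftp.conf ---"
    for share in myshare myothershare; do
        render_rsyslog_socket "/sftp/$share"
    done
    echo 'LOCAL7.info /var/log/sftp.log'
fi
```

Run `check_chroot_dir /sftp/myshare` as root after step 6 and again after creating users: a chroot that a user can write to (for example after a careless `chown user /sftp/myshare`) fails the check, which is exactly the condition under which sshd rejects the session.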

How to view logs

sudo less /var/log/sftp.log

@rellampec

Chrooted users can actually use one single shared socket, as per this serverfault answer
