红烧鱼

linux & windows management

OpenSSH_logging_with_ChrootDirectory  

2013-03-12 16:01:56 | Category: Linux

How to log events and user actions when chroot jail has been configured for incoming sftp users?
--http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&dlc=en&tmp_geoLoc=true&docname=c03154341

Three actions need to occur to enable logging for the chroot jail.
--First, entries need to be created for the sftp jail in /etc/ssh/sshd_config.

Example:
    Subsystem sftp internal-sftp
    Match Group sftponly
        ChrootDirectory /chroots/%u
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV

The above entry allows any user that is a member of the sftponly group to log in as an sftp user, and that user will be held in the chroot jail. The root directory for these users will be /chroots/username, and these directories must exist prior to login.

If the sftponly group does not exist in the authentication database it should be created, and it should be dedicated to this purpose in order to retain the most control. The group name used can be any string; sftponly is used here only as an example.

The amount of logging can be controlled by the -l switch. The man page for sshd_config will provide more details.

It should be noted that a single user can be defined or the match user structure can be used. More detail on this can be found in the man page for sshd_config.

--Next, a /dev directory must be created inside each user's chroot directory. This directory is used by the system to write log entries for each user through a socket device: when the rsyslog facility is restarted it will create a socket called log in each user's /dev directory under the chroot (for example /chroots/username/dev/log).

The root, user and dev directories for each user must be owned by root, as the internal-sftp facility or sshd must have root access to write these logs.

--Finally the following entries should be made in the /etc/rsyslog.conf file:
$AddUnixListenSocket /chroots/test1/dev/log
$AddUnixListenSocket /chroots/test2/dev/log


The rsyslog facility will need to create a socket to write the logs for each user. That is defined using the AddUnixListenSocket entry.
Once each of the configuration files has been edited, both the sshd and rsyslog facilities should be restarted. Events will be logged to the /var/log/secure log.
If the user wishes to have a separate log file, the following lines can be added to the rsyslog.conf file. In this case the file sftp.log will be used to write the events, in addition to the secure log file:
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
:programname, isequal, "sshd" -/var/log/sftp.log
:programname, isequal, "sshd" ~


Only one of these two pairs of lines should be needed. Each pair redirects the logging output, selected by program name (in this case either sshd or internal-sftp), to the sftp.log file, which must already exist; the second line of each pair ("~") discards the message so it is not processed further.


--Log rotation for the new log file: drop the following file in /etc/logrotate.d:
/var/log/sftp.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}
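The four steps above (sshd Match block, per-user chroot with a dev directory, rsyslog listen sockets, restart) are easy to get subtly wrong, because sshd refuses a ChrootDirectory unless every path component is owned by root and is not group- or world-writable, and the log socket will never appear if the dev directory is missing. The following script, an added example that is not part of the HP document or of this post, creates the per-user layout, renders the matching sshd_config and rsyslog.conf fragments, and checks the ownership and permission requirements before you restart anything. It assumes the chroot base /chroots and group name sftponly from the page; the function names and the OWNER_UID parameter (defaulting to 0, i.e. root) are this example's own.

```shell
#!/bin/sh
# Added example (not from the HP document or the blog post): build and verify
# the per-user chroot layout for internal-sftp logging via rsyslog.
# Assumptions: chroot base /chroots and group sftponly as on the page; legacy
# rsyslog "$AddUnixListenSocket" directive syntax as on the page.

# Print the sshd_config Match block for GROUP with chroots under BASE.
render_sshd_match() {
    group=$1; base=$2
    printf 'Subsystem sftp internal-sftp\n'
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory %s/%%u\n' "$base"
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    ForceCommand internal-sftp -l VERBOSE -f AUTHPRIV\n'
}

# Print one $AddUnixListenSocket line per user, for /etc/rsyslog.conf.
render_rsyslog_sockets() {
    base=$1; shift
    for u in "$@"; do
        printf '$AddUnixListenSocket %s/%s/dev/log\n' "$base" "$u"
    done
}

# Create BASE/USER/dev with mode 0755 on every component. sshd requires each
# component of a ChrootDirectory to be root-owned, so chown when running as
# root (otherwise the layout is left owned by the invoking user for testing).
make_chroot() {
    base=$1; user=$2
    mkdir -p "$base/$user/dev"
    chmod 755 "$base" "$base/$user" "$base/$user/dev"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$base" "$base/$user" "$base/$user/dev"
    fi
}

# Print "uid octal-mode" for a path: GNU stat first, BSD stat as fallback.
uid_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1"
}

# Verify BASE, BASE/USER and BASE/USER/dev exist, are owned by OWNER_UID
# (default 0 = root) and are not group- or world-writable, which is what sshd
# checks before honouring ChrootDirectory. Returns 1 on the first problem.
check_chroot() {
    base=$1; user=$2; owner=${3:-0}
    for d in "$base" "$base/$user" "$base/$user/dev"; do
        [ -d "$d" ] || { echo "missing: $d"; return 1; }
        set -- $(uid_mode "$d")
        [ "$1" = "$owner" ] || { echo "not owned by uid $owner: $d"; return 1; }
        # The last two octal digits are the group and other bits; 2, 3, 6, 7
        # all include the write bit.
        case $2 in
            *[2367]?|*[2367]) echo "group/world writable ($2): $d"; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone usage: render config for two users and check their chroots.
# Run as root against the real base directory once the users exist.
if [ "${1:-}" = "--demo" ]; then
    base=${2:-/chroots}; shift 2
    render_sshd_match sftponly "$base"
    render_rsyslog_sockets "$base" "$@"
    for u in "$@"; do make_chroot "$base" "$u"; check_chroot "$base" "$u"; done
fi
```

Run it as `sh setup_sftp_chroot.sh --demo /chroots test1 test2` as root to create the layout and print the two configuration fragments; if check_chroot reports a group- or world-writable component, sshd will log "bad ownership or modes for chroot directory" and refuse the login until that is corrected.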

BTW, if the message below appears in your log file, SELinux is preventing rsyslogd from creating the socket inside the chroot; you can disable the SELinux service on your OS:
     rsyslogd: cannot create '/chroots/test1/dev/log': Permission denied


http://www.debian-administration.org/article/637/OpenSSH_logging_with_ChrootDirectory
http://www.rsyslog.com/doc/imuxsock.html
http://www.minstrel.org.uk/papers/sftp/builtin/
---HOWTO: chroot SFTP (only) - OpenSSH 4.9+ Built-in Version