OpenSSH internal-sftp chroot logging on Ubuntu

I’m putting this here mainly to store it for myself, so these are going to be rough notes until I have time or inclination to review and edit this post.

Note: this solution was formulated on a server running Ubuntu Server 14.04 LTS

To setup sftp chroot directories for sftp-only users, and yet still log all actions & transfers like a “xferlog”, you need to somehow get the chrooted user to be allowed to write log data into the main syslog daemon.

First of all, you need the following in your sshd_config, and make certain to pay attention to the “ForceCommand” line, as I was missing that at first, and therefore, you are not changing the logging for the chroot users, just the non-chroot users:

Subsystem sftp internal-sftp -l VERBOSE -f LOCAL6

# Next section restricts users in sftpusers group to chrootDirectory

Match Group sftpusers
  ChrootDirectory %h
  ForceCommand internal-sftp -u 002 -l VERBOSE -f LOCAL6
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no

Now, you want to have a line like this in your /etc/rsyslog.d/50-default.conf or other /etc/rsyslog.d/*.conf file, in order to direct the sftp verbose logs to a specific file:

local6.*			/var/log/sftp.log

Then, you have a couple of options on how to proceed. The first way I got working was to add another listening socket in the rsyslogd config, with this line:

$AddUnixListenSocket /home/username/dev/log

You could also use this method:

mkdir /home/username/dev
touch /home/username/dev/log
chmod 511 /home/username/dev
chattr +i /home/username/dev
mount --bind /dev/log /home/username/dev/log

Either one should work for you – the question is how you want to handle the situation, especially if you have either a large number of users, or a constantly changing user base; you’ll have to orchestrate either adding the special mount point and then having a lot of extra mounts, or adding a lot of extra listening socket files in rsyslogd. I leave it to you to decide which is better for your situation.

I also saw a method that didn’t work for me, but was for HP-UX, and might work for Solaris, too, over here: http://community.hpe.com/t5/Security/ssh-subsystem-internal-sftp-chroot-and-logging/td-p/5272802


Updated Thursday 31 August 2017 by David J. Pryke:

Following up on this, if you want certain information that is only available at the higher-verbosity log levels, such as INFO or VERBOSE, but those levels are too verbose, you can pipe the syslog output to a separate command that can filter certain things out of the stream that are very “chatty”, or filter the data stream down to only the exact info you want.

First, edit the syslog configuration line to pipe the output to a separate command:

local6.*			|exec /usr/local/sbin/sftp-server-log-filter

Then create a script to filter in/out any data you want.

For example, to filter out lines that have the words “opendir” or “closedir” on them (since this can be voluminous in sftp-server’s logs on VERBOSE):

while read foo
do
    echo $foo|/usr/bin/egrep -v "opendir|closedir" >> /var/log/sftp.log
done

Or to filter the output down to ONLY a few lines that are interesting with you, such as those that begin with “open “, “close “, and “session “, try:

while read foo
do
    echo $foo|/usr/bin/egrep ".*\]: open |.*\]: close |.*\]: session " >> /var/log/sftp.log
done

Note that the regex patterns with “.*\]: ” are because these lines typically look like:

Aug 31 11:02:09 hostname sftp-server[53433]: session opened for local user username from [192.168.1.2]
Aug 31 11:02:24 hostname sftp-server[53433]: open "/usr/home/username/filename" flags READ mode 0666
Aug 31 11:02:24 hostname sftp-server[53433]: close "/usr/home/username/filename" bytes read 1147 written 0
Aug 31 11:02:27 hostname sftp-server[53433]: open "/usr/home/username/filename" flags WRITE,CREATE,TRUNCATE mode 0644
Aug 31 11:02:27 hostname sftp-server[53433]: close "/usr/home/username/filename" bytes read 0 written 1147
Aug 31 11:02:28 hostname sftp-server[53433]: session closed for local user username from [192.168.1.2]

One thought on “OpenSSH internal-sftp chroot logging on Ubuntu

Leave a Reply

Your email address will not be published. Required fields are marked *