Setting up a multi-user SFTP service on CentOS 7 with operation logging


I. Environment

OS version: CentOS Linux release 7.8.2003
Background: one CentOS server is to act as an SFTP server. It needs dedicated SFTP-only users, and every operation those users perform must be logged.

II. Setting up SFTP on CentOS 7

① Edit the SSH configuration file /etc/ssh/sshd_config

First comment out this line:

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

Then add the following lines at the very end of the file:

Subsystem       sftp    internal-sftp
Match Group sftp
ChrootDirectory /data/sftp/%u
ForceCommand    internal-sftp
AllowTcpForwarding no
X11Forwarding no

After the change, the end of the file looks like this:

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
#Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Subsystem       sftp    internal-sftp -l INFO -f local5
Match Group sftp
ChrootDirectory /data/sftp/%u
ForceCommand    internal-sftp -l INFO -f local5
AllowTcpForwarding no
X11Forwarding no

ChrootDirectory confines the SFTP session to this path; %u expands to the login name, so each user gets its own separate chroot (home) directory.

② Create the SFTP group

[root@server3 ~]# groupadd sftp

③ Restart the sshd service

[root@server3 ~]# systemctl restart sshd

④ Create an SFTP user

Create the user with sftp as its primary group and no login shell:
useradd -g sftp -s /bin/false tempsftp
Set the user's password:
echo "123456" | passwd --stdin tempsftp
Create the home directory /data/sftp/tempsftp.
Note: the user cannot write directly in the home directory, because sshd requires the ChrootDirectory and every parent directory to be owned by root and not writable by group or others; create a subdirectory inside it to hold the files:
mkdir -p /data/sftp/tempsftp/home
Set the user's home directory:
usermod -d /data/sftp/tempsftp tempsftp
Set the owner and group of the subdirectory:
chown tempsftp:sftp /data/sftp/tempsftp/home/

[root@localhost ~]# useradd -g sftp -s /bin/false tempsftp
[root@localhost ~]# echo "123456" |passwd --stdin tempsftp
Changing password for user tempsftp.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# mkdir -p /data/sftp/tempsftp/home
[root@localhost ~]# usermod -d /data/sftp/tempsftp tempsftp
[root@localhost ~]# chown tempsftp:sftp /data/sftp/tempsftp/home/
[root@localhost ~]# ls -l /data/sftp/tempsftp/
total 0
drwxr-xr-x 2 tempsftp sftp 6 May 12 16:23 home
[root@localhost ~]# ls -l /data/sftp/tempsftp/home/

The resulting owner, group and permissions of the home directory are:

[root@localhost ~]# ls -l /data/sftp/
total 0
drwxr-xr-x 3 root root 18 May 12 16:23 tempsftp
[root@localhost ~]# ls -l /data/sftp/tempsftp/
total 0
drwxr-xr-x 2 tempsftp sftp 25 May 12 16:24 home
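The user-creation steps above collected into a reusable script, as an added example that is not the post's own code. It assumes the post's /data/sftp layout, the sftp group and the RHEL-specific passwd --stdin option, and after provisioning it checks the ownership rule sshd enforces on ChrootDirectory (every path component root-owned and not group/world-writable), which is the reason the post creates a separate home/ subdirectory.

```shell
#!/bin/sh
# Added example: provision a chrooted SFTP user as in the post (group sftp,
# no shell, home /data/sftp/<user>, user-writable subdirectory home/), then
# verify the rule sshd enforces on ChrootDirectory: every path component
# must be owned by root and must not be writable by group or others.
SFTP_ROOT=/data/sftp      # matches "ChrootDirectory /data/sftp/%u" in sshd_config
SFTP_GROUP=sftp           # matches "Match Group sftp"

# component_ok UID MODE [OWNER_UID]: is a directory with this owner and octal
# mode acceptable as a chroot path component? (OWNER_UID defaults to root.)
component_ok() {
  local uid="$1" mode="$2" owner="${3:-0}"
  [ "$uid" = "$owner" ] || return 1
  [ $(( 0$mode & 022 )) -eq 0 ]     # no group/other write bits
}

# check_chroot_path DIR [OWNER_UID]: walk from DIR up to / and check each level.
check_chroot_path() {
  local dir="$1" owner="${2:-0}" uid mode
  while :; do
    uid=$(stat -c %u "$dir") || return 1
    mode=$(stat -c %a "$dir")
    if ! component_ok "$uid" "$mode" "$owner"; then
      echo "$dir is uid=$uid mode=$mode: sshd will refuse this ChrootDirectory" >&2
      return 1
    fi
    [ "$dir" = / ] && return 0
    dir=$(dirname "$dir")
  done
}

# add_sftp_user NAME: the password is read from stdin (e.g. from a file)
# instead of being passed as a command-line argument.
add_sftp_user() {
  local user="$1" home="$SFTP_ROOT/$1"
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
  useradd -g "$SFTP_GROUP" -s /bin/false -d "$home" -M "$user"
  passwd --stdin "$user"                 # RHEL/CentOS-specific option
  mkdir -p "$home/home"
  chmod 755 "$home"                      # chroot root stays root:root, not writable
  chown "$user:$SFTP_GROUP" "$home/home" # only the subdirectory is user-writable
  check_chroot_path "$home"
}

# Usage as root:  add_sftp_user tempsftp < /root/tempsftp.pw
```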

⑤ Test SFTP

Client-side transfer log (screenshot omitted):

[16:24:17] [L] SSH 连接打开
[16:24:17] [L] 已建立连接对象: OpenSSH_7.4 (SFTP v3)
[16:24:17] [L] SFTP 连接就绪
[16:24:17] [L] 获取目录列表中……
[16:24:18] [L] 列表完成: 255 字节 耗时 0.03(0.2 KB/s)
[16:24:19] [L] 目录更改进度:/home/
[16:24:19] [L] 获取目录列表中……
[16:24:19] [L] 列表完成: 170 字节 耗时 0.02(0.2 KB/s)
[16:24:22] [L] 正在上载: /home/2021-02.txt
[16:24:22] 上载: 2021-02.txt 521 字节 耗时 0.02(0.5 KB/s)
[16:24:22] [L] 获取目录列表中……
[16:24:22] [L] 列表完成: 271 字节 耗时 0.04(0.3 KB/s)
[16:24:22] 传输队列已完成
[16:24:22] 已传输 1 个文件 (521 字节) 耗时 0.08(0.5 KB/s)

III. Enabling SFTP operation logging

① Edit sshd_config

Append -l INFO -f local5 to both the Subsystem line and the ForceCommand line:

Subsystem       sftp    internal-sftp -l INFO -f local5
Match Group sftp
ChrootDirectory /data/sftp/%u
ForceCommand    internal-sftp -l INFO -f local5
AllowTcpForwarding no
X11Forwarding no

Important: [ -l INFO -f local5 ]

Log level: INFO; syslog facility: local5

Supported facilities: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

② Edit /etc/rsyslog.conf

[root@localhost ~]# vim /etc/rsyslog.conf
Add the following line at the end of the file (the auth and authpriv selectors are why sshd login, PAM and polkitd messages also land in this file; keep only local5.* if it should contain SFTP operations alone):
auth,authpriv.*,local5.*  /var/log/sftp.log

# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
auth,authpriv.*,local5.*  /var/log/sftp.log

③ Restart the sshd and rsyslog services

[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# systemctl restart sshd

④ Verify that SFTP operations are being logged

[root@localhost ~]# tail -f /var/log/sftp.log
May 12 16:31:52 localhost polkitd[645]: Unregistered Authentication Agent for unix-process:1543:60006 (system bus name :1.23, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 12 16:33:39 localhost polkitd[645]: Registered Authentication Agent for unix-process:1559:70773 (system bus name :1.24 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 12 16:33:39 localhost sshd[1540]: Received signal 15; terminating.
May 12 16:33:39 localhost sshd[1566]: Server listening on 0.0.0.0 port 22.
May 12 16:33:39 localhost sshd[1566]: Server listening on :: port 22.
May 12 16:33:39 localhost polkitd[645]: Unregistered Authentication Agent for unix-process:1559:70773 (system bus name :1.24, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 12 16:33:44 localhost polkitd[645]: Registered Authentication Agent for unix-process:1567:71197 (system bus name :1.25 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 12 16:33:44 localhost polkitd[645]: Unregistered Authentication Agent for unix-process:1567:71197 (system bus name :1.25, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 12 16:33:54 localhost sshd[1525]: pam_unix(sshd:session): session closed for user tempsftp
May 12 16:33:54 localhost systemd-logind: Removed session 2.
May 12 16:33:56 localhost sshd[1580]: Accepted password for tempsftp from 192.168.7.119 port 54375 ssh2
May 12 16:33:56 localhost systemd-logind: New session 3 of user tempsftp.
May 12 16:33:56 localhost sshd[1580]: pam_unix(sshd:session): session opened for user tempsftp by (uid=0)
May 12 16:33:56 localhost sshd[1580]: session opened for local user tempsftp from [192.168.7.119] [postauth]
May 12 16:33:56 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: closedir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: closedir "/home/" [postauth]
May 12 16:33:58 localhost sshd[1580]: sent status No such file [postauth]
May 12 16:33:58 localhost sshd[1580]: open "/home/123.jpg" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
May 12 16:33:58 localhost sshd[1580]: close "/home/123.jpg" bytes read 0 written 10566 [postauth]
May 12 16:33:58 localhost sshd[1580]: set "/home/123.jpg" modtime 20210318-06:12:39 [postauth]
May 12 16:33:58 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:58 localhost sshd[1580]: closedir "/home/" [postauth]
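An added example (not part of the original post) that reduces these internal-sftp log lines to one audit record per upload or deletion. It ties each file operation back to the user and client IP of its session through the sshd[PID] field, which is what a detection rule on /var/log/sftp.log needs; the first four sample lines are taken from the post, the rest are constructed for a second session.

```shell
#!/bin/sh
# Added example: turn the internal-sftp log (facility local5, level INFO)
# into "user ip pid op path bytes" audit lines. The sshd[PID] field links
# every open/close/remove back to the "session opened" line of that session.
# Sample lines 1-4 are from the post; lines 5-8 are constructed.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
May 12 16:33:56 localhost sshd[1580]: Accepted password for tempsftp from 192.168.7.119 port 54375 ssh2
May 12 16:33:56 localhost sshd[1580]: session opened for local user tempsftp from [192.168.7.119] [postauth]
May 12 16:33:58 localhost sshd[1580]: open "/home/123.jpg" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
May 12 16:33:58 localhost sshd[1580]: close "/home/123.jpg" bytes read 0 written 10566 [postauth]
May 12 16:40:01 localhost sshd[1602]: session opened for local user vendor from [10.0.0.5] [postauth]
May 12 16:40:03 localhost sshd[1602]: open "/home/report.csv" flags READ mode 0666 [postauth]
May 12 16:40:03 localhost sshd[1602]: close "/home/report.csv" bytes read 4096 written 0 [postauth]
May 12 16:40:09 localhost sshd[1602]: remove name "/home/report.csv" [postauth]
EOF

# sftp_audit LOGFILE: print uploads (close with bytes written > 0) and
# removals, each attributed to the session's user and client IP. Pure reads
# (written 0) are ignored.
sftp_audit() {
  awk '
    function quoted(s) { match(s, /"[^"]*"/); return substr(s, RSTART + 1, RLENGTH - 2) }
    match($0, /sshd\[[0-9]+\]/) { pid = substr($0, RSTART + 5, RLENGTH - 6) }
    /session opened for local user/ {
      n = split($0, f, " "); user[pid] = f[n - 3]
      ip[pid] = substr(f[n - 1], 2, length(f[n - 1]) - 2)   # strip the [ ]
    }
    /: close "/ && match($0, /written [0-9]+/) {
      w = substr($0, RSTART + 8, RLENGTH - 8) + 0
      if (w > 0) print user[pid], ip[pid], pid, "upload", quoted($0), w
    }
    /: remove name "/ { print user[pid], ip[pid], pid, "remove", quoted($0), 0 }
  ' "$1"
}

sftp_audit "$SAMPLE"      # on a real server: sftp_audit /var/log/sftp.log
```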

Reference: https://blog.51cto.com/wangxiaoyong/2394832
