This site is now 100% read-only, and retired.

OpenSSH logging with ChrootDirectory

Posted by niol on Mon 4 May 2009 at 14:01

Finally following up on the previous article on the subject, I found some time to investigate logging what happens in an internal-sftp session using rsyslog.

Making syslog available in the chroot

Inside the chroot, internal-sftp can only reach a /dev/log socket that lives below the chroot root, so rsyslog has to be given an extra listening socket there. Create a dev directory in each chosen user's chroot directory, and keep it owned by root and not writable by the user, like the rest of the chroot top level (sshd refuses a ChrootDirectory that is not root-owned or is group/world-writable):

# mkdir /home/user/dev

Configuring rsyslog to probe the new logging source

Drop the following into /etc/rsyslog.d/sshd.conf, with one $AddUnixListenSocket line per chrooted user, then restart rsyslog (invoke-rc.d rsyslog restart) so that the socket gets created. The last line (~) discards the matched messages once they have been written, so they are not duplicated into /var/log/auth.log and the other files:

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /home/user/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~

Configuring openssh for logging

Starting from the configuration in the previous article, /etc/ssh/sshd_config needs two changes. The Subsystem sftp line should read:

Subsystem sftp internal-sftp -l VERBOSE

The Match block should look like the following. The -l VERBOSE has to be repeated on the ForceCommand line, because for matched users it is the forced command, not the Subsystem line, that sshd executes. Check the result with sshd -t before restarting sshd.

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp -l VERBOSE

Because of a limitation in OpenSSH versions earlier than 5.2, ForceCommand internal-sftp does not accept arguments, so the logging options cannot be set there. Dropping the ForceCommand directive is not a safe workaround: without it the user is no longer restricted to sftp and can request a shell or run commands inside the chroot, which becomes a real exposure as soon as the user has upload privileges. In my view this is a security risk, and that is why I would say that enabling logging in this configuration requires OpenSSH 5.2 or later.

Log rotation for the new log file

Drop the following into a file in /etc/logrotate.d (the file name does not matter; /etc/logrotate.d/sftp will do):

/var/log/sftp.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}
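The steps above are done by hand for every new user, which is the maintenance cost one of the comments below complains about. The following shell script is an added example, not part of the original article: it lays out the chroot for one sftponly user, checks the ownership and mode rules sshd enforces on ChrootDirectory, and regenerates the rsyslog snippet for every member of the group. It assumes Linux, rsyslog's legacy directive syntax as used in the article, a group named sftponly and /home/<user> as the ChrootDirectory; the home base, snippet path and expected owner are parameters only so the functions can be exercised unprivileged on a scratch tree.

```shell
#!/bin/sh
# Added example, not part of the original article: provision the chroot
# layout for one sftponly user and regenerate the per-user rsyslog socket
# snippet for the whole group, so adding a user is one command rather than
# hand-editing rsyslog configuration each time. Assumes Linux, rsyslog's
# legacy directive syntax (as in the article), a group named sftponly, and
# /home/<user> as the ChrootDirectory. Paths and the expected owner are
# parameters so the functions can be run unprivileged on a scratch tree.

# Print the contents of /etc/rsyslog.d/sshd.conf for HOME_BASE and USERS.
# One listener per chroot; internal-sftp messages are written to their own
# file and then discarded (~) so they do not also land in auth.log.
rsyslog_snippet() {
    home_base=$1; shift
    printf '%s\n' '# Sockets for sshd chrooted users (generated)'
    for u in "$@"; do
        printf '$AddUnixListenSocket %s/%s/dev/log\n' "$home_base" "$u"
    done
    printf '\n%s\n' '# Log internal-sftp in a separate file'
    printf '%s\n' ':programname, isequal, "internal-sftp" -/var/log/sftp.log'
    printf '%s\n' ':programname, isequal, "internal-sftp" ~'
}

# sshd refuses a ChrootDirectory (and every path component above it) that is
# not owned by root or is writable by group or others, logging "bad ownership
# or modes for chroot directory". Returns 1 if missing, 2 on wrong owner,
# 3 if group- or world-writable. OWNER_UID is 0 in production; it is a
# parameter only so the check can run on a scratch tree owned by the caller.
chroot_dir_ok() {
    dir=$1; owner_uid=${2:-0}
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")          # $1 = mode string, $3 = numeric uid
    [ "$3" = "$owner_uid" ] || return 2
    case $1 in
        ?????w*|????????w*) return 3 ;;  # group-write or other-write bit set
    esac
    return 0
}

# Lay out one chroot: non-writable top level, dev/ for the rsyslog socket,
# upload/ as the only place the user may write. Ownership is only changed
# when running as root; modes are always set.
make_chroot() {
    root=$1; user=$2
    mkdir -p "$root/dev" "$root/upload" || return 1
    chmod 755 "$root" "$root/dev" && chmod 700 "$root/upload" || return 1
    if [ "$(id -u)" = 0 ]; then
        chown root:root "$root" "$root/dev" && chown "$user" "$root/upload"
    fi
}

# Provision USER under HOME_BASE and rewrite SNIPPET for every member of
# sftponly plus USER. Afterwards restart rsyslog and confirm the socket
# exists (test -S HOME_BASE/USER/dev/log) before reloading sshd.
provision_user() {
    home_base=$1; user=$2; snippet=$3
    make_chroot "$home_base/$user" "$user" || return 1
    chroot_dir_ok "$home_base/$user" "$(id -u)" || return 1
    members=$( { getent group sftponly 2>/dev/null | cut -d: -f4 | tr ',' '\n'
                 printf '%s\n' "$user"; } | grep -v '^$' | sort -u )
    rsyslog_snippet "$home_base" $members > "$snippet"
}

# Usage (as root): provision_user /home alice /etc/rsyslog.d/sshd.conf
```

The ownership check is the one that bites in practice: a chroot root that the user can write to is rejected by sshd at login, and a dev directory the user can write to would let them replace the log socket, so both are verified before the rsyslog snippet is regenerated.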

Any comments on this solution are very welcome.


Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (187.152.xx.xx) on Mon 4 May 2009 at 23:22
Hi,

I tried to do it but I can see the logs from non-chroot users. On the last step I named the file in logrotate.d "ssh". Is that correct?

I'm using Debian 5 and OpenSSH 5.2.

Thanks

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:03
Tried this with OpenSSH's portable 5.2 compiled on Red Hat EL5 update 3. It doesn't error out, but the extended logging features don't seem to do anything. For example, if chrooting is not enabled you can use the arguments -f AUTHPRIV -l DEBUG3 to log every single sftp command to /var/log/secure. Doing the same thing with this solution doesn't include the additional logging.

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:45
I was missing a chrooted /dev/log. I created a dev/ dir in one of the chrooted user's home dirs, and appended '-u /home/someuser/dev/log' to the SYSLOGD start options and restarted syslog. It logs properly now, but because this requires modifying the syslog config & restarting syslog for every new user I will probably abandon this approach.

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:46
that should be -a, not -u for the syslogd options.

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (193.186.xx.xx) on Wed 21 Apr 2010 at 13:34
Could you explain exactly what you have done? Where did you put the line '-a /home/someuser/dev/log'?

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (204.13.xx.xx) on Thu 12 Jul 2012 at 19:05
After you create the directory:

# mkdir /home/user/dev

you will probably want to issue:

# touch /home/user/dev/log

to create a file with no content which the socket will bind to; not sure if this is strictly necessary. Then when you insert the

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /home/user/dev/log

into /etc/rsyslog.d/sshd.conf, just make sure the socket and the directory/file you created agree. Follow the rest of the steps and it should work just fine.

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (89.253.xx.xx) on Wed 7 Nov 2012 at 22:54
Since this thread showed up when I was googling the same problem, I just wanted to share the solution that I eventually came to. I posted it over at the Ubuntu forums "ubuntuforums.org/showthread.php?t=2081637" Thank you for pointing me in the right direction.

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by Anonymous (173.228.xx.xx) on Thu 31 Jul 2014 at 00:57
Works perfectly, thank you! :)

[ Parent ]

Re: OpenSSH logging with ChrootDirectory
Posted by pmackinney (50.197.xx.xx) on Fri 23 Jan 2015 at 19:26

I've found similar solutions, this one is coherent and works perfectly on Ubuntu 14.04LTS. Thanks!

One of my purposes in setting up logging was to capture every uploaded file. So imagine my surprise when I discovered that I was getting incomplete logs. The cause turned out to be rsyslog's rate limiting feature.

If a complete log is more important to you than performance, disable rate limiting by adding the following lines to the Modules section of /etc/rsyslog.conf:

# 5 lines added to disable rate-limiting
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
# The Interval directive must precede the $AddUnixListenSocket lines it applies to
# (the original post listed $IMUXSockRateLimitBurst twice instead)
$IMUXSockRateLimitInterval 0
$IMUXSockRateLimitBurst 0
$IMUXSockRateLimitSeverity 7

Then sudo restart rsyslog and you're good to go.

Disclaimer: I got this from somewhere else on the web but I've lost the attribution, sorry.

[ Parent ]
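With -l VERBOSE in place, and rate limiting off so nothing is dropped, the log above can answer the question this commenter had: which files were actually uploaded. The following is an added example, not code from the article or from any commenter. The sample log lines are constructed here in the shape OpenSSH's sftp-server emits at VERBOSE (session opened / open ... flags ... / close ... bytes read N written M), with paths as seen inside the chroot; the host name, pids and addresses are made up. A session whose "session opened" line was lost (for instance to rate limiting) is still reported, with the user shown as "?", so the gap is visible rather than silent.

```shell
#!/bin/sh
# Added example, not from the original article or its comments: list the
# files actually written in each session from /var/log/sftp.log. Sample
# lines below are constructed in the shape sftp-server logs at -l VERBOSE;
# host, pids and addresses are made up.

# Print "user<TAB>path<TAB>bytes" for every file that was opened for writing
# and closed with a non-zero written count. Reads FILE(s) or stdin.
list_uploads() {
    awk '
    $5 !~ /^internal-sftp\[/ { next }           # only sftp-server lines
    {   pid = $5; sub(/^internal-sftp\[/, "", pid); sub(/\]:$/, "", pid) }
    $6 == "session" && $7 == "opened" { user[pid] = $11; next }
    $6 == "session" && $7 == "closed" { delete user[pid]; next }
    $6 == "open" {
        match($0, /"[^"]*"/);      path  = substr($0, RSTART + 1, RLENGTH - 2)
        match($0, / flags [^ ]+/); flags = substr($0, RSTART + 7, RLENGTH - 7)
        if (flags ~ /WRITE/) writing[pid, path] = 1   # remember write handles
        next
    }
    $6 == "close" {
        match($0, /"[^"]*"/); path = substr($0, RSTART + 1, RLENGTH - 2)
        if ((pid, path) in writing) {
            match($0, / written [0-9]+$/); n = substr($0, RSTART + 9) + 0
            if (n > 0)
                printf "%s\t%s\t%d\n", (pid in user) ? user[pid] : "?", path, n
            delete writing[pid, path]
        }
    }' "$@"
}

# Constructed sample: alice uploads one file and reads another; pid 4300 has
# no "session opened" line (lost), and a non-sftp sshd line is mixed in.
sample_sftp_log() {
    cat <<'EOF'
May  4 14:01:02 srv internal-sftp[4242]: session opened for local user alice from [192.0.2.10]
May  4 14:01:05 srv internal-sftp[4242]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
May  4 14:01:07 srv internal-sftp[4242]: close "/upload/report.pdf" bytes read 0 written 20480
May  4 14:01:09 srv internal-sftp[4242]: open "/upload/notes.txt" flags READ mode 0666
May  4 14:01:09 srv internal-sftp[4242]: close "/upload/notes.txt" bytes read 512 written 0
May  4 14:02:00 srv internal-sftp[4242]: session closed for local user alice from [192.0.2.10]
May  4 14:03:12 srv internal-sftp[4300]: open "/upload/tool" flags WRITE,CREATE,TRUNCATE mode 0755
May  4 14:03:13 srv internal-sftp[4300]: close "/upload/tool" bytes read 0 written 98304
May  4 14:03:14 srv internal-sftp[4300]: remove name "/upload/old.log"
May  4 14:03:20 srv sshd[4299]: pam_unix(sshd:session): session closed for user bob
EOF
}

# Run the parser over the constructed sample; for a real system use
# list_uploads /var/log/sftp.log instead.
sftp_uploads_demo() {
    sample_sftp_log | list_uploads
}
```

Matching on the open flags rather than on the close line alone is deliberate: a file opened read-only also produces a close line, and only the open tells you whether the handle could write. Correlating by pid keeps concurrent sessions apart.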