Logging SFTP operations
Hi, I have a question about logging and verbosity. I have already looked at #24, related PR #25 was marked as invalid and never merged in and I cannot find any rationale behind it.
So, what I'm trying to achieve is to have SFTP operations (chrooted scenario) logged to some file, optionally exposed via docker logs (redirect to STDOUT), at least for the Debian version. As it stands, some logs about auth are being exposed to STDOUT.
I know there is a way to configure sftp-subsystem to be more verbose and I understand logging in chrooted env is more complicated.
I see there is a config option to increase logs verbosity but I don't know how to set it on container start.
Am I missing something obvious?
The problem is that internal-sftp is spawned as a child process and does not respect the -e argument given to sshd to send logs to stderr (internal-sftp also supports -e, but that will only make sense if we run that process in the foreground).
So it looks like the only way to get logging from internal-sftp is via a syslog daemon. I will have a look at some alternatives that are optimal for running in a container.
@atmoz Thanks for the insight.
What's wrong with the approach from #25 - running a kind of logging daemon beside it and capturing logs to a file? Then it looks like it's possible to hook custom log files to the docker logs command.
Just that it's more complexity and processes running. Haven't had the time to look more into this, yet.
BTW, what is the use case for this?
@atmoz My use case is I sometimes need to test sFTP clients / apps with sFTP clients which I can't enable client operations logging at.
The obvious scenario would be to host chrooted sFTP myself, enable operations logging, point clients to that sFTP and observe the log.
@atmoz, Nice work! Do you have plans on adding the logging of SFTP operations?
@mirfilip, Did you find any workaround to achieve your goals?
Upvoted, @atmoz @mirfilip @akarasev. I would need this feature also, trying to figure out a simple solution :thinking:
Okay so... I figured out how to do this with a single chroot directory:
I installed rsyslogd and changed the last section of the entrypoint:
if $startSshd; then
    log "Starting rsyslogd"
    # rsyslogd runs in the background (-n keeps it in the foreground of its own
    # process so the container does not lose track of it); no exec here, because
    # exec would only replace the backgrounded subshell
    /usr/sbin/rsyslogd -n &
    log "Starting sshd"
    # sshd replaces the entrypoint shell and becomes PID 1's main process
    exec /usr/sbin/sshd -D -e
else
    log "Starting $*"
    exec "$@"
fi
And then add a custom file: /etc/rsyslog.d/sftplog.conf and change the
# create additional sockets for the sftp chrooted users
module(load="imuxsock")
input(type="imuxsock" Socket="/<chroot>/dev/log" CreatePath="on")
# log internal-sftp activity to /dev/stdout
if $programname == 'internal-sftp' then /dev/stdout
& stop
# log internal-sftp activity to /dev/stderr
if $programname == 'internal-sftp' then /dev/stderr
& stop
Copy the above file to the docker image:
COPY files/sftplog.conf /etc/rsyslog.d/sftplog.conf
In the sshd_config use the below in place of the existing line:
Subsystem sftp internal-sftp -f AUTH -l INFO
ForceCommand internal-sftp -f AUTH -l INFO
Don't forget to update the docker-compose.yaml (if you are using one) to use a static chroot:
volumes:
- ./data/share:/sftp:rw
And last but not least and most important, create a directory under <host_chroot> called dev with the following command on the host system:
mkdir -m2755 <host_chroot>/dev
Info sources are random serverfault posts and a blog post on The Art of Web.
@Vizy-CC Using a chroot with sshd (sftp), root needs to be the owner of the actual chroot directory. You can then create another directory under the chroot base path with separate permissions, owned by users:100; every single user who is created is in group 100, thus allowing uploads to that specific directory and not to the chroot base.
Example:
- ./data/share          drwxr-xr-x root:root   (base - not writable by users)
- ./data/share/upload   drwxrwx--- root:users  (writable directory for users)
This setup is what exists based on what I did here as well using a single chroot instead of a user home chroot.
My use case is mainly: I want to filter failed logins via fail2ban, so I need to see when an entered password was not correct.
I "solved" it for me by adding my own startup script to launch sshd, which only redirects the output:
/usr/sbin/sshd -D -e >> /var/log/sftp.log 2>&1
I mount the output folder /var/log/ to my host, where fail2ban can filter the file.
Perhaps implementing an option to redirect the output instead of printing to STDOUT would be nice.
Okay... my workaround has a major drawback (for my use case): the redirected log of sshd contains no timestamps, and because of this it's not parsable by fail2ban.
Would be too easy.
I´ll have a look at the solution here https://github.com/tomstockton/sftp issue https://github.com/atmoz/sftp/issues/24 pull req https://github.com/atmoz/sftp/pull/25
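The rsyslog setup described earlier in the thread (internal-sftp logging at AUTH/INFO through the chroot's /dev/log) and the fail2ban use case above both end up with syslog-formatted lines to sift through. The following is an added example, not code from this thread or from atmoz/sftp: a small parser that pulls per-user file writes from internal-sftp messages and counts failed-password attempts per source address from sshd messages. The sample lines are constructed here in rsyslog's default (RFC 3164) layout, and the message wording is assumed to match OpenSSH's sshd and internal-sftp; verify against your own output before relying on the patterns.

```python
import re
from collections import defaultdict

# Constructed sample input (not captured from a real container); the message
# text is assumed to follow OpenSSH's sshd / internal-sftp wording.
SAMPLE_LOG = """\
Mar  3 10:14:02 sftp sshd[211]: Failed password for invalid user bob from 203.0.113.9 port 51022 ssh2
Mar  3 10:14:05 sftp internal-sftp[214]: session opened for local user alice from [198.51.100.7]
Mar  3 10:14:06 sftp internal-sftp[214]: opendir "/upload"
Mar  3 10:14:09 sftp internal-sftp[214]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:14:10 sftp internal-sftp[214]: close "/upload/report.csv" bytes read 0 written 4096
Mar  3 10:14:12 sftp internal-sftp[214]: session closed for local user alice from [198.51.100.7]
Mar  3 10:14:20 sftp sshd[230]: Failed password for invalid user bob from 203.0.113.9 port 51040 ssh2
"""

# RFC 3164 header as rsyslog writes it: "Mon DD HH:MM:SS host prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"session (opened|closed) for local user (\S+) from \[([^\]]+)\]")
CLOSE_RE = re.compile(r'close "([^"]+)" bytes read (\d+) written (\d+)')
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse(text):
    """Return (transfers, failures): files written per user with byte counts,
    and failed-password counts per source address (the fail2ban use case)."""
    user_by_pid = {}               # internal-sftp pid -> user, from "session opened"
    transfers = defaultdict(list)  # user -> [(path, bytes_written)]
    failures = defaultdict(int)    # source address -> failed password attempts
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue               # no syslog header (e.g. raw sshd -e output): skip
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "sshd":
            f = FAILED_RE.match(msg)
            if f:
                failures[f.group(2)] += 1
        elif prog == "internal-sftp":
            s = SESSION_RE.match(msg)
            if s:                  # track which user owns this sftp process
                if s.group(1) == "opened":
                    user_by_pid[pid] = s.group(2)
                else:
                    user_by_pid.pop(pid, None)
                continue
            c = CLOSE_RE.match(msg)
            if c and int(c.group(3)) > 0:   # only closes that actually wrote data
                transfers[user_by_pid.get(pid, "?")].append((c.group(1), int(c.group(3))))
    return dict(transfers), dict(failures)
```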
Maybe you could give a try to sftpgo
https://github.com/drakkan/sftpgo
you can log SFTP operations to journald and/or to a separate log file
DISCLAIMER: I'm the author
Wow... I had a short look. Very promising project. If I knew it before I probably would have saved a lot of time implementing several workarounds.
Our solution, based on @metalcated 's comments, can be found at https://hub.docker.com/repository/docker/corilus/sftp and https://github.com/Corilus/sftp
We use this to forward SFTP logs to a central rsyslog audit server.
@dwagelaar I tried your fork but it doesn't seem to work:
sftp | [/entrypoint] Starting rsyslogd
sftp | [/entrypoint] Executing sshd
sftp | rsyslogd: $WorkDirectory: /var/lib/rsyslog can not be accessed, probably does not exist - directive ignored [v8.24.0 try http://www.rsyslog.com/e/2181 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: warnings occured in file '/etc/rsyslog.conf' around line 24 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: invalid character '(' - is there an invalid escape sequence somewhere? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: warnings occured in file '/etc/rsyslog.conf' around line 24 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: invalid character '=' - is there an invalid escape sequence somewhere? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: invalid character '"' - is there an invalid escape sequence somewhere? [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: invalid character in selector line - ';template' expected [v8.24.0]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 24: errors occured in file '/etc/rsyslog.conf' around line 24 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
sftp | rsyslogd: could not load module '/usr/lib/x86_64-linux-gnu/rsyslog/omstdout.so', dlopen: /usr/lib/x86_64-linux-gnu/rsyslog/omstdout.so: cannot open shared object file: No such file or directory [v8.24.0 try http://www.rsyslog.com/e/2066 ]
sftp | rsyslogd: module name 'omstdout' is unknown [v8.24.0 try http://www.rsyslog.com/e/2209 ]
sftp | rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 39: errors occured in file '/etc/rsyslog.conf' around line 39 [v8.24.0 try http://www.rsyslog.com/e/2207 ]
Do you have any advice?
https://github.com/Corilus/sftp/issues/2 created
You can try running the alpine tag in the mean time.
FTR: Corilus fork (Debian tag) has been fixed and it works great 👌
Does it mean that the comment at the end of the current configuration file doesn't help when we want to track the file transfers themselves, and not only the connection?
# Secure defaults
# See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Faster connection
# See: https://github.com/atmoz/sftp/issues/11
UseDNS no
# Limited access
PermitRootLogin no
X11Forwarding no
AllowTcpForwarding no
# Force sftp and chroot jail
Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory %h
# Enable this for more logs
#LogLevel VERBOSE