需求:192.168.56.103服务器搭建sftp服务,配置sftp上报日志(类似vsftpd的/var/log/xferlog)
1、创建用户组sftpgroup,添加用户sftpuser(密码为123456,不可登录,上传目录为upload)
useradd -g sftpgroup -s /bin/false sftpuser
echo '123456' | passwd --stdin sftpuser
chown root:root /home/sftpuser/
mkdir -p /home/sftpuser/upload
chmod 755 -R /home/sftpuser/
chown sftpuser: /home/sftpuser/upload
PS:ChrootDirectory设置的目录权限及其所有的上级文件夹权限,属主和属组必须是root,注意配置权限
2、修改ssh相关配置文件
先把/etc/ssh/sshd_config的Subsystem那一行注释掉
Subsystem sftp /usr/libexec/openssh/sftp-server
并执行下面,添加内容
PS:Match Group sftpgroup此行sftpgroup按需修改
cat >> /etc/ssh/sshd_config <<EOF
Subsystem sftp internal-sftp -l INFO -f local5
Match Group sftpgroup
chrootDirectory %h
ForceCommand internal-sftp -l INFO -f local5
X11Forwarding no
AllowTcpForwarding no
EOF
3、修改rsyslog配置文件(日志路径:/var/log/sftp.log)
cp /etc/rsyslog.conf /etc/rsyslog.conf.bak_$(date "+%Y%m%d%H%M%S")
cat >> /etc/rsyslog.conf <<EOF
auth,authpriv.*,local5.* /var/log/sftp.log
EOF
4、重启ssh、rsyslog服务
service sshd restart
service rsyslog restart
5、192.168.56.1测试sftp并上传文件
4、192.168.56.103查看sftp日志
附一键执行脚本
[ -z $(grep -w sftpgroup /etc/group) ];[ $? -eq 0 ]&& groupadd sftpgroup
useradd -g sftpgroup -s /bin/false sftpuser
echo '123456' | passwd --stdin sftpuser
chown root:root /home/sftpuser/
mkdir -p /home/sftpuser/upload
chmod 755 -R /home/sftpuser/
chown sftpuser: /home/sftpuser/upload[[ -n $(grep ^Subsystem /etc/ssh/sshd_config |grep /usr/libexec/openssh/sftp-server) ]];[ $? -eq 0 ]&&cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak_$(date "+%Y%m%d%H%M%S")&&sed -i 's/Subsystem/#Subsystem/' /etc/ssh/sshd_configcat >> /etc/ssh/sshd_config <<EOF
Subsystem sftp internal-sftp -l INFO -f local5
Match Group sftpgroup
chrootDirectory %h
ForceCommand internal-sftp -l INFO -f local5
X11Forwarding no
AllowTcpForwarding no
EOFcp /etc/rsyslog.conf /etc/rsyslog.conf.bak_$(date "+%Y%m%d%H%M%S")
cat >> /etc/rsyslog.conf <<EOF
auth,authpriv.*,local5.* /var/log/sftp.log
EOFservice sshd restart
service rsyslog restart