Setting up a multi-user SFTP service on CentOS 7 with logging enabled --- personally tested, works --- OK!!!
https://blog.csdn.net/xjjj064/article/details/116708500
===========================================================
Ongoing maintenance first: only a new user needs to be created and granted permissions. Taking admin001 as an example:
useradd -g sftpuser -M -s /sbin/nologin admin001
echo "123456" | passwd --stdin admin001
mkdir -p /data/sftp/admin001/home
usermod -d /data/sftp/admin001 admin001
chown root:sftpuser /data/sftp/admin001/
chown admin001:sftpuser /data/sftp/admin001/home/
systemctl restart sshd
===========================================================
CentOS 7: set up a multi-user SFTP service with logging enabled
1. Environment
System version: CentOS Linux release 7.8.2003
Background: one CentOS server acts as the SFTP server; SFTP users are required, and their operations must be logged.
=======================================
2. Setting up sftp on CentOS 7
①. Edit the SSH file /etc/ssh/sshd.conf
First comment out this line
#Subsystem sftp /usr/libexec/openssh/sftp-server
Then add the following lines at the very bottom
Subsystem sftp internal-sftp -l INFO -f local5
Match Group sftpuser
ChrootDirectory /data/sftp/%u
ForceCommand internal-sftp -l INFO -f local5
AllowTcpForwarding no
X11Forwarding no
================================================
ChrootDirectory locks the SFTP directory to this path; %u gives each user a different home directory
================================================
====Group name is sftpuser===directory name is sftp===both can be customised=====================
Create the SFTP root directory
mkdir /data/sftp
====Create the sftp group first===group name is up to you=========================================
②. Create the SFTP user group sftpuser
[root@server3 ~]# groupadd sftpuser
③. Restart the sshd service
[root@server3 ~]# systemctl restart sshd
==========================================================
The steps above do not change again; from here on only new users need to be created and granted permissions
==Create sftp user==============================================
④. Create the sftp user admin
Create user admin; the user's group is sftp
useradd -g sftpuser -s /bin/false admin
or
# -d specifies the home directory; -s forbids login; -M does not create the home directory
-------------------------------
useradd -g sftpuser -M -s /sbin/nologin admin (recommended)
-------------------------------
Or specify the home directory and the group directly and have the directory created automatically
useradd -d /data/sftp/admin -g sftpuser -m -s /sbin/nologin admin
---The command above, while comprehensive, leaves .bashrc and similar files in the new directory, so better use the first one above. Each has its advantages!
===========
Set the user's password
echo "123456" | passwd --stdin admin
===========
Home directory: /data/sftp/admin
Note: the user cannot work directly in the home directory; a folder must be created under it to hold the files
mkdir -p /data/sftp/admin/home
===========
Change the user's home directory
usermod -d /data/sftp/admin admin
===========
Change the folder's owner and group
chown admin:sftpuser /data/sftp/admin/home/
----------------------------
The owner, group and permissions of the home directory must be exactly right; if any of them is wrong, the login fails with an error.
/data root:root 755
/data/sftp root:root 755
/data/sftp/admin root:sftpuser 755
/data/sftp/danny root:sftpuser 755
-------------------------
As follows:
[root@ftp-cd01 sftp]# ll -d /data/
drwxr-xr-x 3 root root 18 Mar 2 15:53 /data/
[root@ftp-cd01 sftp]#
[root@ftp-cd01 sftp]# cd /data/
[root@ftp-cd01 data]# ll
total 0
drwxr-xr-x 4 root root 32 Mar 2 16:12 sftp
[root@ftp-cd01 data]#
[root@ftp-cd01 data]# cd sftp/
[root@ftp-cd01 sftp]# ll
total 0
drwxr-xr-x 4 root sftpuser 90 Mar 2 16:13 admin
drwxr-xr-x 3 root sftpuser 18 Mar 2 16:00 danny
[root@ftp-cd01 sftp]# cd admin/
[root@ftp-cd01 admin]# ll
total 0
drwxr-xr-x 2 admin sftpuser 6 Mar 2 16:39 home
[root@ftp-cd01 admin]# cd home/
[root@ftp-cd01 home]# pwd
/data/sftp/admin/home
================================================
Test:
[root@ftp-cd01 sftp]# sftp admin@10.28.10.6
admin@10.28.10.6's password:
Connected to 10.28.10.6.
sftp>
3. Enable SFTP logging (already done at the very beginning; can be skipped)
①. Configure the sshd.conf file
Edit Subsystem and ForceCommand, appending -l INFO -f local5 to each
Subsystem sftp internal-sftp -l INFO -f local5
Match Group sftpuser
ChrootDirectory /data/sftp/%u
ForceCommand internal-sftp -l INFO -f local5
AllowTcpForwarding no
X11Forwarding no
Important: [ -l INFO -f local5 ]
Log level: INFO # facility code: local5
Message facility codes: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.
②. Edit /etc/rsyslog.conf
[root@localhost ~]# vim /etc/rsyslog.conf
Add the following at the very end
auth,authpriv.*,local5.* /var/log/sftp.log
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
auth,authpriv.*,local5.* /var/log/sftp.log
③. Restart the rsyslog and sshd services
[root@localhost ~]# systemctl restart rsyslog
[root@localhost ~]# systemctl restart sshd
④. Verify that the sshd log is being recorded
May 12 16:33:56 localhost sshd[1580]: Accepted password for admin from 192.168.7.119 port 54375 ssh2
May 12 16:33:56 localhost systemd-logind: New session 3 of user admin.
May 12 16:33:56 localhost sshd[1580]: pam_unix(sshd:session): session opened for user admin by (uid=0)
May 12 16:33:56 localhost sshd[1580]: session opened for local user admin from [192.168.7.119] [postauth]
May 12 16:33:56 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: closedir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:56 localhost sshd[1580]: closedir "/home/" [postauth]
May 12 16:33:58 localhost sshd[1580]: sent status No such file [postauth]
May 12 16:33:58 localhost sshd[1580]: open "/home/123.jpg" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
May 12 16:33:58 localhost sshd[1580]: close "/home/123.jpg" bytes read 0 written 10566 [postauth]
May 12 16:33:58 localhost sshd[1580]: set "/home/123.jpg" modtime 20210318-06:12:39 [postauth]
May 12 16:33:58 localhost sshd[1580]: opendir "/home/" [postauth]
May 12 16:33:58 localhost sshd[1580]: closedir "/home/" [postauth]
or
tail -f /var/log/messages
This default file also contains the log entries
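As an added example that is not part of the original post, the function below turns the internal-sftp log lines shown above into an upload report, which is the check an operator wants from these logs. It assumes the "-l INFO -f local5" log format used in this post and the /data/sftp chroot base; the sample lines are constructed after the post's own excerpt, with a second download-only session added.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report completed uploads from
# the internal-sftp log. Assumes the log format shown above and /data/sftp.

# sftp_upload_report < LOGFILE
# Prints one line per completed upload: user client-ip real-path bytes.
# Paths in the log are relative to the user's chroot, so the file a user sees
# as "/home/123.jpg" really lives at /data/sftp/<user>/home/123.jpg.
sftp_upload_report() {
    awk -v base="${SFTP_BASE:-/data/sftp}" '
    # sshd pid from field 5, e.g. "sshd[1580]:" -> 1580
    function pid(p)   { p = $5; gsub(/[^0-9]/, "", p); return p }
    # the quoted path in open/close lines
    function quoted() { match($0, /"[^"]*"/); return substr($0, RSTART + 1, RLENGTH - 2) }
    # session line: remember which user and client address this pid serves
    / session opened for local user / {
        u = $0; sub(/.* user /, "", u); sub(/ from .*/, "", u)
        a = $0; sub(/.* from \[/, "", a); sub(/].*/, "", a)
        user[pid()] = u; addr[pid()] = a
    }
    # an open with a WRITE flag means the client is uploading this file
    / open "/ && / flags [A-Z,]*WRITE/ { pending[pid(), quoted()] = 1 }
    # the matching close reports how many bytes actually landed on disk
    / close "/ {
        p = pid(); f = quoted()
        if ((p, f) in pending) {
            match($0, /written [0-9]+/)
            n = substr($0, RSTART + 8, RLENGTH - 8)
            printf "%s %s %s/%s%s %s\n", user[p], addr[p], base, user[p], f, n
            delete pending[p, f]
        }
    }'
}

# Constructed sample in the format of the excerpt above: one upload by admin
# and one download by danny (a READ open is not an upload and must be skipped).
sample_log() {
    cat <<'EOF'
May 12 16:33:56 localhost sshd[1580]: session opened for local user admin from [192.168.7.119] [postauth]
May 12 16:33:58 localhost sshd[1580]: open "/home/123.jpg" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
May 12 16:33:58 localhost sshd[1580]: close "/home/123.jpg" bytes read 0 written 10566 [postauth]
May 12 16:40:01 localhost sshd[1702]: session opened for local user danny from [192.168.7.120] [postauth]
May 12 16:40:03 localhost sshd[1702]: open "/home/report.csv" flags READ mode 0666 [postauth]
May 12 16:40:03 localhost sshd[1702]: close "/home/report.csv" bytes read 2048 written 0 [postauth]
EOF
}

# Usage: sample_log | sftp_upload_report   (live: sftp_upload_report < /var/log/sftp.log)
```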