The sftp service is configured in sshd_config; the file is located at /etc/ssh/sshd_config.
In the usual setup the subsystem used is sftp-server. Its manual page, from the BSD System Manager's Manual, reads as follows:
NAME
     sftp-server -- SFTP server subsystem

SYNOPSIS
     sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
                 [-P blacklisted_requests] [-p whitelisted_requests] [-u umask]
     sftp-server -Q protocol_feature

DESCRIPTION
     sftp-server is a program that speaks the server side of SFTP protocol to stdout and expects client requests from stdin. sftp-server is not intended to be called directly, but from sshd(8) using the Subsystem option.

     Command-line flags to sftp-server should be specified in the Subsystem declaration. See sshd_config(5) for more information.

     Valid options are:

     -d start_directory
             Specifies an alternate starting directory for users. The pathname may contain the following tokens that are expanded at runtime: %% is replaced by a literal '%', %d is replaced by the home directory of the user being authenticated, and %u is replaced by the username of that user. The default is to use the user's home directory. This option is useful in conjunction with the sshd_config(5) ChrootDirectory option.

     -e      Causes sftp-server to print logging information to stderr instead of syslog for debugging.

     -f log_facility
             Specifies the facility code that is used when logging messages from sftp-server. The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH.

     -h      Displays sftp-server usage information.

     -l log_level
             Specifies which messages will be logged by sftp-server. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions that sftp-server performs on behalf of the client. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. The default is ERROR.

     -P blacklisted_requests
             Specify a comma-separated list of SFTP protocol requests that are banned by the server. sftp-server will reply to any blacklisted request with a failure. The -Q flag can be used to determine the supported request types. If both a blacklist and a whitelist are specified, then the blacklist is applied before the whitelist.

     -p whitelisted_requests
             Specify a comma-separated list of SFTP protocol requests that are permitted by the server. All request types that are not on the whitelist will be logged and replied to with a failure message. Care must be taken when using this feature to ensure that requests made implicitly by SFTP clients are permitted.

     -Q protocol_feature
             Query protocol features supported by sftp-server. At present the only feature that may be queried is "requests", which may be used for black or whitelisting (flags -P and -p respectively).

     -R      Places this instance of sftp-server into a read-only mode. Attempts to open files for writing, as well as other operations that change the state of the filesystem, will be denied.

     -u umask
             Sets an explicit umask(2) to be applied to newly-created files and directories, instead of the user's default mask.

     On some systems, sftp-server must be able to access /dev/log for logging to work, and use of sftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory.
Modify the ssh configuration
vim /etc/ssh/sshd_config
# search for "Subsystem" and locate the matching line
# Subsystem sftp /usr/libexec/openssh/sftp-server
# append the logging parameters after it: -l sets the log level, -f the syslog facility
Subsystem sftp /usr/libexec/openssh/sftp-server -l DEBUG3 -f local5
Modify the rsyslog configuration
From the sftp-server manual page above, on some systems sftp-server must be able to access /dev/log for logging to work, so using sftp-server in a chroot configuration requires syslogd(8) to establish a logging socket inside the chroot directory.
vim /etc/rsyslog.conf
# append the following rule as the last line
# (selectors are separated by ';', facilities within one selector by ','; local5 is the facility chosen with -f above)
auth,authpriv.*;local5.* /var/log/sftp.log
Restart the services
systemctl restart sshd
systemctl restart rsyslog
View the log
# The log ends up in /var/log/sftp.log. It can be viewed with tailf, less, more, etc. (tail -f is equivalent on systems where tailf is no longer shipped)
tailf /var/log/sftp.log
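With sftp-server logging at INFO or above into /var/log/sftp.log, each session's file operations can be reconstructed per process id and checked, for instance against the read-only policy that -R or a -P blacklist is supposed to enforce. The following Python parser is an added example and is not part of the original post; the log lines are constructed to match sftp-server's INFO-level message format, and the host name, pids, user names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout rsyslog writes when sftp-server
# runs with "-l INFO" or higher; they were not captured from a real host.
SAMPLE_LOG = """\
Mar  3 10:15:02 host sftp-server[2345]: session opened for local user alice from [192.0.2.10]
Mar  3 10:15:03 host sftp-server[2345]: opendir "/home/alice"
Mar  3 10:15:03 host sftp-server[2345]: closedir "/home/alice"
Mar  3 10:15:05 host sftp-server[2345]: open "/home/alice/report.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:15:06 host sftp-server[2345]: close "/home/alice/report.txt" bytes read 0 written 4096
Mar  3 10:15:07 host sftp-server[2345]: remove name "/home/alice/old.txt"
Mar  3 10:15:09 host sftp-server[2345]: session closed for local user alice from [192.0.2.10]
Mar  3 10:20:00 host sftp-server[2399]: session opened for local user bob from [198.51.100.7]
Mar  3 10:20:01 host sftp-server[2399]: open "/home/bob/notes.txt" flags READ mode 0666
Mar  3 10:20:02 host sftp-server[2399]: close "/home/bob/notes.txt" bytes read 512 written 0
Mar  3 10:20:03 host sftp-server[2399]: session closed for local user bob from [198.51.100.7]
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]*)" flags (?P<flags>\S+) mode')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
# requests that change filesystem state (what -R denies)
MUTATE_RE = re.compile(r'^(?P<op>remove|rename|posix-rename|mkdir|rmdir|symlink|setstat|fsetstat)\b')

def parse_line(line):
    """Split one rsyslog line into (pid, message); None if it was not emitted by sftp-server."""
    m = LINE_RE.match(line)
    return (m.group('pid'), m.group('msg')) if m else None

def summarize(log_text):
    """Group messages by sftp-server pid (one pid per session) and record what each session did."""
    sessions = defaultdict(lambda: {'user': None, 'ip': None, 'writes': [], 'mutations': [], 'bytes_written': 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        pid, msg = parsed
        s = sessions[pid]
        if (m := SESSION_RE.match(msg)):
            s['user'], s['ip'] = m.group('user'), m.group('ip')
        elif (m := OPEN_RE.match(msg)) and 'WRITE' in m.group('flags').split(','):
            s['writes'].append(m.group('path'))   # file opened for writing
        elif (m := CLOSE_RE.match(msg)):
            s['bytes_written'] += int(m.group('written'))
        elif MUTATE_RE.match(msg):
            s['mutations'].append(msg)             # remove/rename/mkdir/... as logged
    return dict(sessions)

def read_only_violations(log_text):
    """Pids of sessions that wrote or otherwise changed the filesystem on a share meant to be read-only."""
    return sorted(pid for pid, s in summarize(log_text).items() if s['writes'] or s['mutations'])
```

Point it at the real file with summarize(open('/var/log/sftp.log').read()); sessions are keyed by pid, so the user and source address from the "session opened" line are attached to every operation that follows.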
