Logging of SFTP in a chrooted environment (Centos 7)

This was horrible.


So, it is quite easy to set up a chroot environment for some SFTP users.




Make an sftp-only group
sudo groupadd sftp-only
(I changed it to group id 500)


Add your user, along with an 'authorized_keys' file for public key authentication


cd /opt/chroot
sudo useradd --base-dir /opt/chroot --gid 500 --create-home --shell /sbin/nologin newsftpuser
sudo usermod -U newsftpuser
sudo mkdir newsftpuser/in
sudo chown root:root newsftpuser/
sudo chmod 755 newsftpuser/
sudo chown newsftpuser:sftp-only newsftpuser/in/
sudo mkdir newsftpuser/.ssh
sudo chown newsftpuser:sftp-only .ssh/
sudo touch newsftpuser/.ssh/authorized_keys
sudo chmod 700 newsftpuser/.ssh
sudo chmod 600 newsftpuser/.ssh/authorized_keys
sudo chown newsftpuser:sftp-only .ssh/authorized_keys
sudo restorecon -Rv newsftpuser/.ssh




Alter SSHD config file to enable chroot with authorized keys
/etc/ssh/sshd_config


AuthorizedKeysFile      .ssh/authorized_keys


Subsystem sftp internal-sftp -f AUTH -l INFO
Match Group sftp-only
        ChrootDirectory /opt/chroot/%u
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp -f AUTH -l INFO




Restart sshd
sudo systemctl restart sshd




That was the easy part.




But if you want to log those user's activities???






You have to edit rsyslog to create a socket to enable logging for each chrooted sftp user (because the chroot environment doesn't have permission to write to logs normally)...


/etc/rsyslog.conf
#### RULES ####
$AddUnixListenSocket /opt/chroot/newsftpuser/dev/log
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" stop




Then make a dev within each user's chroot directory
sudo mkdir newsftpuser/dev 
sudo chmod 755 newsftpuser/dev 
sudo chown root.root newsftpuser/dev




Restart rsyslog
sudo systemctl restart rsyslog




And it doesn't work. Of course. Because SElinux. /var/log/audit/audit.log shows it denying write access:
type=AVC msg=audit(1444444444.559:14128): avc:  denied  { write } for  pid=19999 comm="rsyslogd" name="dev" dev="dm-1" ino=1234567 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=dir




Turning off SElinux and restarting rsyslog then gets sftp logged to /var/log/sftp.log
sudo setenforce 0
sestatus
sudo systemctl restart rsyslog


But that isn't a good solution for when doing things 'properly'. So, I realised that I needed to set the context for /opt/chroot/newsftpuser/dev and /opt/chroot/newsftpuser/dev/log but the actual context seems to be a big secret, with people warning you need to configure SElinux to let rsyslog set up a socket in the chroot, but no-one telling how to configure it. Example: https://access.redhat.com/articles/1374633




Anyway, I finally found it thanks to a single article I found from 6 years ago by a Paul Howarth (http://www.redhat.com/archives/fedora-selinux-list/2009-September/msg00088.html)


sudo chcon -t device_t /opt/chroot/newsftpuser/dev
sudo chcon -t devlog_t /opt/chroot/newsftpuser/dev/log
sudo systemctl restart rsyslog


Turn SElinux back on!
sudo setenforce 1


And woohoo, chrooted sftp users now log to /var/log/sftp.log




Now to just set up the SElinux policy to make this change permanent, and of course set up logrotate on /var/log/sftp.log

Useful mysql commands

So, using MySQL on the command line I faced the annoyance that any tables I completed were not subject to autocomplete during that session. It really is so much quicker when table names and columns autocomplete.


It was one of the more challengingly obscure thing to find on google since I wasn't really sure what I was looking for.

Finally discovered it was called 'rehashing'.


Slashdot suggests that you can set up auto-rehash by either opening the client using the command

mysql --auto-rehash -u root -p

or putting it into the my.cnf file:

[mysql]
auto-rehash

source: http://stackoverflow.com/questions/8332338/mysql-console-autocomplete-names


To do it in an active session I finally found the commands
\# 
or
rehash

source: http://kedar.nitty-witty.com/blog/5-useful-mysql-command-options-pager-prompt-rehash-tee-system 






update - another one (23/10/2015). to view one screen of results at a time, you can use less:
pager less;


to revert back to standard output
pager;

Bash shortcuts

works in MySQL too:  

CTRL-a - Moves the cursor the start of the line
CTRL-e - Moves the cursor to the end of the line

Benchmarking Perl functions

 Benchmark is outstanding for comparing performance of perl functions.

#!/usr/bin/perl
use Benchmark qw(:all) ;

cmpthese(10000, {
        'Trial 1' => sub{
                my $i=0;
                for(my $j=1; $j<100; $j++){
                        $i=$j;
                }
        },

        'Trial 2' => sub{
                my $i=99;
        },

});

print "Done\n";



Gives output:

          Rate Trial 1 Trial 2
Trial 1  977/s      --    -86%
Trial 2 6803/s    597%      --
Done


Through this I was able to determine that for high speed use you shouldn't bother testing the existence of a key in a hash table.

I was also able to determine that nested ifs are better than multiple conditions in a single if.

I.e.
if(A && B && C && D){
}
is worse than
if(A){
  if(B){
    if(C){
      if(D){
      }
    }
  }
}



*best not doing this in an Amazon ec2 micro instance as repeated tests may put a limit on CPU usage and skew results*

Man in the middle (MITM) attacks

It's bloody hard to set up sslsniff.

After trying Fiddler, Burp and Charles, I found Charles the most useful and used it for my totally legal experiments.

www.charlesproxy.com

(I bought it too, to thank them for the effort they saved me)