First version at 2018-08-25 09:39:36. Updated at 2019-11-08 14:36:29 for per-user syslog configuration.
To set up an account that will be used only to transfer files (and not to ssh into the system), you should set up an SFTP chroot jail as explained in this article.
If you want to give outside vendors sftp access to your system to transfer files, you should not use standard sftp. Instead, you should set up a chroot SFTP jail as explained below.
chroot
A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. Chroot SFTP means that the user can sftp to the system but sees only the directory that you have designated for sftp.
Test environment: CentOS 6.5.
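# One group for every SFTP-only account, so a single sshd "Match Group" block
# covers all of them.
groupadd sftpusers
# No login shell, and no home directory created under /home: sshd resolves the
# home path inside the chroot, so "/home" here means /sftp/sftpuser/home (the
# writable directory created further down). Without -d the account's home
# (/home/sftpuser) does not exist inside the jail and the session starts at
# the jail root instead.
useradd -g sftpusers -M -d /home -s /sbin/nologin sftpuser
passwd sftpuser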
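# /etc/ssh/sshd_config: SFTP-only chroot for members of group sftpusers.
# Global setting: serve sftp from within sshd, so no binaries or libraries are
# needed inside the jail.
Subsystem sftp internal-sftp

# A Match block applies to everything below it until the next Match, so this
# goes at the end of the file, after all global settings.
Match Group sftpusers
    # %u expands to the login name. /sftp/<user> itself must be owned by root
    # and not group/world writable or sshd rejects the login; only a
    # subdirectory is handed to the user for uploads.
    ChrootDirectory /sftp/%u
    # Keep the account sftp-only regardless of the shell assigned to it.
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTCPForwarding no
    PasswordAuthentication yes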
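# The jail directory itself must be root-owned and not group/world writable,
# otherwise sshd refuses the session ("bad ownership or modes for chroot
# directory"). Make that explicit instead of relying on the current umask.
mkdir -p /sftp/sftpuser/home
chown root:root /sftp/sftpuser
chmod 755 /sftp/sftpuser
# Only the home/ subdirectory belongs to the user, so that is the single
# place they can write.
chown sftpuser:sftpusers /sftp/sftpuser/home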
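# Validate the edited configuration before restarting: with a syntax error sshd
# would not come back up and you would be locked out of the box.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config failed validation, not restarting sshd" >&2
fi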
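#!/bin/bash
#@Junyangz AT 2018-08-25 09:41:50 for configure sftp and add sftp users.
#
# Usage: add-sftp-user.sh username password
#
# Two parts:
#   1. @Configure part - one-time sshd setup for an SFTP-only chroot group.
#      Skipped when /etc/ssh/sshd_config already carries the Match block, so
#      adding a second user does not append a duplicate block and restart sshd.
#   2. @Add user part - create one jailed user whose writable directory is
#      /data1/sftp/<username>/upload (seen as /upload inside the jail).
#
# Must run as root. Arguments are checked before anything is modified.
# The password arrives on the command line and is therefore visible in `ps`
# and shell history while the script runs; if that matters, set it afterwards
# with chpasswd reading from stdin instead.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SFTP_GROUP=sftpusers
# Base of every jail; must match the ChrootDirectory line appended below.
readonly CHROOT_BASE=/data1/sftp

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# @Configure part: comment out the stock Subsystem line, create the group and
# append the chroot Match block. Idempotent.
# Globals:  SSHD_CONFIG, SFTP_GROUP, CHROOT_BASE (read)
# Returns:  0 on success; exits via die on failure
#######################################
configure_sshd() {
  # Already configured on an earlier run: nothing to do.
  if grep -q "^ChrootDirectory ${CHROOT_BASE}/%u" "$SSHD_CONFIG"; then
    return 0
  fi
  # Keep a copy of the untouched file so the edit can be undone.
  sed -i.bak "s/^Subsystem/#Subsystem/g" "$SSHD_CONFIG" || die "cannot edit $SSHD_CONFIG"
  getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP" || die "groupadd $SFTP_GROUP failed"
  #add follow to /etc/ssh/sshd_config
  # KexAlgorithms is global, so it stays above the Match line (a Match block
  # extends to the end of the file). The *-sha1 and group1 entries are legacy
  # algorithms kept only for old clients; drop them unless one really needs them.
  cat >>"$SSHD_CONFIG" <<EOF
Subsystem sftp internal-sftp
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Match Group ${SFTP_GROUP}
ChrootDirectory ${CHROOT_BASE}/%u
ForceCommand internal-sftp -f LOCAL0 -l INFO
X11Forwarding no
AllowTCPForwarding no
PasswordAuthentication yes
EOF
  # Validate before restarting so a broken config cannot lock us out.
  sshd -t || die "$SSHD_CONFIG failed validation; restore ${SSHD_CONFIG}.bak"
  service sshd restart
}

#######################################
# @Add user part: create an sftp user and jail them.
# Arguments: $1 - username, $2 - password
# Globals:   SFTP_GROUP, CHROOT_BASE (read)
# Returns:   0 on success; exits via die on failure
#######################################
add_sftp_user() {
  local username=$1
  local password=$2
  local jail="${CHROOT_BASE}/${username}"

  # The name is untrusted input that ends up in paths and patterns; restrict
  # it to the usual login-name charset so values like "../x" are rejected.
  [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ ]] || die "invalid username: $username"

  # Exact lookup: the old `egrep "^$username" /etc/passwd` also matched any
  # longer name with the same prefix.
  if getent passwd "$username" >/dev/null; then
    die "$username exists!"
  fi

  # -M: no home under /home; the home path is resolved inside the jail.
  useradd -g "$SFTP_GROUP" -M -s /sbin/nologin "$username" || die "Failed to add a user!"
  echo "User has been added to system!"
  printf '%s:%s\n' "$username" "$password" | chpasswd || die "chpasswd failed for $username"
  # Inside the chroot /upload is $jail/upload, so the session starts there.
  usermod -d /upload "$username" || die "usermod failed for $username"

  # sshd accepts the chroot only if every path component is root-owned and not
  # group/world writable; just the upload directory belongs to the user.
  mkdir -p -- "$jail/upload" || die "cannot create $jail/upload"
  chown root:root "$jail"
  chmod 755 "$jail"
  chown -R "$username:$SFTP_GROUP" "$jail/upload"
}

main() {
  if [[ -z "${2-}" ]]; then
    echo "Usage: add-sftp-user.sh username password" >&2
    echo "Create sftp user with chroot at ${CHROOT_BASE}/username and work directory at upload." >&2
    exit 1
  fi
  configure_sshd
  add_sftp_user "$1" "$2"
}

main "$@"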
add to /etc/ssh/sshd_config
# Subsystem sftp internal-sftp -l VERBOSE -f LOCAL0
# only need in Match group block
# -f LOCAL0 sends the sftp server's messages to syslog facility local0 and
# -l INFO logs the operations performed for the client (uploads, downloads,
# renames, ...). Because the server runs inside the chroot it can only reach
# syslog through a /dev/log socket that exists inside the jail; the rsyslog
# configuration below provides one per user.
ForceCommand internal-sftp -f LOCAL0 -l INFO
add to /etc/rsyslog.d/sftp.conf
# add sftp chroot log
# %u represent sftp username
# local0.* /var/log/sftp.log
# $AddUnixListenSocket /data1/sftp/%u/dev/log
#===above is old config===#
# Per-user listener: the chrooted internal-sftp cannot see the system
# /dev/log, so rsyslog opens a socket inside the jail and stamps those
# messages with HostName so they can be routed below. input() is RainerScript
# syntax (rsyslog 7+) - NOTE(review): confirm the installed rsyslog version,
# the commented-out lines above use the legacy directive syntax.
input(type="imuxsock" HostName="sftp_username" Socket="/data1/sftp/sftp_username/dev/log" CreatePath="on")
# Write that user's messages to their own file, then stop so they do not also
# land in the default log. Repeat both stanzas per user, replacing
# sftp_username with the real login name.
if $fromhost == 'sftp_username' then /var/log/sftp/sftp_username.log
& stop
Create the socket directory and the sftp log file
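#%u represent sftp username; set it once here instead of editing every line
u=sftp_username   # placeholder - replace with the real login name

# Socket directory inside the jail. Keep it root-owned: the chrooted sftp
# process only needs search permission on dev/ plus write permission on the
# socket rsyslog creates there, while a user-owned dev/ would let the account
# unlink its own audit socket.
mkdir -p "/data1/sftp/$u/dev"
chown root:root "/data1/sftp/$u/dev"
chmod 755 "/data1/sftp/$u/dev"

# Per-user log file, matching the path in /etc/rsyslog.d/sftp.conf.
mkdir -p /var/log/sftp/
touch "/var/log/sftp/$u.log"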
Restart sshd and rsyslog
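# Validate the edited sshd configuration before restarting: with a syntax
# error sshd would not come back up and you would be locked out of the box.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config failed validation, not restarting sshd" >&2
fi
# rsyslog must be restarted to open the new per-user socket inside the jail.
service rsyslog restart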
SFTP log