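#!/bin/bash
# Author - Georgi Dimitrov Georgiev, Cuser: C5280383
#
# Provisions a chrooted SFTP landing zone for one customer on SLES 11/12:
#   - bind-mounts /interfaces/<customer> under $SFTP_PATH (fstab entry),
#   - whitelists $CUST_GROUP in pam_access (access.conf),
#   - switches sshd to internal-sftp and appends a chroot Match block,
#   - routes internal-sftp messages to /var/log/sftp.log (syslog-ng / rsyslog).
#
# bash is required: the script uses arrays ("SUSE_VER[0]") and "[[ ]]", which
# the original "#!/bin/sh" shebang only tolerated where /bin/sh is bash.
# NOTE(review): the /home/c5280383/... paths used below look like a staging
# copy of the real /etc files, and most destructive commands are only echoed
# (dry run) — confirm before pointing this at /etc.

CUST_USER='IO'            # owner of the customer directory inside the chroot
CUST_GROUP='sftponly'     # group matched by the sshd chroot block and pam_access
CUSTOMER_DIR='customer'   # subdirectory name under $SFTP_PATH
BIND_MOUNT='1'            # '1' = write the fstab bind-mount entry
SUSE_VER[0]='11'          # release strings searched for in issue.net
SUSE_VER[1]='12'
SFTP_PATH='/sftp'         # ChrootDirectory root: must stay root-owned, mode 755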

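chk_suse_v () {
  # Detect the SLES major release (11 or 12) by grepping the version string
  # out of issue.net (staging copy by default; $1 overrides the path).
  # Sets CURR_SUSE_V to '11' or '12' (empty when neither matched) and the
  # marker variables CURR_SUSE_11/CURR_SUSE_12 and SUSE_CURR_11/SUSE_CURR_12
  # for callers that test set-ness with "${SUSE_CURR_11+x}", then prints
  # CURR_SUSE_V.
  #
  # The original assigned CURR_SUSE_11='11' and immediately overwrote it with
  # the never-assigned CURR_SUSE_V, so no variable survived the call and the
  # echo was always empty.
  # NOTE(review): a bare "11"/"12" substring is a weak discriminator (kernel
  # versions, hostnames); if both match, 12 wins.  /etc/os-release VERSION_ID
  # would be more reliable — TODO confirm it exists on the SLES 11 hosts.
  local issue_file="${1:-/home/c5280383/issue.net}"
  local v11="${SUSE_VER[0]:-11}" v12="${SUSE_VER[1]:-12}"
  local n11 n12

  CURR_SUSE_V=''
  unset SUSE_CURR_11 SUSE_CURR_12 CURR_SUSE_11 CURR_SUSE_12

  # grep -c prints a line count; on a missing file it prints nothing.
  n11=$(grep -c -- "$v11" "$issue_file" 2>/dev/null)
  n12=$(grep -c -- "$v12" "$issue_file" 2>/dev/null)

  if [ "$n11" = '1' ]; then
    CURR_SUSE_V="$v11"
    CURR_SUSE_11="$v11"
    SUSE_CURR_11="$v11"
  fi

  if [ "$n12" = '1' ]; then
    CURR_SUSE_V="$v12"
    CURR_SUSE_12="$v12"
    SUSE_CURR_12="$v12"
  fi

  echo "$CURR_SUSE_V"
}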

# Early release probe at load time; main() runs the same probe again.
chk_suse_v

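create_sftp_root_d () {
  # Lay out the chroot skeleton (dry run: the commands are echoed, not run):
  #   $SFTP_PATH/dev            - holds the syslog socket the chrooted
  #                               internal-sftp writes to
  #   $SFTP_PATH/$CUSTOMER_DIR  - bind-mount target for the customer data
  # sshd refuses a ChrootDirectory unless it and every path component are
  # owned by root and not group/world-writable, so the chroot root is always
  # (re)asserted as root:root 755.  Uses $SFTP_PATH throughout — the original
  # mixed $SFTP_PATH with a hard-coded /sftp.
  local chroot_root="${SFTP_PATH:?SFTP_PATH must be set}"
  local cust_dir="$chroot_root/${CUSTOMER_DIR:?CUSTOMER_DIR must be set}"

  if [ ! -d "$chroot_root/dev" ]; then
    echo "mkdir -p $chroot_root/dev"
  fi

  if [ ! -d "$cust_dir" ]; then
    echo "mkdir $cust_dir"
  fi

  # Idempotent: ownership and mode of the chroot root are safe to repeat.
  echo "chown root:root $chroot_root/"
  echo "chmod 755 $chroot_root/"
}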


# Create bind mount

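create_bind_mount () {
  # Record the bind mount of /interfaces/$CUSTOMER_DIR onto
  # $SFTP_PATH/$CUSTOMER_DIR in fstab (staging copy), once, using the syntax
  # expected by the detected SLES release.  Skipped unless BIND_MOUNT='1'.
  # $1 overrides the fstab path, $2 the issue.net path used for detection.
  #
  # Release detection greps issue.net directly, like the other helpers, so
  # this no longer depends on chk_suse_v's marker variables: the original
  # read SUSE_CURR_11/12, which chk_suse_v never set (it set CURR_SUSE_*),
  # and tested the 12 case with an inverted "-z".  The SLES 11 duplicate
  # check also compared grep's output text against '0' instead of a count.
  local fstab="${1:-/home/c5280383/fstab}"
  local issue="${2:-/home/c5280383/issue.net}"
  local src="/interfaces/${CUSTOMER_DIR:?CUSTOMER_DIR must be set}"
  local dst="${SFTP_PATH:?SFTP_PATH must be set}/$CUSTOMER_DIR"
  local v11="${SUSE_VER[0]:-11}" v12="${SUSE_VER[1]:-12}"
  local existing

  [ "$BIND_MOUNT" = '1' ] || return 0

  # Anchor on "<src><whitespace>" so "customer" does not match an existing
  # "customer2" entry.  A missing fstab counts as "no entry yet".
  existing=$(grep -c -- "^$src[[:space:]]" "$fstab" 2>/dev/null)
  if [ "${existing:-0}" != '0' ]; then
    echo "bind mount for $src already in $fstab, nothing to do"
    return 0
  fi

  if [ "$(grep -ci -- "$v11" "$issue" 2>/dev/null)" = '1' ]; then
    echo "$v11"
    echo "$src $dst bind 0 0" >> "$fstab"
  fi

  if [ "$(grep -ci -- "$v12" "$issue" 2>/dev/null)" = '1' ]; then
    echo "$v12"
    # _netdev delays the mount until networking is up — presumably because
    # /interfaces is a network share; NOTE(review): confirm on a target host.
    echo "$src $dst none bind,_netdev 0 0" >> "$fstab"
  fi
}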

##echo aaaa

# mount customer sftp dir and set permissions

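set_sftp_dir_perm () {
  # Mount the customer directory and hand it to the customer user (dry run:
  # mount/chown/chmod are echoed), after showing the live mount table for
  # the detected release.  $1 overrides the issue.net path.
  # Returns 1 without printing any command when the mount point is missing:
  # the original announced "exiting" with the variable name unexpanded
  # (single quotes) and then went on to chown a path that does not exist.
  #
  # Only the customer subdirectory is given to $CUST_USER; the chroot root
  # ($SFTP_PATH) itself must stay root-owned for sshd to accept it.
  local issue="${1:-/home/c5280383/issue.net}"
  local v11="${SUSE_VER[0]:-11}" v12="${SUSE_VER[1]:-12}"
  local target="${SFTP_PATH:?SFTP_PATH must be set}/${CUSTOMER_DIR:?CUSTOMER_DIR must be set}"

  if [ ! -d "$target" ]; then
    echo "$target not existing, exiting !" >&2
    return 1
  fi
  echo "mount $target"

  # Diagnostics only (run live, not echoed).
  if [ "$(grep -ci -- "$v11" "$issue" 2>/dev/null)" = '1' ]; then
    # NOTE(review): --type=none is presumably meant to list bind mounts on
    # SLES 11 — verify it shows the entry written by create_bind_mount.
    df -ha --type=none
  fi

  if [ "$(grep -ci -- "$v12" "$issue" 2>/dev/null)" = '1' ]; then
    grep sftp /proc/mounts
  fi

  echo "chown ${CUST_USER:?CUST_USER must be set}:${CUST_GROUP:?CUST_GROUP must be set} $target"
  echo "chmod 755 $target"
}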


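add_to_access_conf () {
  # Whitelist $CUST_GROUP in pam_access by inserting "+:$CUST_GROUP:ALL"
  # directly after the existing "+:techusers:ALL" line of access.conf
  # (staging copy; $1 overrides the path).  Idempotent.
  #
  # pam_access stops at the first matching rule, so the permit line has to
  # sit before any trailing "-:ALL:ALL" deny — that is why it is inserted
  # after the techusers rule rather than appended at EOF.  "ALL" as the
  # origin admits the group from any source; tighten it to the customer
  # network if this PAM stack serves more than sftp.
  #
  # The original printed the variable name unexpanded (single quotes),
  # inserted a hard-coded "sftponly" instead of $CUST_GROUP, and gave no
  # indication when the anchor line was absent (nothing was inserted).
  local cfg="${1:-/home/c5280383/access.conf}"
  local group="${CUST_GROUP:?CUST_GROUP must be set}"
  local rule="+:$group:ALL"

  if grep -qxF -- "$rule" "$cfg" 2>/dev/null; then
    echo "$rule already present in $cfg, nothing to do"
    return 0
  fi

  echo "Adding $rule to $cfg"
  # GNU sed: 'a' appends the text after every line matching the anchor.
  sed -i -e '/^+:techusers:ALL$/a '"$rule" -- "$cfg" || return 1

  if grep -qxF -- "$rule" "$cfg"; then
    echo "$rule added after +:techusers:ALL"
  else
    echo "WARNING: anchor line '+:techusers:ALL' not found in $cfg; $rule was NOT added" >&2
    return 1
  fi
}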

# Add to /etc/ssh/sshd_config sftp user rules

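add_to_sshd_config () {
  # Switch the sftp subsystem to internal-sftp (needed for ChrootDirectory +
  # ForceCommand) and append a Match block that jails $CUST_GROUP under
  # $SFTP_PATH with X11 and TCP forwarding disabled.  Works on the staging
  # copy ($1, default /home/c5280383/ssh/sshd_config).
  #
  # Fixes vs. the original:
  #  - idempotence is keyed on "Match Group $CUST_GROUP"; the old guard
  #    grepped a lower-case "subsystem" line that never matches the stock
  #    "Subsystem" entry, so every run appended another Match block;
  #  - the backup is taken of the file actually edited, not /etc/ssh/sshd_config;
  #  - the Subsystem rewrite uses a real regex (the old pattern began with a
  #    literal '$' and so never matched, and its replacement added a '$'),
  #    and the result is written back through a fresh temp file instead of
  #    '>>' onto a possibly stale sshd1_config.  Writing with "cat >" keeps
  #    the original inode, owner and mode, which "mv" would not.
  #
  # Match blocks apply to everything after them, so EOF is the only safe
  # place to append.  NOTE(review): every $CUST_GROUP member shares one
  # chroot ($SFTP_PATH/) and the customer dir is mode 755, so if several
  # customers are ever hosted on the same box they can list each other's
  # trees — that would need per-user chroots; confirm against the deployment.
  local cfg="${1:-/home/c5280383/ssh/sshd_config}"
  local group="${CUST_GROUP:?CUST_GROUP must be set}"
  local chroot_root="${SFTP_PATH:?SFTP_PATH must be set}"
  local backup tmp

  if grep -qxF -- "Match Group $group" "$cfg" 2>/dev/null; then
    echo "Match Group $group already present in $cfg, nothing to do"
    return 0
  fi

  printf 'Replacing "Subsystem sftp /usr/lib64/ssh/sftp-server" with internal-sftp and appending to %s:\n' "$cfg"
  printf 'Match Group %s\nForceCommand internal-sftp -f AUTH -l VERBOSE\nChrootDirectory %s/\nX11Forwarding no\nAllowTcpForwarding no\n' \
    "$group" "$chroot_root"

  backup="$HOME/sshd_config.bak.$(date +%d-%m-%y)"
  echo "Creating backup of $cfg at $backup in case something goes wrong"
  cp -pf -- "$cfg" "$backup" || { echo "backup of $cfg failed, aborting" >&2; return 1; }

  tmp=$(mktemp) || return 1
  if sed -e 's#^Subsystem[[:space:]]\{1,\}sftp[[:space:]]\{1,\}/usr/lib64/ssh/sftp-server[[:space:]]*$#Subsystem sftp internal-sftp#' -- "$cfg" > "$tmp"; then
    cat -- "$tmp" > "$cfg"
  else
    echo "sed failed on $cfg, leaving it untouched" >&2
    rm -f -- "$tmp"
    return 1
  fi
  rm -f -- "$tmp"

  cat <<EOT >> "$cfg"
Match Group $group
ForceCommand internal-sftp -f AUTH -l VERBOSE
ChrootDirectory $chroot_root/
X11Forwarding no
AllowTcpForwarding no
EOT

  echo "Validate before reloading sshd: sshd -t -f $cfg"
}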


##perl -i -pe "BEGIN{undef $/;} s/^source src$/source sftp \{ \ninternal\(\)\;\n unix\-dgram\(\"/sftp/dev/log\\"\);\n\}\;/sgm" /home/c5280383/syslog-ng/syslog-ng.conf

# add after source src in /etc/syslog-ng/syslog-ng.conf
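create_syslog_ng_conf () {
  # SLES 11 only: route messages from the chrooted internal-sftp (they
  # arrive on the $SFTP_PATH/dev/log socket) to /var/log/sftp.log via
  # syslog-ng.  $1 overrides the syslog-ng.conf path, $2 the issue.net path
  # used for release detection.
  #
  # All four objects (source, destination, filter, log) are appended at EOF
  # in one idempotent step keyed on the marker comment, which keeps
  # definition-before-use order for the log{} statement.  The original tried
  # to sed the source block in after "source-src" (a pattern that does not
  # occur; "source src" would have placed it inside the src{} braces), never
  # wrote the sed output back, looked for its marker in a mis-spelled
  # "rsyslog-ng" path and wrote stray quote characters into the config.
  # NOTE(review): stock SLES 11 configs already use internal() in "source
  # src"; confirm syslog-ng accepts a second internal() source on a target
  # host before relying on it.
  local cfg="${1:-/home/c5280383/syslog-ng/syslog-ng.conf}"
  local issue="${2:-/home/c5280383/issue.net}"
  local chroot_root="${SFTP_PATH:-/sftp}"
  local v11="${SUSE_VER[0]:-11}"
  local marker='# log SFTP messages to separate file and filter nss_ldap messages'

  [ "$(grep -ci -- "$v11" "$issue" 2>/dev/null)" = '1' ] || return 0

  if grep -qF -- "$marker" "$cfg" 2>/dev/null; then
    echo "sftp logging already configured in $cfg, nothing to do"
    return 0
  fi

  echo "Appending to $cfg:"
  # tee -a shows the operator what is written and appends it in one step.
  cat <<EOT | tee -a -- "$cfg"

# sftp: messages from the chrooted internal-sftp (socket below the chroot)
source sftp {
      internal();
      unix-dgram("$chroot_root/dev/log");
};

$marker
destination sftp { file("/var/log/sftp.log"); };
filter f_sftp { program("internal-sftp") and not match("nss_ldap"); };
log { source(sftp); filter(f_sftp); destination(sftp); };
EOT
}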

# SLES 12: add the sftp.log directives to /etc/rsyslog.d/sftp.conf

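create_sftp_conf () {
  # SLES 12 only: drop an rsyslog snippet that listens on the chroot's
  # $SFTP_PATH/dev/log socket and writes internal-sftp messages to
  # /var/log/sftp.log.  $1 overrides the snippet path, $2 the issue.net path
  # used for release detection.  Idempotent, keyed on the imuxsock line.
  #
  # Messages are selected by program name, the same criterion the SLES 11
  # syslog-ng variant uses.  The original selected "local3.*", but the sshd
  # Match block forces "internal-sftp -f AUTH" (facility auth), so a local3
  # selector would not have matched anything from sftp.
  # NOTE(review): stock /etc/rsyslog.conf on SLES 12 may already load
  # imuxsock, and rsyslog rejects loading the same module twice — confirm on
  # a target host and drop the module(load=...) line if so.
  local cfg="${1:-/home/c5280383/etc/rsyslog.d/sftp.conf}"
  local issue="${2:-/home/c5280383/issue.net}"
  local chroot_root="${SFTP_PATH:-/sftp}"
  local v12="${SUSE_VER[1]:-12}"

  [ "$(grep -ci -- "$v12" "$issue" 2>/dev/null)" = '1' ] || return 0

  if grep -qF -- 'module(load="imuxsock")' "$cfg" 2>/dev/null; then
    echo "imuxsock input already configured in $cfg, nothing to do"
    return 0
  fi

  echo "Adding to $cfg:"
  # tee -a shows the operator what is written and appends it in one step
  # (creating the file if needed).
  cat <<EOT | tee -a -- "$cfg"
module(load="imuxsock")
input(type="imuxsock" Socket="$chroot_root/dev/log" CreatePath="on")
# internal-sftp logs with facility auth (sshd ForceCommand "-f AUTH"), so
# select by program name rather than by facility.
if \$programname == 'internal-sftp' then {
    action(type="omfile" file="/var/log/sftp.log")
    stop
}
EOT
}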


# Restart sshd and rsyslog


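restart_ssh_syslog () {
  # Print the service commands for the detected release (dry run).
  # $1 overrides the issue.net path.
  #
  # The sshd reload is prefixed with "sshd -t" so a broken Match block is
  # caught before the running daemon is told to reload — reloading an
  # invalid sshd_config on a remote host can lock out every new session.
  # syslog is restarted rather than reloaded: the original notes that reload
  # does not pick up the new source/destination as expected.
  local issue="${1:-/home/c5280383/issue.net}"
  local v11="${SUSE_VER[0]:-11}" v12="${SUSE_VER[1]:-12}"

  if [ "$(grep -ci -- "$v11" "$issue" 2>/dev/null)" = '1' ]; then
    echo 'sshd -t && rcsshd reload'
    echo 'rcsyslog restart'
  fi

  if [ "$(grep -ci -- "$v12" "$issue" 2>/dev/null)" = '1' ]; then
    echo 'sshd -t && systemctl reload sshd.service'
    echo 'systemctl restart rsyslog.service'
  fi
}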

final_print () {
  # Closing hints for the operator: confirm the SFTP login works from the
  # customer network and that internal-sftp messages land in sftp.log.
  printf '\n\n\n'
  printf '%s\n' \
    'TEST: Check sftp connection inside customer network:' \
    'sftp <sftp-user>@<virtual-hostname>' \
    'Check log file' \
    'ls -l /var/log/sftp.log'
}


main () {
  # Run the provisioning steps in dependency order: detect the release,
  # build the chroot tree and bind mount, then PAM, sshd and logging
  # configuration, then the service commands and closing hints.
  local step
  for step in \
      chk_suse_v \
      create_sftp_root_d \
      create_bind_mount \
      set_sftp_dir_perm \
      add_to_access_conf \
      add_to_sshd_config \
      create_syslog_ng_conf \
      create_sftp_conf \
      restart_ssh_syslog \
      final_print; do
    "$step"
  done
}

main "$@"
