Reputation: 383
How to enable ssh connections log (/var/log/auth.log) in a Docker container with openssh-server?
The /var/log/auth.log file does not exist in my container.
Upvotes: 13
Views: 14235
Reputation: 21
I solved the problem. Stay in the same directory the whole time. This is how I did it:
Dockerfile:
FROM ubuntu:latest
RUN apt-get update && apt-get install -y openssh-server
# New user with an .ssh directory for id_rsa.pub, plus ownership and permissions
RUN useradd -m -s /bin/bash test && echo "test:123456" | chpasswd
RUN mkdir -p /home/test/.ssh && chown test:test /home/test/.ssh && chmod 700 /home/test/.ssh
# Create the directory for logging
RUN mkdir -p /etc/ssh/logs && chown root:root /etc/ssh/logs && chmod 700 /etc/ssh/logs
# Fix the error message shown when the container starts
RUN mkdir -p /run/sshd && chown root:root /run/sshd && chmod 700 /run/sshd
# Copy the public key into the directory of user test and set its permissions
COPY id_rsa.pub /home/test/.ssh/authorized_keys
RUN chmod 644 /home/test/.ssh/authorized_keys
# Disable password authentication
RUN sed -i '1i PasswordAuthentication no' /etc/ssh/sshd_config
# Forbid empty passwords
RUN sed -i '1i PermitEmptyPasswords no' /etc/ssh/sshd_config
# Disable keyboard-interactive authentication
RUN sed -i '1i KbdInteractiveAuthentication no' /etc/ssh/sshd_config
# Enable PAM authentication
RUN sed -i '1i UsePAM yes' /etc/ssh/sshd_config
# Public key authentication
RUN sed -i '1i PubkeyAuthentication yes' /etc/ssh/sshd_config
# Disable X11 forwarding
RUN sed -i '1i X11Forwarding no' /etc/ssh/sshd_config
# Set PermitRootLogin to no
RUN sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
# If file permissions are wrong, the connection is refused
RUN sed -i '1i StrictModes yes' /etc/ssh/sshd_config
# Set LogLevel to INFO for Fail2Ban
RUN sed -i '1i LogLevel INFO' /etc/ssh/sshd_config
# Tighten permissions on sshd_config
RUN chmod 600 /etc/ssh/sshd_config
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-E", "/etc/ssh/logs/auth.log"]
The lines that matter for logging are:
RUN mkdir -p /etc/ssh/logs && chown root:root /etc/ssh/logs && chmod 700 /etc/ssh/logs
RUN sed -i '1i LogLevel INFO' /etc/ssh/sshd_config
"-E", "/etc/ssh/logs/auth.log"
I created my SSH keys with puttygen and copied the file id_rsa.pub into the same directory as the Dockerfile and docker-compose.yml.
Create Image:
docker build -t sshd .
docker-compose.yml:
version: '3.9'
services:
  sshdocki:
    image: sshd
    container_name: sshdtest
    ports:
      # Quoted so YAML does not read 22:22 as a base-60 number
      - "22:22"
    volumes:
      - ./logs:/etc/ssh/logs
Start docker compose:
docker-compose up -d
Now you can check your logs in ./logs/auth.log. This is very useful for Fail2Ban:
tail -f ./logs/auth.log
I built this SSH container to get access to my database over SSH. I think that's a good solution for security. If you have better ideas, please tell me :)
Upvotes: 2
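As an added example (not part of the answer above or of any project's code), the following Python applies the kind of check Fail2Ban runs on ./logs/auth.log: it counts rejected connections per source address for the key-only configuration shown. The log lines are constructed, the sshd message wording and the two line layouts are assumptions, and the function names and the max_retry threshold are hypothetical.

```python
import re
from collections import Counter

IP = r"(?P<ip>[0-9A-Fa-f:.]+)"
# The user field is client-controlled and may contain spaces, so failure
# patterns are anchored at the end of the line: the address that sshd itself
# appended is the one that counts.
FAILURES = [
    re.compile(rf"Invalid user (?P<user>.*) from {IP} port \d+\s*$"),
    # Existing account, but the client left without presenting an accepted key.
    re.compile(rf"(?:Connection closed by|Disconnected from) authenticating "
               rf"user (?P<user>.*) {IP} port \d+ \[preauth\]\s*$"),
]
# "Connection closed by invalid user ..." is not matched on purpose: the same
# connection already produced an "Invalid user" line and would count twice.
ACCEPTED = re.compile(rf"Accepted publickey for (?P<user>\S+) from {IP} port \d+")

# Constructed sample; the last line has a syslog prefix, the others are bare.
SAMPLE_LOG = [
    "Server listening on 0.0.0.0 port 22.",
    "Invalid user admin from 203.0.113.7 port 40112",
    "Connection closed by invalid user admin 203.0.113.7 port 40112 [preauth]",
    "Invalid user oracle from 203.0.113.7 port 40118",
    "Connection closed by authenticating user test 203.0.113.7 port 40130 [preauth]",
    "Invalid user x from 192.0.2.1 port 1 from 203.0.113.7 port 40140",
    "Connection closed by authenticating user test 198.51.100.20 port 51514 [preauth]",
    "Accepted publickey for test from 198.51.100.20 port 51520 ssh2: RSA SHA256:PLACEHOLDER",
    "Jan 10 12:00:01 sshdtest sshd[42]: Invalid user guest from 2001:db8::5 port 60000",
]

def failed_by_ip(lines):
    """Count one failure per rejected connection, keyed by source address."""
    counts = Counter()
    for line in lines:
        match = next((m for m in (p.search(line) for p in FAILURES) if m), None)
        if match:
            counts[match.group("ip")] += 1
    return counts

def accepted_logins(lines):
    """Return (user, address) for every successful public-key login."""
    return [(m.group("user"), m.group("ip")) for m in map(ACCEPTED.search, lines) if m]

def offenders(lines, max_retry=3):
    """Addresses with at least max_retry failures (ban candidates)."""
    return sorted(ip for ip, n in failed_by_ip(lines).items() if n >= max_retry)

if __name__ == "__main__":
    print(failed_by_ip(SAMPLE_LOG), offenders(SAMPLE_LOG), accepted_logins(SAMPLE_LOG))
```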
Reputation: 121
Install the rsyslog package in the docker container:
$ apt-get install rsyslog
then start the daemon:
$ service rsyslog start
It seems a message such as the one below can be ignored; sshd logs to /var/log/auth.log anyway.
* Starting enhanced syslogd rsyslogd
rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
rsyslogd: activation of module imklog failed [v8.32.0 try http://www.rsyslog.com/e/2145 ]
Upvotes: 12
Reputation: 12913
The auth log is managed by the Syslog service.
This service itself is traditionally managed (started) by the init system (Upstart in your case).
By default a container doesn't run an init system, meaning that you'd have to start rsyslog manually:
# rsyslogd
After that, you'll find your usual log files in /var/log.
NB: init systems are not fully compatible with Docker containers. A common practice is to use Supervisord to start multiple services/processes automatically.
Upvotes: 12