SSH sftp successful logons

Where can I find the logs for successful accesses over ssh-sftp?

journalctl -u sshd | grep accepted

This does not print anything, despite me having logged on and modified a bunch of files. I recently discovered that ssh-sftp does not require authentication by default, and anyone could have entered sftp://my-ip and browsed all of my files. I need to know who accessed my computer.

On my Debian server, I have it in /var/log/auth.log

This file does not exist on Manjaro. From my own research, sshd is entirely logged through journalctl.

grep is case-sensitive unless you use the -i flag, and I believe the logs show ‘Accepted’.

journalctl -u sshd | grep -i Accepted

Thanks, I get some entries now, but they are all trusted logins from myself, no sftp related things. I also tried grepping for sftp but that returned no results.

I tried from a fresh browser before plugging the massive security hole, and I could just sftp://, which does not seem to have been logged.

In /etc/ssh/sshd_config, comment out:

Subsystem      sftp    /usr/lib/ssh/sftp-server

Any ideas what I could grep for?

Maybe try (I just threw in a bunch of strings)

journalctl _SYSTEMD_UNIT=sshd.service | grep -iE "Succ|Fail|Accept|Denied|Deny"

No dice, and when grepping for ‘sftp’ I just get failed logon attempts of people who tried to log in as user sftp (but it doesn’t say whether it went through sftp-server).

The weird thing is, I could just access pretty much everything from a browser without authenticating. But from Thunar, I had to actually provide a password or keys to access the sftp.

There are no relevant logs in /var/log/httpd/access_log either.

Hm, I know sftp logging is sparse to begin with.

You may wish for more verbosity with something like

Subsystem      sftp    /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

But it should still give connections by default … I wonder if there is no authentication; maybe look for something like:
Feb 25 12:34:56 server sshd[1234]: pam_unix(sshd:session): session opened for user user by (uid=0)
So search for ‘session’?

So it seems that it wasn’t as big of a deal as I thought. Someone I knew helped me out and tried to sftp://my-ip, but he got a timeout. So it seems that Firefox, somehow, is able to connect through ssh. I’m not running ssh-agent on the connecting computer, so I’m not sure how it’s able to do that. The Firefox connections don’t show up in the logs either (journalctl _SYSTEMD_UNIT=sshd.service -e --follow) besides the timeout, which shows as Connection closed by REMOTEHOST

Unless you have enabled the ssh daemon on the system you want to connect to, you cannot connect to a system using sftp.

When you enable the ssh daemon, you can connect using ssh, scp and sftp.
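
Added example, not part of any post in this thread: a filter that pulls successful logins and sftp subsystem requests out of sshd journal lines, so that failed attempts as a user named "sftp" are not mistaken for sftp access. The function names, the sample lines and the exact message formats are assumptions (constructed from what OpenSSH's sshd commonly logs); compare them with your own journal output.

```shell
#!/bin/sh
# Constructed sample in `journalctl -u sshd` short format
# (addresses are documentation ranges, the key fingerprint is a placeholder).
sample_log() {
cat <<'EOF'
Feb 25 12:34:50 server sshd[1201]: Failed password for invalid user sftp from 203.0.113.7 port 40022 ssh2
Feb 25 12:34:56 server sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2: ED25519 SHA256:CONSTRUCTED
Feb 25 12:34:56 server sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 25 12:34:57 server sshd[1236]: subsystem request for sftp by user alice
Feb 25 12:40:02 server sshd[1300]: Accepted password for bob from 198.51.100.4 port 41000 ssh2
Feb 25 12:40:02 server sshd[1300]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Feb 25 12:41:10 server sshd[1310]: Connection closed by 203.0.113.9 port 51000 [preauth]
EOF
}

# Reads sshd journal lines on stdin and prints:
#   <timestamp> user=<u> from=<ip> method=<m>   for each successful login
#   <timestamp> user=<u> sftp                   for each sftp subsystem request
# Layout assumed: Mon DD HH:MM:SS host sshd[pid]: message...
ssh_access_report() {
  awk '
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }          # only lines logged by sshd itself

    # "Accepted <method> for <user> from <ip> port <n> ssh2"
    $6 == "Accepted" && $8 == "for" && $10 == "from" {
      printf "%s %s %s user=%s from=%s method=%s\n", $1, $2, $3, $9, $11, $7
      next
    }

    # "subsystem request for sftp by user <user>"
    $6 == "subsystem" && $7 == "request" && $9 == "sftp" {
      printf "%s %s %s user=%s sftp\n", $1, $2, $3, $NF
    }
  '
}

# On a live system: journalctl -u sshd --no-pager | ssh_access_report
sample_log | ssh_access_report
```

The "subsystem request" line usually comes from a different sshd PID than the "Accepted" line, so match the two by user and time rather than by PID.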