Solved

Tracking source IP addresses Sftp clients are connecting from

Posted on 2014-01-13
10
Medium Priority
891 Views
Last Modified: 2014-01-17
We used sftp with password authentication & I'm suspecting that
our sftp password is being shared with users who are connecting
from IP addresses that we can track down.

Q1:
As I'm a newbie to Redhat Linux (5.x, 6.x), can you name me the logfile names
(Linux syslogs? Sftp logs?) & the directories of the logs that will show the
source IP addresses that the sftp clients are connecting from?

Q2:
I was told by the Linux sysadmin that the sftp logs are encrypted.
Any idea which freeware sftp server auto-encrypts its sftp logs?
The sysadmin chap can't comment.

Q3:
Is there any Linux command, say "last", that will indicate the source
IP addresses that sftp clients connect from & the date/timings they
connect? Let me know the qualifiers if any (for Redhat 5.x/6.x).
0
Question by:sunhux
10 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 1256 total points
ID: 39778407
If you know the IPs from which your users should be coming, you could use tcpwrapper rules

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all

Note sftp is part of SSL. Not sure there is a specific SFTP. Once you add the sshd:all in the hosts.deny, only connections matching the hosts.allow entries will be permitted to connect. Do not try these changes offsite (just in case there is a typo that will lock you completely out). A way to manage might be to set up another instance of sshd that will be bound and listening on a different port accessible only internally. Note however that the tcpwrapper (hosts.allow, hosts.deny) will apply to it unless you compile your own sshd version that would not include tcpwrapper libraries.

If your sshd_config is configured to log events, look there; you can parse the log to extract the usernames and the connection source.

Those sftp users can then ssh into your system?
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 280 total points
ID: 39778605
SFTP is Not part of SSL, it is part of SSH which is a completely different encryption method.
0
 

Author Comment

by:sunhux
ID: 39778618
Thanks richrumble.

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all
I can't implement the suggestion of blocking because the users
are given their own ssh id to do sftp but somehow we suspect
a sysadmin has inadvertently shared an sftp admin password
with the users.  Is there any configuration in sftp to permit
based on a combination of ssh userid & IP address they're
connecting from?
0

 

Author Comment

by:sunhux
ID: 39778649
Suppose users' subnet is from 172.16.12.0, can
I put the following commands into the .bash_profile
or the .profile of that sftp admin id:

who am i | grep -i "172.16.12."
if [ test $? -eq 0 ]
then
        exit
fi

Please comment/review if the 'exit' statement is sufficient
to log out the unauthorized user's sftp session.
0
 

Author Comment

by:sunhux
ID: 39778657
Or do we need an "exit 1" or "kill ..." command?


Correction:
> if [ test $? -eq 0 ]
   should be
if [ $? -eq 0 ]
0
 

Author Comment

by:sunhux
ID: 39778694
Agree, Dave is right, sftp is an ssh protocol; it's not ssl.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 384 total points
ID: 39778855
sftp logins are ssh logins - they should be in the usual /var/log/messages (or whatever the syslog target is) with login successes and failures logged
0
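Q1 and Q3 ask which log shows the source address; arnold and Dave Howe point at sshd's syslog output, which records the user and the peer address on every accepted or failed authentication (sftp authenticates exactly like ssh). The script below is an added example, not code from any poster: it parses those lines, counts the source addresses each account was accepted from, and flags accepted logins outside an authorized prefix. The log path /var/log/secure (RHEL's default target for authpriv) is an assumption, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: pull timestamp / result / user / source address out of
# sshd's syslog lines.  On RHEL sshd logs via authpriv to /var/log/secure
# (assumed path); the sample log written below is constructed.

make_sample_log() {
    # Writes constructed sshd log lines to the file named in $1.
    cat > "$1" <<'EOF'
Jan 13 09:01:12 sftp01 sshd[2201]: Accepted password for sftpadmin from 172.16.12.5 port 51234 ssh2
Jan 13 09:05:40 sftp01 sshd[2210]: Accepted password for sftpadmin from 10.9.8.7 port 40022 ssh2
Jan 13 09:06:02 sftp01 sshd[2215]: Failed password for invalid user guest from 10.9.8.7 port 40030 ssh2
Jan 13 09:07:15 sftp01 sshd[2220]: Accepted publickey for alice from 172.16.12.9 port 51300 ssh2: RSA SHA256:examplefingerprint
Jan 13 09:08:00 sftp01 sshd[2220]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

sshd_logins() {
    # $1: log file.  Prints one "timestamp|result|user|source-ip" line per
    # sshd authentication record; sftp sessions authenticate exactly like ssh.
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for / {
        # $1-$3 timestamp, $6 Accepted/Failed, $8 "for", $9 user name,
        # except "for invalid user <name>", where the name is $11
        i = 9
        if ($9 == "invalid" && $10 == "user") i = 11
        ip = ""
        for (j = i + 1; j <= NF; j++) if ($j == "from") { ip = $(j + 1); break }
        printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, $6, $i, ip
    }' "$1"
}

sshd_sources_by_user() {
    # $1: log file.  Counts accepted logins per (user, source address) pair,
    # which shows an account being used from more places than it should be.
    sshd_logins "$1" | awk -F'|' '$2 == "Accepted" { n[$3 " " $4]++ }
        END { for (k in n) print k, n[k] }' | sort
}

sshd_unexpected_sources() {
    # $1: log file, $2: authorized address prefix such as 172.16.12.
    # Prints accepted logins whose source does not start with that prefix.
    sshd_logins "$1" | awk -F'|' -v p="$2" '$2 == "Accepted" && index($4, p) != 1'
}
```

Run `sshd_unexpected_sources /var/log/secure 172.16.12.` (or against the rotated /var/log/secure-* files) to list the accepted logins that came from outside the expected subnet.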
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1256 total points
ID: 39779359
Yes, typo'd.


There is an SSHD rule that you can add to sshd_config. The line is
AllowUsers username@ipaddress
The above example will restrict user login attempts to the ipaddress.
AllowUsers username@192.168.0.?
The above line will restrict the username to the 192.168.0/24 segment.
http://ubuntuforums.org/showthread.php?t=1416730

You should test whether it will take a CIDR notation 192.168.0.0/24 or 192.168.0. might work as well.

Note: for these changes to take effect, the sshd daemon needs to be restarted.
0
 

Author Comment

by:sunhux
ID: 39784785
Would those lines of Shell commands placed into .profile or
.bash_profile work?
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 1256 total points
ID: 39785557
A while back there were options that you could add into authorized_keys that would limit the source of the connection when using public keys.
I do not believe that outside the main service configuration (sshd_config) there is a way to restrict the user login.

The issue is that when someone sftps, I do not think .profile or .bash_profile is processed.


Another issue is that .login/.bash_profile might be terminated by the user hitting ctrl-c.

The change will only work with ssh logins; you can "replace" the shell with a wrapper script that will test for the ssh client information and then validate the IP against a rule (applicable to all, or you need to check which user is running it), and then either pass the connection to the shell or exit.

You seem to be in search of a workaround; there is the direct way.
Advise your fellow admins; change the password on the account.
0
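The wrapper-shell approach arnold describes, as an added example that is none of the posters' code: sshd exports SSH_CLIENT (source address, source port, server port) into the session, so a login shell can check the peer address before handing over to the real shell. This runs for both interactive ssh and sftp, since sshd starts the sftp subsystem through the account's shell with -c, whereas a shell started that way never reads .profile or .bash_profile. The real shell /bin/bash, the allowed subnet 172.16.12.0/24 and the install path /usr/local/bin/sftp-guard are assumptions.

```shell
#!/bin/sh
# Added example of the wrapper-shell idea: installed as an account's login
# shell, it checks the source address sshd records in SSH_CLIENT and only
# then hands over to the real shell.  Assumptions: real shell is /bin/bash,
# allowed subnet is 172.16.12.0/24, script is installed as
# /usr/local/bin/sftp-guard and listed in /etc/shells so chsh accepts it.

ip2int() {
    # Dotted-quad IPv4 address -> 32-bit integer, POSIX sh arithmetic only.
    oIFS=$IFS; IFS=.
    set -- $1
    IFS=$oIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_allowed() {
    # $1: SSH_CLIENT value ("addr port serverport"), $2: allowed net a.b.c.d/n.
    # Returns 0 when the client address lies inside the network, 1 otherwise.
    # SSH_CLIENT is set by sshd from the TCP peer, not supplied by the user.
    addr=${1%% *}
    net=${2%/*}; bits=${2#*/}
    case $addr in
        "" | *[!0-9.]*) return 1 ;;   # empty, IPv6, or anything else: refuse
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

sftp_guard() {
    # sshd runs "<shell> -c /usr/libexec/openssh/sftp-server" for sftp and
    # "<shell>" with no arguments for an interactive login; both reach this
    # check, unlike .profile/.bash_profile, which a "-c" shell never reads.
    if ! client_allowed "${SSH_CLIENT:-}" 172.16.12.0/24; then
        src=${SSH_CLIENT:-unknown}; src=${src%% *}
        logger -p auth.warning -t sftp-guard "refused ${USER:-?} from $src"
        exit 1
    fi
    exec /bin/bash "$@"
}

# Only act when invoked as the login shell (argv[0] is "sftp-guard" or the
# login form "-sftp-guard"); sourcing the file just defines the functions.
case ${0##*/} in
    sftp-guard | -sftp-guard) sftp_guard "$@" ;;
esac
```

The refusal is logged to syslog (auth facility), so a blocked attempt shows up next to sshd's own "Accepted password" line for the same connection.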
