Solved

Tracking source IP addresses Sftp clients are connecting from

Posted on 2014-01-13
10
700 Views
Last Modified: 2014-01-17
We used sftp with password authentication & I'm suspecting that
our sftp password is being shared with users who are connecting
from IP addresses that we can track down.

Q1:
As I'm a newbie to Redhat Linux (5.x, 6.x), can you name the logfile names
(Linux syslogs? Sftp logs?) and the directories of the logs that will show the
source IP addresses that the sftp clients are connecting from?

Q2:
I was told by the Linux sysadmin that the sftp logs are encrypted.
Any idea which freeware sftp server auto-encrypts its sftp logs?
The sysadmin chap can't comment.

Q3:
Is there any Linux command, say "last", that will indicate the source
IP addresses that sftp clients connect from and the date/times they
connect? Let me know the qualifiers, if any (for Redhat 5.x/6.x).
0
Comment
Question by:sunhux
10 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 314 total points
If you know the IPs your users should be coming from, you could use tcpwrapper rules:

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all

Note sftp is part of SSL; not sure there is a specific SFTP. Once you add the sshd:all in the hosts.deny, only connections matching the hosts.allow entries will be permitted to connect. Do not try these changes offsite (just in case there is a typo that will lock you completely out). A way to manage might be to set up another instance of sshd that will be bound and listening on a different port accessible only internally. Note however that the tcpwrapper (hosts.allow, hosts.deny) will apply to it unless you compile your own sshd version that does not include tcpwrapper libraries.

If your sshd_config is configured to log events, look there; you can parse the log to extract the usernames and the connection source.

Those sftp users can then ssh into your system?
0
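Added example, not code from the thread: a small shell/awk audit of the sshd auth log that arnold suggests parsing. The sample lines are constructed in OpenSSH's syslog format (on RHEL these land in /var/log/secure via the authpriv facility); the account name and the allowed address prefixes are assumptions.

```shell
#!/bin/sh
# Constructed sample of what sshd logs on a RHEL box (normally /var/log/secure).
SAMPLE_LOG='Jan 13 10:22:01 host sshd[1234]: Accepted password for sftpadmin from 172.16.12.25 port 51234 ssh2
Jan 13 10:22:01 host sshd[1234]: subsystem request for sftp
Jan 13 10:25:17 host sshd[1301]: Accepted password for sftpadmin from 10.1.1.7 port 40012 ssh2
Jan 13 10:31:45 host sshd[1377]: Failed password for sftpadmin from 172.16.12.90 port 40013 ssh2
Jan 13 10:40:02 host sshd[1402]: Accepted publickey for alice from 10.1.1.8 port 40050 ssh2'

# Read the log on stdin and print "month day time user ip" for every successful
# login as $1 whose source address does not start with one of the space-separated
# prefixes in $2 (e.g. "10.1.1. 10.1.2.").  Fields: $6=Accepted $9=user $11=ip.
unexpected_logins() {
    awk -v user="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, pfx, " ") }
        $6 == "Accepted" && $9 == user && $10 == "from" {
            ok = 0
            for (i = 1; i <= n; i++) if (index($11, pfx[i]) == 1) ok = 1
            if (!ok) print $1, $2, $3, $9, $11
        }'
}

# Read the log on stdin and print "user ip count" for every successful login,
# i.e. the list of source addresses each account has actually come in from.
login_sources() {
    awk '$6 == "Accepted" && $10 == "from" { c[$9 " " $11]++ }
         END { for (k in c) print k, c[k] }' | sort
}

# On a real system: unexpected_logins sftpadmin "10.1.1." < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | unexpected_logins sftpadmin "10.1.1."
printf '%s\n' "$SAMPLE_LOG" | login_sources
```

Note that "last" only lists sessions that allocated a terminal, so sftp-only logins (which never get a pty) do not appear in it; the auth log is where they are recorded.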
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 70 total points
SFTP is not part of SSL; it is part of SSH, which is a completely different encryption method.
0
 

Author Comment

by:sunhux
Thanks richrumble.

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all
I can't implement the suggestion of blocking because the users
are given their own ssh id to do sftp but somehow we suspect
a sysadmin has inadvertently shared an sftp admin password
with the users.  Is there any configuration in sftp to permit
based on a combination of ssh userid & IP address they're
connecting from?
0
 

Author Comment

by:sunhux
Suppose the users' subnet is 172.16.12.0; can
I put the following commands into the .bash_profile
or the .profile of that sftp admin id:

# "who am i" prints the login line, including the client address in parentheses;
# grep exits 0 when that address is in the users' subnet
who am i | grep -i "172.16.12."
if [ $? -eq 0 ]
then
        exit
fi

Pls comment/review if the 'exit' statement is sufficient
to logout the unauthorized user's sftp session.
0
 

Author Comment

by:sunhux
Or do we need "exit 1" or a "kill ..." command?


Correction:
> if [ test $? -eq 0 ]
   should be
if [ $? -eq 0 ]
0

 

Author Comment

by:sunhux
Agree, Dave is right: sftp is an ssh protocol; it's not ssl.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 96 total points
sftp logins are ssh logins; they should be in the usual /var/log/messages (or whatever the syslog target is), with login successes and failures logged.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 314 total points
Yes, typo'd.


There is an sshd rule that you can add to sshd_config. The line is:

AllowUsers username@ipaddress

The above example will restrict user login attempts to the ipaddress.

AllowUsers username@192.168.0.?

The above line will restrict the username to the 192.168.0/24 segment.
http://ubuntuforums.org/showthread.php?t=1416730

You should test whether it will take CIDR notation (192.168.0.0/24); 192.168.0. might work as well.

Note that for these changes to take effect, the sshd daemon needs to be restarted.
0
 

Author Comment

by:sunhux
Would those lines of Shell commands placed into .profile or
.bash_profile work?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 314 total points
A while back there were options that you could add into authorized_keys that would limit the source of the connection, using public keys.
I do not believe that outside the main service configuration (sshd_config) there is a way to restrict the user login.

The issue is that when someone sftps, I do not think .profile or .bash_profile is processed.


Another issue is that .login/.bash_profile might be terminated by the user hitting ctrl-c.

The change will only work with ssh logins; you can "replace" the shell with a wrapper script that tests for the ssh client information and then validates the IP against a rule (applicable to all, or you need to check which user is running it), and then either passes the connection to the shell or exits.

You seem to be in search of a workaround; there is the direct way:
advise your fellow admins and change the password on the account.
0
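The wrapper-shell approach arnold describes, as an added example (not code from the thread): sshd invokes the account's login shell for an sftp session as "shell -c /usr/libexec/openssh/sftp-server", so a wrapper installed as the login shell runs even though .profile does not. REAL_SHELL, the allowed address prefixes and the installed filename sftp-wrapper are assumptions.

```shell
#!/bin/sh
# Install as e.g. /usr/local/bin/sftp-wrapper, add it to /etc/shells, and set it
# as the sftp admin account's shell in /etc/passwd.  sshd runs it for interactive
# logins ("sftp-wrapper") and for sftp ("sftp-wrapper -c .../sftp-server").
REAL_SHELL=/bin/bash                 # assumption: shell to hand the session to
ALLOWED_PREFIXES="10.1.1. 10.1.2."   # assumption: admin workstation ranges only
LOG_TAG=sftp-wrapper

# Return 0 if $1 (an IPv4 address) starts with one of ALLOWED_PREFIXES.
# Plain prefix matching: "10.1.1." also covers 10.1.1.0-255 but not 10.1.10.x.
ip_allowed() {
    ip=$1
    for p in $ALLOWED_PREFIXES; do
        case $ip in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port";
# print the client address, or nothing if this is not an ssh session.
client_ip() {
    set -- ${SSH_CONNECTION:-}
    printf '%s\n' "${1:-}"
}

main() {
    ip=$(client_ip)
    # Console or su logins have no SSH_CONNECTION: pass them through unchanged.
    if [ -z "$ip" ] || ip_allowed "$ip"; then
        exec "$REAL_SHELL" "$@"      # "$@" keeps the -c sftp-server arguments
    fi
    # Record the refused source in syslog (authpriv is where sshd logs too).
    logger -p authpriv.warning -t "$LOG_TAG" "refused $(id -un) from $ip"
    exit 1
}

# Only act when invoked as the installed wrapper, so the functions can be sourced.
case $0 in
    *sftp-wrapper*) main "$@" ;;
esac
```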