Solved

Tracking source IP addresses Sftp clients are connecting from

Posted on 2014-01-13
782 Views
Last Modified: 2014-01-17
We use sftp with password authentication, & I suspect that
our sftp password is being shared with users who are connecting
from IP addresses that we can track down.

Q1:
As I'm a newbie to Redhat Linux (5.x, 6.x), can you name the logfile names
(Linux syslogs? Sftp logs?) & the directories of the logs that will show the
source IP addresses that the sftp clients are connecting from?

Q2:
I was told by the Linux sysadmin that the sftp logs are encrypted.
Any idea which freeware sftp server auto-encrypts its sftp logs?
The sysadmin chap can't comment.

Q3:
Is there any Linux command, say "last", that will indicate the source
IP addresses that sftp clients connect from & the date/timings they
connect? Let me know the qualifiers, if any (for Redhat 5.x/6.x).
Question by:sunhux
10 Comments
 

Accepted Solution

by: arnold (earned 314 total points)
ID: 39778407
If you know the IPs your users should be coming from, you could use tcpwrapper rules:

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all

Note sftp is part of SSL. Not sure there is a specific SFTP. Once you add the sshd:all in the hosts.deny, only connections matching the hosts.allow entries will be permitted to connect. Do not try these changes offsite (just in case there is a typo that will lock you completely out). A way to manage might be to set up another instance of sshd that will be bound and listening on a different port accessible only internally. Note however that the tcpwrapper (hosts.allow, hosts.deny) will apply to it unless you compile your own sshd version that does not include tcpwrapper libraries.

If your sshd_config is configured to log events, look there; you can parse the log to extract the usernames and the connection source.

Those sftp users can then ssh into your system?
 

Assisted Solution

by: Dave Baldwin (earned 70 total points)
ID: 39778605
SFTP is not part of SSL; it is part of SSH, which is a completely different encryption method.
 

Author Comment

by: sunhux
ID: 39778618
Thanks richrumble.

hosts.allow
sshd:internalIPSegment
sshd:authorized_remotelocations
hosts.deny
sshd:all
I can't implement the suggestion of blocking because the users
are given their own ssh IDs to do sftp, but somehow we suspect
a sysadmin has inadvertently shared an sftp admin password
with the users. Is there any configuration in sftp to permit
access based on a combination of the ssh userid & the IP address
they're connecting from?

Author Comment

by: sunhux
ID: 39778649
Suppose the users' subnet is 172.16.12.0; can
I put the following commands into the .bash_profile
or the .profile of that sftp admin id:

who am i | grep -i "172.16.12."
if [ test $? -eq 0 ]
then
        exit
fi

Please comment/review whether the 'exit' statement is sufficient
to log out the unauthorized user's sftp session.
 

Author Comment

by: sunhux
ID: 39778657
Or do we need an "exit 1" or "kill ..." command?


Correction:
> if [ test $? -eq 0 ]
   should be
if [ $? -eq 0 ]
 

Author Comment

by: sunhux
ID: 39778694
Agree, Dave is right: sftp is an ssh protocol; it's not ssl.

Assisted Solution

by: Dave Howe (earned 96 total points)
ID: 39778855
sftp logins are ssh logins; they should be in the usual /var/log/messages (or whatever the syslog target is), with login successes and fails logged.
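As an added example (not code from any post on this page), a Python parser for the sshd authentication lines that Dave Howe's and arnold's answers point to: it groups successful logins by user and source IP and flags an account that logged in from outside the subnet it is expected to come from, which is the signal that a password has been shared. The log lines, host name srv1 and expected subnet 10.1.1.0/24 are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of sshd syslog lines (RHEL writes these to /var/log/secure;
# other distros use /var/log/auth.log or /var/log/messages). SFTP sessions
# authenticate exactly like SSH logins, so they appear here too.
SAMPLE_LOG = """\
Jan 13 09:58:02 srv1 sshd[2211]: Accepted password for sftpadmin from 10.1.1.5 port 51020 ssh2
Jan 13 10:02:11 srv1 sshd[2240]: Accepted password for sftpadmin from 172.16.12.45 port 51234 ssh2
Jan 13 10:02:12 srv1 sshd[2240]: subsystem request for sftp
Jan 13 10:03:01 srv1 sshd[2262]: Failed password for sftpadmin from 172.16.12.77 port 40000 ssh2
Jan 13 10:05:40 srv1 sshd[2290]: Accepted publickey for alice from 172.16.12.10 port 50111 ssh2
Jan 13 10:07:09 srv1 sshd[2301]: Accepted password for sftpadmin from 172.16.12.77 port 40102 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

def parse_auth_events(log_text):
    """Return a list of dicts (ts, result, method, user, ip) for sshd auth lines."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def logins_by_user(events):
    """Map each user to the sorted list of source IPs that logged in successfully."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            sources[e["user"]].add(e["ip"])
    return {u: sorted(ips) for u, ips in sources.items()}

def unexpected_sources(events, user, allowed_cidrs):
    """Successful logins for `user` from outside allowed_cidrs: the password-sharing signal."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return [e for e in events if e["result"] == "Accepted" and e["user"] == user
            and not any(ip_address(e["ip"]) in n for n in nets)]

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    print(logins_by_user(evs))
    for e in unexpected_sources(evs, "sftpadmin", ["10.1.1.0/24"]):
        print(f"ALERT {e['ts']} {e['user']} from {e['ip']} via {e['method']}")
```

Pointing parse_auth_events at the real file (`open("/var/log/secure").read()` on RHEL) answers Q1 and Q3 directly; the "Failed password" lines are kept in the event list so repeated failures from a source can be reviewed as well.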

Assisted Solution

by: arnold (earned 314 total points)
ID: 39779359
Yes, typo'd.


There is an SSHD rule that you can add to sshd_config. The line is
AllowUsers username@ipaddress
The above example will restrict the user's login attempts to that ipaddress.
AllowUsers username@192.168.0.?
The above line will restrict the username to the 192.168.0/24 segment.
http://ubuntuforums.org/showthread.php?t=1416730

You should test whether it will take CIDR notation (192.168.0.0/24); 192.168.0. might work as well.

Note: for these changes to take effect, the sshd daemon needs to be restarted.
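As an added example (not arnold's or OpenSSH's code), a small Python model of how sshd evaluates AllowUsers entries of the form USER or USER@HOST, so the effect of a host pattern can be checked before the daemon is restarted with it. It reproduces only the two wildcards documented in the ssh_config(5) PATTERNS section, `*` for any string and `?` for exactly one character; the CONFIG entries and addresses are constructed.

```python
# Added model of how sshd evaluates AllowUsers entries (USER or USER@HOST).
# Not sshd's code: its matcher lives in match.c; this reproduces the two
# wildcards from ssh_config(5) PATTERNS, '*' (any string) and '?' (one char).

def match_pattern(s, pat):
    """Glob match supporting only '*' and '?' (no character classes, no '!')."""
    if not pat:
        return not s
    if pat[0] == "*":
        return any(match_pattern(s[i:], pat[1:]) for i in range(len(s) + 1))
    if s and (pat[0] == "?" or pat[0] == s[0]):
        return match_pattern(s[1:], pat[1:])
    return False

def allow_users_permits(allow_users, user, client_ip, client_host=None):
    """True if some AllowUsers entry admits (user, source). The host part is
    matched against the client IP and, when sshd has resolved one (UseDNS),
    its hostname. An empty AllowUsers list means no restriction at all."""
    if not allow_users:
        return True
    for entry in allow_users:
        upat, _, hpat = entry.partition("@")
        if not match_pattern(user, upat):
            continue
        if not hpat:
            return True          # plain USER entry: any source is fine
        if match_pattern(client_ip, hpat) or (client_host and match_pattern(client_host, hpat)):
            return True
    return False

# Constructed AllowUsers line, split into its entries.
CONFIG = ["sftpadmin@10.1.1.5", "alice@192.168.0.*", "bob@192.168.0.?"]

if __name__ == "__main__":
    for user, ip in [("sftpadmin", "10.1.1.5"), ("sftpadmin", "172.16.12.45"),
                     ("alice", "192.168.0.200"), ("bob", "192.168.0.7"),
                     ("bob", "192.168.0.70"), ("carol", "10.1.1.5")]:
        verdict = "allow" if allow_users_permits(CONFIG, user, ip) else "deny"
        print(f"{user:10s} from {ip:14s} -> {verdict}")
```

The bob entries show why the wildcard matters: `192.168.0.?` admits only a single-digit last octet, while `192.168.0.*` covers the whole 192.168.0 range that the post intends.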

Author Comment

by: sunhux
ID: 39784785
Would those lines of Shell commands placed into .profile or
.bash_profile work?

Assisted Solution

by: arnold (earned 314 total points)
ID: 39785557
A while back there were options that you can add into authorized_keys that would limit the source of the connection using public keys.
I do not believe that outside the main service configuration (sshd_config) there is a way to restrict the user login.

The issue is that when someone sftps, I do not believe .profile or .bash_profile is processed.

Another issue is that .login/.bash_profile might be terminated by the user hitting ctrl-c.

The change will only work with ssh logins. You can "replace" the shell with a wrapper script that will test for the ssh client information and then validate the IP against a rule (applicable to all, or you need to check which user is running it), and then either pass the connection to the shell or exit.

You seem to be in search of a workaround; there is the direct way:
advise your fellow admins and change the password on the account.