
There is no easy way to track real-time per-user bandwidth usage for SSH and SFTP. I think assigning one port to each user may help, but I am wondering if my approach is workable.

Use case

  • Bob, with UID 1001, shall connect on port 31001.
  • Alice, with UID 1002, shall connect on port 31002.
  • John, with UID 1003, shall connect on port 31003.

(I do not want to launch several sshd instances as proposed in question 247291.)

1. Setup for SFTP:

In /etc/ssh/sshd_config:

Port 31001
Port 31002
Port 31003
Subsystem sftp /usr/bin/sftp-wrapper.sh

The file sftp-wrapper.sh starts the sftp server only if the port is the correct one:

#!/bin/sh
# Start the SFTP server only if the user arrived on the port reserved for their UID.
mandatory_port="3$(id -u)"
# $SSH_CONNECTION is "client_ip client_port server_ip server_port"; field 4 is the server port.
current_port="$(echo "$SSH_CONNECTION" | awk '{print $4}')"
if [ "$mandatory_port" -eq "$current_port" ]
then
  exec /usr/lib/openssh/sftp-server
fi
# Wrong port (or no SSH_CONNECTION at all): refuse the subsystem explicitly.
exit 1

2. Additional setup for SSH:

A few lines in /etc/profile prevent the user from connecting on the wrong port:

# Only for SSH sessions: refuse interactive logins that arrived on another user's port.
if [ -n "$SSH_CONNECTION" ]
then
  mandatory_port="3$(id -u)"
  # Field 4 of $SSH_CONNECTION is the server-side port the client connected to.
  current_port="$(echo "$SSH_CONNECTION" | awk '{print $4}')"
  if [ "$mandatory_port" -ne "$current_port" ]
  then
    echo "Please connect on port $mandatory_port."
    exit 1
  fi
fi

Benefits

Now it should be easy to monitor per-user bandwidth usage. An RRDtool-based application could produce charts like this:

(image: example per-user bandwidth graph)

I know this won't be a perfect calculation of the bandwidth usage: for example, if somebody launches a brute-force attack on port 31001, there will be a lot of traffic on this port although not from Bob. But this is not a problem to me: I do not need an exact computation of per-user bandwidth usage, but an indicator that is approximately correct in standard situations.

Questions

  1. Is the idea of assigning one port for each user generally a good one? Or does it violate best practice?
  2. If I have to open dozens of ports for many users, should I expect a performance drawback?

BertS

1 Answer


I think a better solution is to monitor bandwidth usage per client port number. Then you can combine this monitoring with port numbers from auth.log to compute the sum of all connections from a user.

kasperd
  • This should work, though you will have to actually write a program to watch the log for connections and figure out which port number each user logged in with. – Michael Hampton Jun 08 '14 at 18:20
  • @MichaelHampton If you collect information about usage per port number over time, it should be entirely possible to combine the two data sources after the fact to produce the desired graph. I don't see any need to watch the log `auth.log` in real time. – kasperd Jun 08 '14 at 18:50
  • Sure, if you don't want the graphs in real time. :) And `auth.log` is a Debianism; the logs will be elsewhere on Red Hat type systems (`/var/log/secure`). – Michael Hampton Jun 08 '14 at 18:51
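As an added example (not code from the answer or the comments above), here is the after-the-fact correlation kasperd describes: OpenSSH "Accepted ... port N" lines from auth.log are joined to per-flow byte counters keyed by client address and client port, so bytes land on the authenticated user and unauthenticated flows (scanners, failed passwords) are not charged to anyone. The log lines and byte counts are constructed samples; the log format is the standard OpenSSH one, while the shape of the per-flow counter export is assumed.

```python
import re
from collections import defaultdict

# Standard OpenSSH auth.log line for a successful login:
# "sshd[PID]: Accepted <method> for <user> from <client ip> port <client port> ssh2"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_logins(log_lines):
    """Map (client ip, client port) of every accepted login to the username."""
    logins = {}
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins[(m.group("ip"), int(m.group("port")))] = m.group("user")
    return logins

def bytes_per_user(log_lines, flow_bytes):
    """Sum per-flow byte counts by the user who authenticated that flow.

    flow_bytes maps (client ip, client port) to bytes transferred, as a
    per-connection accounting tool would export it (assumed format).
    Flows with no accepted login (scanners, failed passwords) are kept
    separate under 'unattributed' rather than charged to a user.
    """
    logins = parse_logins(log_lines)
    totals = defaultdict(int)
    for flow, nbytes in flow_bytes.items():
        totals[logins.get(flow, "unattributed")] += nbytes
    return dict(totals)

# Constructed sample data: not real hosts, users or traffic.
SAMPLE_LOG = [
    "Jun  8 18:10:01 srv sshd[1234]: Accepted publickey for bob from 203.0.113.5 port 51234 ssh2",
    "Jun  8 18:11:17 srv sshd[1240]: Accepted password for alice from 198.51.100.7 port 40012 ssh2",
    "Jun  8 18:12:03 srv sshd[1251]: Failed password for invalid user admin from 192.0.2.9 port 60001 ssh2",
    "Jun  8 18:13:44 srv sshd[1260]: Accepted publickey for bob from 203.0.113.5 port 51300 ssh2",
]
SAMPLE_FLOWS = {
    ("203.0.113.5", 51234): 1_500_000,
    ("198.51.100.7", 40012): 250_000,
    ("192.0.2.9", 60001): 4_000,       # failed login attempt, never authenticated
    ("203.0.113.5", 51300): 700_000,
}

if __name__ == "__main__":
    for user, total in sorted(bytes_per_user(SAMPLE_LOG, SAMPLE_FLOWS).items()):
        print(f"{user:14s} {total:>10d} bytes")
```

A client (ip, port) pair is reused over time, so a real collector must also key both data sources by connection start time; the sample ignores that to keep the join readable.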