
I am looking for help with a Linux server (CentOS) guide or script that can be used to send an email to a server account when a new SFTP connection is detected. For example, giving the connection name and the requesting IP address as well as the connection authentication type, if possible (such as SSH key or password, etc.).

I have next to no experience with Bash scripts; however, I have successfully made exactly this, which detects SSH connections. I can't find out where to go to extend this to also notify the email address of SFTP connections to the server.

Many thanks for any help on this.

I do realise this is pretty crappy question and I apologise, but search engine results are giving me lots of false results such as "how do I SFTP to my server?!" etc. which are clearly inappropriate.

Cheers


Update 1

So /var/log/secure collects the SFTP connection information. I would like to be able to grab that information somehow and throw it out in a basic email.

My current working SSH detector does this in .bashrc:

echo -e 'ALERT - SSH access detected:' $(date) $(ls -l $(tty) | awk '{print $3}') '\n\nConnection Details: ' $(w -h) '\n\nList of WHO: ' $(who --login) | mail -s "Alert: Server Access Email Subject" email@address.com

This is called/triggered by CSF (ConfigServer Firewall).

I would like somehow to combine the two above so that, when an info line is added to /var/log/secure, such as with:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO

it will also be able to detect lines starting with:

Accepted publickey for ....

so that this line can then be thrown in an email out to the email address....


Update 2:

I may need to write my own Bash shim ....


Update 3:

Thanks to Piotr, my code for my shim is now:

#!/bin/bash
# Create a temporary log file
LOGFILE=$(/bin/mktemp /tmp/sftplog.XXXXXX)
# Redirect stderr to LOGFILE
exec 2>"$LOGFILE"

# Run the SFTP server with logging to stderr (-e) instead of syslog
/usr/libexec/openssh/sftp-server -e -u 022 -l VERBOSE

# Use some sendmail substitute to send an e-mail.
# LOGNAME and SSH_CONNECTION are environment variables set by sshd, so they
# are expanded as $LOGNAME / $SSH_CONNECTION; $(LOGNAME) would try to run a
# command called LOGNAME instead.
/usr/sbin/sendmail -i root@localhost <<EOF
From: email@localaddress.co.uk
To: email@localaddress.co.uk
Subject: SFTP connection for user $LOGNAME

Hello,
User $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.

Connection log:
$(<"$LOGFILE")
EOF

# echo -e "Hello,\nUser $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.\n\nConnection log:\n$(<"$LOGFILE")" | mail -s "SFTP connection for user $LOGNAME" email@localaddress.co.uk

# Delete the log
rm -f "$LOGFILE"

I have run the sendmail instruction from the command line and this works correctly; however, new SFTP connections are resulting in `EOF while reading packet`.


Update 4

Reducing the script to:

#!/bin/bash
# Run the SFTP server with logging to stderr
/usr/libexec/openssh/sftp-server -e -u 022 -l INFO
exec >/dev/null

still returns the `EOF while reading packet` issue when connecting.


Update 5:

Setting the file permissions to be identical to the permissions of the original subsystem file (/usr/libexec/openssh/sftp-server) resolves the issue and the script runs correctly.

Martin
    Hi Martin, this discussion may be helpful to reach your goal and give you useful information on the modifications you have to make in the configuration file and in your script: https://serverfault.com/questions/73319/sftp-logging-is-there-a-way – AtomiX84 Dec 30 '19 at 15:31
  • Thanks @AtomiX84 that looks useful. – Martin Dec 30 '19 at 16:07
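The log-driven approach sketched in Update 1 (watch /var/log/secure, pick out the SFTP session and the matching "Accepted ..." authentication line, mail the result) as an added example. This is not code from the question or from CSF; the log lines are constructed for illustration, and the exact wording of the sshd and sftp-server lines depends on the OpenSSH version, so check them against your own /var/log/secure. The recipient address and the log path are assumptions, overridable through the environment.

```bash
#!/bin/bash
# Added example: correlate sshd "Accepted ..." lines with the sftp-server
# "session opened" lines that "-l INFO" writes to /var/log/secure, and mail
# one notice per SFTP session.  Not code from the question; the log lines
# below are constructed for illustration and their exact format depends on
# the sshd/sftp-server version.
set -u

NOTIFY_TO=${NOTIFY_TO:-root@localhost}     # assumed recipient
SECURE_LOG=${SECURE_LOG:-/var/log/secure}  # CentOS location

# Constructed sample of /var/log/secure: an SFTP login with a key, a shell
# login with a password (no SFTP), and an SFTP session without a matching
# auth line.  The pam_unix line must NOT be mistaken for an SFTP session.
SAMPLE_SECURE='Dec 30 15:31:02 host sshd[2231]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:c29tZWhhc2g
Dec 30 15:31:02 host sshd[2231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 30 15:31:03 host sftp-server[2240]: session opened for local user alice from [203.0.113.7]
Dec 30 15:32:10 host sshd[2290]: Accepted password for bob from 198.51.100.9 port 40000 ssh2
Dec 30 15:32:11 host sshd[2290]: Starting session: shell on pts/1 for bob from 198.51.100.9 port 40000 id 0
Dec 30 15:40:00 host sftp-server[2310]: session opened for local user carol from [192.0.2.5]'

# Read log lines from the given files (or stdin) and print one
# "user ip auth-method" line per SFTP session start.
sftp_sessions() {
    awk '
    # sshd: "Accepted <method> for <user> from <ip> port <n> ssh2..."
    / sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") {
            method[$(i+3) "@" $(i+5)] = $(i+1); break
        }
    }
    # sftp-server: "session opened for local user <user> from [<ip>]"
    / sftp-server\[[0-9]+\]: session opened for local user / {
        for (i = 1; i <= NF; i++) if ($i == "user") {
            u = $(i+1); ip = $(i+3); break
        }
        gsub(/\[|\]/, "", ip)
        key = u "@" ip
        m = (key in method) ? method[key] : "unknown"
        print u, ip, m
        fflush()   # do not buffer when fed by tail -F
    }' "$@"
}

# Follow the live log and send one mail per session start (never returns).
watch_sftp_logins() {
    tail -Fn0 "$SECURE_LOG" | sftp_sessions | while read -r user ip method; do
        printf 'User %s opened an SFTP session from %s (auth: %s) at %s\n' \
            "$user" "$ip" "$method" "$(date '+%F %T %Z')" \
            | mail -s "Alert: SFTP login $user from $ip" "$NOTIFY_TO"
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SECURE" | sftp_sessions
elif [ "${1:-}" = "--watch" ]; then
    watch_sftp_logins
fi
```

Run it with `--demo` to see the two sessions extracted from the sample, or with `--watch` (as root, under a systemd unit or from rc.local) to follow the real log. Keying the lookup on user@ip rather than on user alone keeps two concurrent logins of the same account from the same host from being confused with a login from elsewhere; a password login that never opens the SFTP subsystem, like bob above, produces no mail.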

1 Answer

The nice thing about ssh subsystems is that you can replace the default implementation (internal-sftp as Martin remarked) with another implementation, e.g. a wrapper script around /usr/lib/openssh/sftp-server.

A small example: create a file /usr/local/bin/sftp-logger with content:

#!/bin/bash
# Create a temporary log file
LOGFILE=$(/bin/mktemp /tmp/sftplog.XXXXXX)
# Redirect stderr to LOGFILE
exec 2>"$LOGFILE"

# Run the SFTP server with logging to stderr (-e) instead of syslog;
# stdout is left untouched because it carries the SFTP protocol
/usr/lib/openssh/sftp-server -e -l INFO

# In case of chatty sendmail
exec >/dev/null

# Use some sendmail substitute to send an e-mail
# ($LOGNAME and $SSH_CONNECTION are set by sshd)
/usr/sbin/sendmail -i root@localhost <<EOF
From: sshd@localhost
To: root@localhost
Subject: SFTP connection for user $LOGNAME

Hello,
User $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.

Connection log:
$(<"$LOGFILE")
EOF

# Delete the log
rm -f "$LOGFILE"

Then you just have to replace the default SFTP server with your script in /etc/ssh/sshd_config:

Subsystem sftp /usr/local/bin/sftp-logger
Piotr P. Karwasz
    Nice trick +1 – Though note that `sftp-server` is no longer default, it's `internal-sftp`, which won't work with this trick. See [OpenSSH: Difference between internal-sftp and sftp-server](https://serverfault.com/q/660160/168875). – Martin Prikryl Dec 31 '19 at 07:48
  • Yes, I should probably rephrase it as "_one of the standard implementations_". – Piotr P. Karwasz Dec 31 '19 at 09:29
  • @PiotrP.Karwasz thanks for the swift reply. I had tried to use the sendmail from the command line and it didn't end, I had put in the lines as examples on your answer but the system wasn't reacting... was maybe expecting more(?). Ctrl+C aborted it. Hence I also tried the code with the `echo` statement and `mail`. Cheers – Martin Dec 31 '19 at 15:40
  • In my case `sendmail` is actually a symlink to `exim4`. Maybe your `sendmail` expects a `.` alone on a newline to mark the end of the message. – Piotr P. Karwasz Dec 31 '19 at 15:43
  • @PiotrP.Karwasz sending the email via the command line works correctly when copy-pasted. The email sending is successful but the SFTP connection remains with the "EOF while reading packet" error. – Martin Dec 31 '19 at 15:58
  • Some command must be printing something on stdout. Try with an `exec >/dev/null` just after the `sftp-server` line. – Piotr P. Karwasz Dec 31 '19 at 16:25
  • @PiotrP.Karwasz thanks for your continued support here. I added that line; nothing changed. I removed all the email code from the source file and the same error remained. I am editing the file in Notepad++ ; do you think it's an issue with file line endings or similar file encoding? (currently UTF-8 non-BOM) – Martin Dec 31 '19 at 16:41
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/102728/discussion-between-piotr-p-karwasz-and-martin). – Piotr P. Karwasz Dec 31 '19 at 16:45
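A variant of the subsystem wrapper, written here as an added example rather than Piotr's script or Martin's shim, that addresses the points raised in the thread: it mails at session start (the question asks for a notification when a connection is detected, not when it ends), it prints nothing to stdout, since a single stray byte there is what produces "EOF while reading packet", and it then `exec`s the real sftp-server so the session log still goes to syslog and lands in /var/log/secure. The sftp-server and sendmail paths, the recipient address and the install name `/usr/local/bin/sftp-logger` are assumptions. The authentication method comes from the `SSH_USER_AUTH` file that sshd writes when `ExposeAuthInfo yes` is set; that option exists from OpenSSH 7.6, so on the OpenSSH 7.4 shipped with CentOS 7 it reports "unknown". Two caveats carried over from the comments: this replaces `sftp-server`, not `internal-sftp`, and it cannot serve users under `ChrootDirectory`, because the chroot would have to contain bash, sendmail and the wrapper itself.

```bash
#!/bin/bash
# sftp-logger: notify by e-mail when an SFTP session starts, then hand the
# connection over to the real sftp-server.  Added example for this page; it
# is not Piotr's script, Martin's shim, or part of OpenSSH.  Install as
# /usr/local/bin/sftp-logger, mode 0755 root:root (Update 5: it must be
# executable by the logging-in user), and point
#   Subsystem sftp /usr/local/bin/sftp-logger
# at it in sshd_config.  Not usable for users under ChrootDirectory.
set -u

# Assumed paths; CentOS uses /usr/libexec/openssh, Debian /usr/lib/openssh.
SFTP_SERVER=${SFTP_SERVER:-/usr/libexec/openssh/sftp-server}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
NOTIFY_TO=${NOTIFY_TO:-root@localhost}

# First field of SSH_CONNECTION ("client-ip client-port server-ip server-port").
client_ip() {
    set -- $1
    printf '%s\n' "${1:-unknown}"
}

# Authentication method(s) used.  Needs "ExposeAuthInfo yes" in sshd_config
# (OpenSSH 7.6+), which makes sshd write one "method [key-type key]" line per
# successful method to the file named by SSH_USER_AUTH.  Returns "unknown"
# when the file is absent, e.g. on the OpenSSH 7.4 shipped with CentOS 7.
auth_methods() {
    local f=${1:-}
    if [ -n "$f" ] && [ -r "$f" ]; then
        awk '{print $1}' "$f" | sort -u | paste -sd, -
    else
        printf 'unknown\n'
    fi
}

# Build the complete message (headers + body) that is piped to sendmail -t.
# $1 user, $2 SSH_CONNECTION value, $3 auth-info file (may be empty).
build_notice() {
    local user=$1 conn=$2 authfile=$3
    local ip method
    ip=$(client_ip "$conn")
    method=$(auth_methods "$authfile")
    printf 'From: sshd@localhost\nTo: %s\nSubject: SFTP login: %s from %s (%s)\n\n' \
        "$NOTIFY_TO" "$user" "$ip" "$method"
    printf 'User %s opened an SFTP session from %s at %s\nAuthentication: %s\nSSH_CONNECTION: %s\n' \
        "$user" "$ip" "$(date '+%F %T %Z')" "$method" "$conn"
}

main() {
    local user=${LOGNAME:-$(id -un)}
    # Everything the wrapper itself prints must go to stderr or /dev/null:
    # stdout is the SFTP channel and a single stray byte yields
    # "EOF while reading packet" on the client.  A mail failure must not
    # block the login, so its status is ignored.
    build_notice "$user" "${SSH_CONNECTION:-}" "${SSH_USER_AUTH:-}" \
        | "$SENDMAIL" -i -t >/dev/null 2>&1
    # Without -e, sftp-server logs to syslog (facility AUTH), so the session
    # still lands in /var/log/secure.  exec keeps the exit status and signals.
    exec "$SFTP_SERVER" -u 022 -l INFO
}

# Only take over the session when installed under the expected name, so the
# functions can be sourced or tested without starting sftp-server.
case "${0##*/}" in
    sftp-logger) main "$@" ;;
esac
```

After editing sshd_config run `sshd -t` to syntax-check it before restarting sshd, and keep a second SSH session open while testing so a broken subsystem line cannot lock you out. `sendmail -t` takes the recipient from the `To:` header the script writes, so changing `NOTIFY_TO` is enough to redirect the alerts.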