
Linux - Which files execute the first instructions when calling the sftp or ssh service on port 22?


Kartazion


Not being on any computer forum, I'll try to explain my problem here. Indeed I want to create and manage a specific log file (we already have /var/log which does this), but I want to intercept the bits/words of these instructions.

What are the files and the directory that start the execution of the first instruction when we call ssh or sftp? Knowing that there are the sftp or ssh daemons that listen and the /bin/ssh or /bin/sftp scripts that start the service.

I thought it was just the files in the /bin directory that started when calling the service. This would therefore amount to recompiling the /bin files.

There may also be the solution of PID Process.

Thanks.


Normally I use tcpdump in shell which is like wireshark in graph. But these programs list the listening and give the IP as well as its destination port. But maybe you want me to understand that in the packets there would be the call of the file or the service on the server? Good idea.

I'm going to try on 127.0.0.1


9 minutes ago, Kartazion said:

Normally I use tcpdump in shell which is like wireshark in graph. But these programs list the listening and give the IP as well as its destination port. But maybe you want me to understand that in the packets there would be the call of the file or the service on the server? Good idea.

I don't have Wireshark running on this machine, but I don't think it will show the files that are activated, only the service. I think you can get the files from top or ps (ps -au maybe).


18 minutes ago, moth said:

I don't have Wireshark running on this machine, but I don't think it will show the files that are activated, only the service. I think you can get the files from top or ps (ps -au maybe).

A little later in the day I'll try, just to see: tcpdump -i lo

But I think the solution comes from an sshd type daemon https://en.wikipedia.org/wiki/Daemon_(computing)

Therefore I know its PID

But not its pidfile in /var/run


Your question is ambiguous. I am wondering whether you're talking about instructions of the TCP protocol, or instructions like command lines, or what else?

If you want to learn the PID you can try:

Dump all active processes to a text file before running something,

dump it again after running something,

compare the differences between the text files,

and you will know which processes were created by "something".

You can make a script. Dump, compare, display differences, wait 0.1-1s, repeat.

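The dump/compare/repeat loop described in the post above, written out as an added example (not code from the thread). It snapshots every process as "pid ppid comm", reports what appeared since the previous snapshot, and so answers the first post's question of which processes sshd spawns when an ssh or sftp session arrives. It assumes a ps that accepts -o with empty column headers (procps on Linux does):

```shell
#!/bin/sh
# Added example: watch for newly created processes (e.g. the sshd child and
# sftp-server that appear when a session is opened on port 22).

# snapshot_procs FILE: write "pid ppid comm" for every process into FILE.
# The "=" after each column name suppresses the header line.
snapshot_procs() {
    ps -eo pid=,ppid=,comm= > "$1"
}

# new_procs BEFORE AFTER: print the entries of AFTER that are absent in BEFORE.
# Both inputs are sorted into temporary files because comm(1) needs sorted input.
new_procs() {
    tmp_before=$(mktemp) && tmp_after=$(mktemp) || return 1
    sort "$1" > "$tmp_before"
    sort "$2" > "$tmp_after"
    comm -13 "$tmp_before" "$tmp_after"
    rm -f "$tmp_before" "$tmp_after"
}

# watch_procs INTERVAL: loop forever, printing one line per process that
# appeared since the last snapshot, then promote the new snapshot to "before".
watch_procs() {
    dir=$(mktemp -d) || return 1
    snapshot_procs "$dir/before"
    while :; do
        sleep "${1:-1}"
        snapshot_procs "$dir/after"
        new_procs "$dir/before" "$dir/after" | while read -r pid ppid comm; do
            printf '%s new pid=%s ppid=%s comm=%s\n' "$(date +%T)" "$pid" "$ppid" "$comm"
        done
        mv "$dir/after" "$dir/before"
    done
}

# Usage: sh watch.sh watch [interval-seconds]; then open an ssh/sftp session
# from another terminal and watch the children of sshd show up.
if [ "${1:-}" = "watch" ]; then
    watch_procs "${2:-1}"
fi
```

The comm field only names the program, not every file it opens; for the latter the PID printed here can be fed to lsof or /proc/PID/fd.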

23 minutes ago, Sensei said:

Your question is ambiguous. I am wondering whether you're talking about instructions of the TCP protocol, or instructions like command lines, or what else?

Command line instructions. moth got the idea of TCP packet.

30 minutes ago, Sensei said:

If you want to learn the PID you can try:

Dump all active processes to a text file before running something,

dump it again after running something,

compare the differences between the text files,

and you will know which processes were created by "something".

You can make a script. Dump, compare, display differences, wait 0.1-1s, repeat.

I think I'll have to dissect init

init(en)

/etc/init.d/

or

/etc/rc.d/rc.local


I think the solution is in /usr/sbin/sshd file. https://linux.die.net/man/8/sshd

So I recovered the source of it with:

wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

and decompress with:

tar -xzf openssh-8.0p1.tar.gz

Now I try to see where I can insert my code before compilation with ./configure -h
There are several interesting files related to the daemon. If you have any idea which one...

The purpose of this manipulation is to be able to create a log list of the connection listening on a dot matrix printer.
IOW for each connection attempt, my printer lists the client's information into /dev/tcp/192.168.x.x
As said above we already have this information in /var/log.


On 10/11/2020 at 9:38 PM, Kartazion said:

As said above we already have this information in /var/log.

If it is already in this file, why not use e.g. grep on it to extract it? Or make a Perl or Python or bash script to parse it.


9 hours ago, steven111 said:

did you get the answer you actually wanted?

No. I haven't had time yet. That's why I was asking in case if somebody has an answer.

8 hours ago, Sensei said:

If it is already in this file, why not use e.g. grep on it to extract it? Or make a Perl or Python or bash script to parse it.

Excellent solution! But this is the same as periodically listing the log file when bytes are added.

The goal is to be able to intercept the kernel request at time t in order to be able to immediately inform about the connection.


40 minutes ago, Kartazion said:

Excellent solution! But this is the same as periodically listing the log file when bytes are added.

The goal is to be able to intercept the kernel request at time t in order to be able to immediately inform about the connection.

If you have a script checking the log file *) every second, you will have just a one-second delay between the connection and the information reaching the user. The user won't even be able to read the information in such a short time. So tell me why such a delay is a problem?

*) or use tail -f with grep. Any update to the file will be printed to the console.

https://shapeshed.com/unix-tail/#how-to-watch-a-file-for-changes

https://www.networkworld.com/article/3529891/watching-activity-on-linux-with-watch-and-tail-commands.html

You could also try a TCP proxy. The original app should connect to your proxy, and the proxy makes the real connection. Then you can even make it interactive, with user consent or rejection of the connection.

Edited by Sensei

6 hours ago, Sensei said:

So tell me why such delay is a problem?

You are right. But I want to be able to approve the connection before it is established. For that I wish to work in C/C++ and eventually in sh/bash.

6 hours ago, Sensei said:

Great solution. Thank you.

6 hours ago, Sensei said:

You could also try a TCP proxy. The original app should connect to your proxy, and the proxy makes the real connection. Then you can even make it interactive, with user consent or rejection of the connection.

What do you mean by a TCP proxy?

AFAIK the proxy server does not generate an ssh certificate, unless of course you specifically install openssl on it.
But the proxy server is often an integral part of the firewall, and the service is useful from LAN to WAN.
My connections are on the LAN and without a proxy service because I use the 22 ssh port and not the 443 https port.
But on the other hand you are right. Because my ssh connection crosses the WAN and the web, and this through I do not know how many servers to reach my destination.
But all this is possible thanks to a VPN which creates a tunnel from LAN to LAN.

To check.


6 minutes ago, Kartazion said:

You are right. But I want to be able to approve the connection before it is established.

That's the job of a personal firewall.

When I was using WinXP, in the past, I was using Sygate Personal Firewall. Unfortunately it does not work with any new Windows.

When an unknown app made a connection to the Internet, it blocked the connection and asked, showing the user a dialog with the question whether to allow the connection, with all the details about it: IP, port, protocol, packet details etc.

Packets could be logged, diagnosed, analyzed etc. etc.


2 minutes ago, Sensei said:

That's the job of a personal firewall.

When I was using WinXP, in the past, I was using Sygate Personal Firewall. Unfortunately it does not work with any new Windows.

Yes. Now everyone uses pfSense.

This is why the manufacturers all make mini pc pfSense.


8 months later...

I found on the Internet the solution to be able to send an email after each connection in SSH. It is easily possible to insert whatever you want from your sh executable file in shell.

Create the executable file my_file.sh in the directory of your choice (for example /etc/my_file.sh). Do not forget to give the executable permissions with: chmod +x my_file.sh

#!/bin/sh
# Run by PAM through pam_exec: PAM_USER, PAM_RHOST and PAM_TYPE are
# environment variables that pam_exec sets for the script.

SENDER="your@email.com"
EMAIL_FROM="your@server.com"
SUBJECT="SSH Login Notify"

MESSAGE="You have a new SSH connection
Username: ${PAM_USER}
IP Address: ${PAM_RHOST}"

# Quote PAM_TYPE so the test does not break if the variable is empty;
# only the opening of a session is reported, not its close.
if [ "${PAM_TYPE}" = "open_session" ]; then
	echo "${MESSAGE}" | mail -n -r "${EMAIL_FROM}" -s "${SUBJECT}" "${SENDER}"
fi

exit 0


Add the following line to indicate the file to be executed to /etc/pam.d/sshd:

session optional pam_exec.so /etc/my_file.sh


That's it.

PS: For information, sshd (OpenSSH Daemon) is the daemon program and listens for connections from clients. It can be configured using command-line options or a configuration file (by default /etc/ssh/sshd_config).


@Kartazion

If your machine has an HTTP/HTTPS server, you can make a simple PHP script which will make/update a file by file_put_contents() somewhere, and examine the date and time of the last access of the file from a bash script. If the access time is more than 5 minutes ago, refuse the SSH connection. So the procedure for logging in would be: open a browser on mobile or so, visit your top secret PHP script location, then log in to SSH or whatever else. If somebody does not know that they must visit the website with the right URI with the script first, they will be rejected.

Edited by Sensei
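An added example (not code from either post) that joins the pam_exec hook Kartazion posted with the "touch a marker first" gate Sensei suggests: instead of a session script that only mails, this runs in the PAM account stage, which OpenSSH evaluates for key logins too, and its exit code decides whether the login proceeds. The marker path, the 5-minute window, the log path and the wiring line `account required pam_exec.so /etc/ssh_gate.sh` in /etc/pam.d/sshd are all assumptions, and `find -mmin` is the GNU/BSD extension used to measure the file's age:

```shell
#!/bin/sh
# Added example: pam_exec "account" hook that refuses the SSH login unless the
# marker file was updated recently, and logs every decision with PAM's details.
# Assumed wiring in /etc/pam.d/sshd:  account required pam_exec.so /etc/ssh_gate.sh
# The marker is written by the web script Sensei describes; this side only reads it.

MARKER="${SSH_GATE_MARKER:-/var/run/ssh_gate.marker}"   # assumed path
MAX_MIN="${SSH_GATE_MAX_MIN:-5}"                        # window in minutes
LOG="${SSH_GATE_LOG:-/var/log/ssh_gate.log}"            # assumed path

# gate_allows FILE MINUTES: 0 if FILE exists and was modified within MINUTES,
# 1 otherwise (a missing marker is a deny, never an allow).
gate_allows() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# log_decision DECISION: one line per attempt, using the variables pam_exec sets.
log_decision() {
    printf '%s %s user=%s rhost=%s service=%s type=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" \
        "${PAM_USER:-?}" "${PAM_RHOST:-?}" "${PAM_SERVICE:-?}" "${PAM_TYPE:-?}" \
        >> "$LOG"
}

main() {
    if gate_allows "$MARKER" "$MAX_MIN"; then
        log_decision ALLOW
        exit 0
    fi
    log_decision DENY
    exit 1      # non-zero exit makes pam_exec fail the account check
}

# Only act when PAM is the caller; sourcing the file for tests skips main.
if [ -n "${PAM_TYPE:-}" ]; then
    main
fi
```

The gate sits in front of the normal password or key check, it does not replace it, and the marker must be writable only by the account that updates it, otherwise any local user can open the window.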
