[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dante-misc
Subject:    Re: [dante-misc] How to log client IP/ login when using dante over SSH
From:       "Gregory Charot (EVENIUM)" <gcharot () evenium ! com>
Date:       2012-06-15 9:31:15
Message-ID: 4FDB00E3.1010700 () evenium ! com


On 15/06/2012 07:32, Michael Shuldman wrote:
> Gregory Charot wrote,
>> But sure, I'm following you, but "ssh -v" is on the client side; I
>> don't want to rely on the client.
> Hello, a pity about libwrap not providing the portnumber, only the
> IP address.  Seems a bit silly and I was not aware of that.


Maybe there are some extra variables I haven't tried...
>
>
> One thing that might be relevant but is not clear to me from your
> description is whether each user creates his own ssh tunnel from
> his workstation to the bastion host?  From re-reading your email I
> get the impression this might be the case.

Yep, each user uses his own tunnel!

>
> If so, an idea from my colleague Karl-Andre' was that perhaps
> requiring rfc931 (ident) in sockd.conf and making sure identd is
> running on the bastion host will provide what you want?
> The Dante server will then contact the identd server on the machine
> that connected to it (localhost), which should report the username
> that owns the ssh tunnel.

It actually works! Thanks! I've got the following entries in the logs:

Jun 15 11:14:06 (1339751646) danted[10894]: pass(2): tcp/connect [: rfc931%greg@127.0.0.1.55690 -> 192.168.10.244.443
Jun 15 11:14:59 (1339751699) danted[10894]: block(3): tcp/connect [: rfc931%greg@127.0.0.1.55708 -> 173.194.41.181.443

The only drawback is the use of identd (oidentd in my case), which is not 
a secure solution. However, I have restricted access to localhost 
only with the "-a 127.0.0.1" option. I guess it will fit our requirements.

Thanks again for your help!
Greg

PS: Here is the full danted config in case somebody has the same issue:


logoutput: /var/log/dante.log

# Listen on Loopback only
internal: 127.0.0.1 port = 1080

# Outgoing NIC
external: eth0

method: rfc931

user.notprivileged: nobody

client pass {
   from: 127.0.0.1/32 port 1-65535 to: 127.0.0.1/32
   log: connect error
}

client block {
   from: 0.0.0.0/0 to: 0.0.0.0/0
   log: connect error
}

block {
   from: 0.0.0.0/0 to: 127.0.0.0/8
   log: connect error
}

# Access to ADMIN VLANs only
pass {
   from: 127.0.0.1/32 to: 192.168.0.0/16
   protocol: tcp udp
   log: connect error
}

# Block everything else
block {
   from: 0.0.0.0/0 to: 0.0.0.0/0
   log: connect error
}



>
> Regards,
>
>
>> Thanks !
>> Regards,
>> Greg
>>
>> On 06/14/2012 12:21 AM, Karl-Andre' Skevik wrote:
>>> If you can send the output from 'ssh -v' to your netstat script you
>>> can do any required log filtering there. The script can then limit
>>> logging to the information you require to identify users.
>>>
>>> With kind regards,
>>>
>>> Karl-Andre' Skevik
>>> Inferno Nettverk A/S
>>>
>>> "Gregory Charot (EVENIUM)"<gcharot@evenium.com>  writes:
>>>
>>>> Running SSH in verbose mode is not possible in my case as this server
>>>> is also used as an SSH gateway; the amount of log would be way too
>>>> heavy...
>>>>
>>>> I guess I'm kind of stuck here :-(
>>>>
>>>> Thanks for your help!
>>>> Regards,
>>>> Greg
>>>>
>>>> On 13/06/2012 13:27, Karl-Andre' Skevik wrote:
>>>>> Ok, I see. If by destination address you mean the external address
>>>>> that the client wishes to connect to, this value is not available. It
>>>>> also looks like libwrap only allows the client IP address to be given
>>>>> as an argument (not the port number), so unfortunately it looks like
>>>>> this approach will not work.
>>>>>
>>>>> An alternative would be run ssh with -v and pipe the forwarding
>>>>> related log output to a script that runs netstat. The output from ssh
>>>>> appears to include the destination address so this might provide the
>>>>> information required.
>>>>>
>>>>> With kind regards,
>>>>>
>>>>> Karl-Andre' Skevik
>>>>> Inferno Nettverk A/S
>>>>>
>>>>> gcharot@evenium.com writes:
>>>>>
>>>>>> Hello Karl,
>>>>>>
>>>>>> I don't quite understand what you mean. I had a look at the link you
>>>>>> mentioned.
>>>>>>
>>>>>> What I need to get is either the real client IP address (would be too
>>>>>> easy), or at least the client port and destination address so I can run a
>>>>>> script with these two variables as input.
>>>>>>
>>>>>> libwrap: spawn myscript.sh $SOURCE_PORT $DESTINATION_ADDR
>>>>>>
>>>>>> the script can then netstat the source_port, get the process IP and then
>>>>>> ps to find out who owns this process.
>>>>>>
>>>>>> Any other idea ?
>>>>>>
>>>>>> Cheers !
>>>>>> Greg
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Take a look at the example on this page:
>>>>>>>
>>>>>>> http://www.inet.no/dante/doc/latest/config/libwrap.html
>>>>>>>
>>>>>>> Redirection is not possible so it is necessary to run a script that
>>>>>>> handles output itself.
>>>>>>>
>>>>>>> With kind regards,
>>>>>>>
>>>>>>> Karl-Andre' Skevik
>>>>>>> Inferno Nettverk A/S
>>>>>>>
>>>>>>> Gregory Charot<gcharot@evenium.com>  writes:
>>>>>>>
>>>>>>>> Thanks for the suggestion Michael !
>>>>>>>>
>>>>>>>> I did give it a try with no success:
>>>>>>>>
>>>>>>>> pass {
>>>>>>>>      from: 127.0.0.1/32 to: 192.168.0.0/16
>>>>>>>>      protocol: tcp udp
>>>>>>>>      log: connect
>>>>>>>> libwrap: spawn echo "Test - %a - %A -  %c - %p" >> /var/log/dante-netstat.logfile
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> The output is :
>>>>>>>> Test - 127.0.0.1 - 127.0.0.1 -  127.0.0.1 - 24294
>>>>>>>>
>>>>>>>> 24294 is the danted PID. I don't even get the destination IP address
>>>>>>>> (192.168.x.y)
>>>>>>>>
>>>>>>>> I tried various variables combinations from :
>>>>>>>> http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-tcpwrappers.html
>>>>>>>>
>>>>>>>> Greg
>>>>>>>>
>>>>>>>> On 06/13/2012 05:50 AM, Michael Shuldman wrote:
>>>>>>>>> Gregory Charot wrote,
>>>>>>>>>> Hello folks!
>>>>>>>>>>
>>>>>>>>>> Sorry if this question has already been posted, not sure it is
>>>>>>>>>> possible to solve it though....
>>>>>>>>>>
>>>>>>>>>> I'm planning to use dante server in order to proxy connections to my
>>>>>>>>>> private admin network. Danted is installed on a system which we can
>>>>>>>>>> call a bastion (please see conf at the bottom of the post).
>>>>>>>>>>
>>>>>>>>>> Connection to the bastion is made with SSH for
>>>>>>>>>> authentication/security. The connection is then forwarded to the
>>>>>>>>>> local danted server listening on 127.0.0.1:1080.
>>>>>>>>>>
>>>>>>>>>> So on the admin workstation I use:
>>>>>>>>>> $ ssh -L 8080:127.0.0.1:1080 $IP_BASTION
>>>>>>>>>>
>>>>>>>>>> Then I configure my firefox or whatever to use SOCKS5 proxy on
>>>>>>>>>> 127.0.0.1:8080
>>>>>>>>>>
>>>>>>>>>> Up to now, everything works like a charm.
>>>>>>>>>>
>>>>>>>>>> My problem is to track down who is accessing what (in case of
>>>>>>>>>> trouble only). There are indeed logs, but as the connection goes through
>>>>>>>>>> an SSH tunnel, the log looks like:
>>>>>>>>>> Jun 12 19:21:13 (1339521673) danted[26407]: pass(2): tcp/connect [: 127.0.0.1.35680 -> 192.168.10.240.80
>>>>>>>>>>
>>>>>>>>>> From these logs I can't tell who was trying to connect to
>>>>>>>>>> 192.168.10.240
>>>>>>>>>>
>>>>>>>>>> If the SSH tunnel is still up, I can netstat/grep port 35680 and
>>>>>>>>>> find out which process is using this client source port. However,
>>>>>>>>>> as soon as the SSH tunnel is down, I'm completely blind :-(
>>>>>>>>>>
>>>>>>>>>> Is there anybody who knows how I can find out who was doing what
>>>>>>>>>> once the SSH tunnel is down? I don't need an explicit log entry, I
>>>>>>>>>> can grep multiple log files if needed.
>>>>>>>>> If your Dante installation was compiled with libwrap/tcp_wrapper
>>>>>>>>> support (a third-party library available on many platforms), possibly
>>>>>>>>> you could use that to have Dante run a fitting shell command each
>>>>>>>>> time a new client connects?
>>>>>>>>>
>>>>>>>>> E.g., if you change the below rule:
>>>>>>>>>> pass {
>>>>>>>>>>      from: 127.0.0.1/32 to: 192.168.0.0/16
>>>>>>>>>>      protocol: tcp udp
>>>>>>>>>> }
>>>>>>>>> to something like:
>>>>>>>>> pass {
>>>>>>>>>      from: 127.0.0.1/32 to: 192.168.0.0/16
>>>>>>>>>      protocol: tcp udp
>>>>>>>>>      libwrap: spawn netstat -n |grep %a>>dante-netstat.logfile
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> I have not tested the above so perhaps you will need to tweak things
>>>>>>>>> a little, or maybe it will not work at all.  If you get it to work,
>>>>>>>>> perhaps you can contribute an entry to the Dante faq at
>>>>>>>>> "http://www.inet.no/dante/doc/faq.html".
>>>>>>>>>
>>>>>>>>> You can find more information about the libwrap commands involved
>>>>>>>>> in the manpages for e.g., hosts.allow and hosts_options, part of
>>>>>>>>> the libwrap package.
>>>>>>>>>
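The log lines quoted in this thread come in two shapes: the original ones with only a loopback address and port (no way to tell who was behind the tunnel), and the later ones carrying an "rfc931%user@" prefix once "method: rfc931" was in place. What follows is an added example, not code from the thread or from Dante: a parser for both shapes that recovers the username where Dante logged one, plus a check that only believes the ident name when the client socket is on loopback, since an identd answer from a remote host is whatever that host chose to say. The regex is built from the lines quoted above; the sample log is constructed to match them (the 10.0.0.5 entry is invented to show the non-loopback case), and the record field names are my own.

```python
"""Attribute danted connect log lines to users via the rfc931 (ident) prefix.

Added example, not part of the thread or of Dante itself.  The line format is
taken from the entries quoted in the thread; the sample lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the entries quoted in the thread.
# Lines 1-2: ident username present (after "method: rfc931").  Line 3: the
# older format with no username.  Line 4: invented non-loopback client, to
# show why an ident name from a remote host must not be trusted.
SAMPLE_LOG = """\
Jun 15 11:14:06 (1339751646) danted[10894]: pass(2): tcp/connect [: rfc931%greg@127.0.0.1.55690 -> 192.168.10.244.443
Jun 15 11:14:59 (1339751699) danted[10894]: block(3): tcp/connect [: rfc931%greg@127.0.0.1.55708 -> 173.194.41.181.443
Jun 12 19:21:13 (1339521673) danted[26407]: pass(2): tcp/connect [: 127.0.0.1.35680 ->   192.168.10.240.80
Jun 15 12:00:00 (1339754400) danted[10894]: pass(2): tcp/connect [: rfc931%alice@10.0.0.5.40000 -> 192.168.10.1.22
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \((?P<epoch>\d+)\) "
    r"danted\[(?P<pid>\d+)\]: (?P<verdict>pass|block)\((?P<rule>\d+)\): "
    r"(?P<proto>\w+)/(?P<cmd>\w+) \[: "
    r"(?:(?P<method>\w+)%(?P<user>[^@\s]+)@)?"   # optional "rfc931%greg@"
    rf"(?P<src>{IPV4})\.(?P<sport>\d+) ->\s+"
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class ConnRecord:
    epoch: int
    pid: int
    verdict: str            # "pass" or "block"
    rule: int               # number of the rule Dante matched
    proto: str
    cmd: str
    method: Optional[str]   # e.g. "rfc931"; None when no auth method was logged
    user: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[ConnRecord]:
    """Parse one danted connect line; return None for lines of any other shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return ConnRecord(
        epoch=int(g["epoch"]), pid=int(g["pid"]), verdict=g["verdict"],
        rule=int(g["rule"]), proto=g["proto"], cmd=g["cmd"],
        method=g["method"], user=g["user"],
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
    )


def parse_log(text: str) -> List[ConnRecord]:
    """Parse every connect line in a log dump, skipping unrelated lines."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def trusted_user(rec: ConnRecord) -> Optional[str]:
    """Return the ident username only where it is worth believing.

    An identd answer is whatever the queried host chooses to say.  In the
    bastion setup it is evidence only because Dante asks its own identd about
    a loopback socket, the local end of the user's ssh tunnel.  A name
    attached to any other client address is reported as None (unverified).
    """
    if rec.method != "rfc931" or rec.user is None:
        return None
    if not ipaddress.ip_address(rec.src).is_loopback:
        return None
    return rec.user


def access_by_user(records: List[ConnRecord]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (verdict, destination) pairs by attributed user.

    Records without a trustworthy username land under "<unattributed>", which
    is exactly the blind spot the thread started from.
    """
    out: Dict[str, List[Tuple[str, str]]] = {}
    for rec in records:
        key = trusted_user(rec) or "<unattributed>"
        out.setdefault(key, []).append((rec.verdict, f"{rec.dst}:{rec.dport}"))
    return out


if __name__ == "__main__":
    for user, hits in access_by_user(parse_log(SAMPLE_LOG)).items():
        print(user)
        for verdict, dest in hits:
            print(f"  {verdict:5} {dest}")
```

Run it against /var/log/dante.log on the bastion (the logoutput path in the config above) to get a per-user list of reached and blocked destinations. Everything that falls under "<unattributed>" is either traffic logged before "method: rfc931" was enabled or a connection Dante could not get an ident answer for.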


