Where is my user connecting from - Security


  1. Where is my user connecting from

    Hi all,

    I tried this in c.u.shell, but figured you people might have a brighter
    idea.

    I have a user connecting from some IP address via SSH.

    This user does not have root access.

    This user is connecting in "batch" mode, i.e. submitting a command and
    then disconnecting (apologies if "batch" mode is not the conventional
    term; I welcome education).

    Is there a way that I can determine what that user's IP address is,
    when they connect?

    I thought a combination of "who -m", "sed", "host" and "cut" would
    help, but "who -m" returns nothing in "batch" mode.
    Someone suggested "netstat -ntp", but this doesn't offer a way to tie
    the current SSH connection to a specific IP address.

    Any suggestions?

    Thanks,

    Dan Rumney


  2. Re: Where is my user connecting from

    On 2006-08-20, danrumney@warpmail.net wrote:
    > Hi all,
    >
    > I tried this in c.u.shell, but figured you people might have a brighter
    > idea.
    >
    > I have a user connecting from some IP address via SSH.
    >
    > This user does not have root access.
    >
    > This user is connecting in "batch" mode, i.e. submitting a command and
    > then disconnecting (apologies if "batch" mode is not the conventional
    > term; I welcome education).
    >
    > Is there a way that I can determine what that user's IP address is,
    > when they connect?
    >
    > I thought a combination of "who -m",


    Why are you using -m?

    > "sed", "host" and "cut" would help, but "who -m" returns nothing in
    > "batch" mode.


    who | awk -v user=$USER '
    $1 == user && length($6) { gsub( /[()]/,""); print $6 }'

    --
    Chris F.A. Johnson, author |
    Shell Scripting Recipes: | My code in this post, if any,
    A Problem-Solution Approach | is released under the
    2005, Apress | GNU General Public Licence

  3. Re: Where is my user connecting from

    In article <1156113007.095110.75040@m79g2000cwm.googlegroups.com>,
    wrote:
    :Hi all,
    :
    :I tried this in c.u.shell, but figured you people might have a brighter
    :idea.
    :
    :I have a user connecting from some IP address via SSH.
    :
    :This user does not have root access.
    :
    :This user is connecting in "batch" mode, i.e. submitting a command and
    :then disconnecting (apologies if "batch" mode is not the conventional
    :term; I welcome education).
    :
    :Is there a way that I can determine what that user's IP address is,
    :when they connect?
    :
    :I thought a combination of "who -m", "sed", "host" and "cut" would
    :help, but "who -m" returns nothing in "batch" mode.
    :Someone suggested "netstat -ntp", but this doesn't offer a way to tie
    :the current SSH connection to a specific IP address.

    What Linux distribution are you running? On my Fedora Core systems,
    sshd logs the connecting IP in an entry in /var/log/messages .

    --
    Bob Nichols AT comcast.net I am "RNichols42"

  4. Re: Where is my user connecting from

    On 2006-08-20, Robert Nichols wrote:
    > wrote:
    >:Hi all,
    >:
    >:I tried this in c.u.shell, but figured you people might have a brighter
    >:idea.
    >:
    >:I have a user connecting from some IP address via SSH.
    >:
    >:This user does not have root access.
    >:
    >:This user is connecting in "batch" mode, i.e. submitting a command and
    >:then disconnecting (apologies if "batch" mode is not the conventional
    >:term; I welcome education).
    >:
    >:Is there a way that I can determine what that user's IP address is,
    >:when they connect?
    >:
    >:I thought a combination of "who -m", "sed", "host" and "cut" would
    >:help, but "who -m" returns nothing in "batch" mode.
    >:Someone suggested "netstat -ntp", but this doesn't offer a way to tie
    >:the current SSH connection to a specific IP address.
    >
    > What Linux distribution are you running? On my Fedora Core systems,
    > sshd logs the connecting IP in an entry in /var/log/messages .
    >

    How about using

    last username

    For me on my Ubuntu, it shows the ip address.

    Cheers,
    Chris

  5. Re: Where is my user connecting from

    danrumney@warpmail.net wrote:
    > I have a user connecting from some IP address via SSH.
    >
    > This user does not have root access.
    >
    > This user is connecting in "batch" mode, i.e. submitting a command and
    > then disconnecting (apologies if "batch" mode is not the conventional
    > term; I welcome education).
    >
    > Is there a way that I can determine what that user's IP address is,
    > when they connect?


    Yes, OpenSSH sets various environment vars:

    Try this:

    ssh somehost export |grep SSH

    I think you'll be interested in $SSH_CLIENT and/or $SSH_CONNECTION.

    That way, you have no need for external programs.

    It *may* be that this behaviour has to be configured in sshd,
    it's on by default, I think. Of course, PAM may think it's a
    bright idea to munge it. Then I'd recommend the friendly manual.


    Regards & HTH,
    Tobias

    --
    You don't need eyes to see, you need vision.

  6. Re: Where is my user connecting from

    > Try this:
    >
    > ssh somehost export |grep SSH
    >
    > I think you'll be interested in $SSH_CLIENT and/or $SSH_CONNECTION.
    >


    Thanks Tobias,

    That did the trick. Using who is no good unless you actually get to the
    command line, but these variables appear to be set early on enough that
    they are usable in .bashrc

    Much obliged,

    Dan Rumney
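
Added example, not part of any post in this thread: shell functions that take the client address from `SSH_CONNECTION` (falling back to `SSH_CLIENT`), as suggested in the replies above, validate it, and use `SSH_TTY` to tell a command-only ("batch") session from an interactive one. The function names and the `ssh-peer` log tag are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Variable formats per ssh(1):
#   SSH_CONNECTION="client_ip client_port server_ip server_port"
#   SSH_CLIENT="client_ip client_port server_port"
#   SSH_TTY is set only when a terminal was allocated.

# Print "client_ip client_port" for the current session. Fails (status 1)
# when the session did not arrive over SSH or the value is malformed.
# The ( ... ) body runs in a subshell: variables stay local and `exit`
# only leaves the function.
ssh_peer() (
    conn=${SSH_CONNECTION:-${SSH_CLIENT:-}}
    [ -n "$conn" ] || exit 1
    read -r ip port _rest <<EOF
$conn
EOF
    # Port: 1 to 5 digits, within 1..65535.
    case $port in ''|*[!0-9]*|??????*) exit 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || exit 1
    # Address: IPv4/IPv6 characters only, optionally followed by an IPv6
    # zone id such as "%eth0".
    addr=${ip%%\%*}
    zone=${ip#"$addr"}
    case $addr in ''|*[!0-9A-Fa-f.:]*) exit 1 ;; esac
    case ${zone#\%} in *[!0-9A-Za-z._-]*) exit 1 ;; esac
    printf '%s %s\n' "$ip" "$port"
)

# One-line record for a log; "batch" means no terminal was allocated
# (the `ssh host command` case from the thread).
ssh_session_record() (
    peer=$(ssh_peer) || exit 1
    mode=${SSH_TTY:+interactive}
    printf 'user=%s from=%s port=%s mode=%s\n' \
        "$(id -un)" "${peer% *}" "${peer#* }" "${mode:-batch}"
)

# Usage from ~/.bashrc (hypothetical tag "ssh-peer"). logger writes to
# syslog rather than stdout, so scp and rsync on the account keep working:
#   rec=$(ssh_session_record) && logger -t ssh-peer -- "$rec"
```

These variables live in the session's environment, which the logged-in user can change, so the result is a convenience for scripts; the sshd log entry mentioned earlier in the thread is the record written by the server itself.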


  7. Re: Where is my user connecting from

    In article ,
    Chris wrote:
    :On 2006-08-20, Robert Nichols wrote:
    :> wrote:
    :>:Hi all,
    :>:
    :>:I tried this in c.u.shell, but figured you people might have a brighter
    :>:idea.
    :>:
    :>:I have a user connecting from some IP address via SSH.
    :>:
    :>:This user does not have root access.
    :>:
    :>:This user is connecting in "batch" mode, i.e. submitting a command and
    :>:then disconnecting (apologies if "batch" mode is not the conventional
    :>:term; I welcome education).
    :>:
    :>:Is there a way that I can determine what that user's IP address is,
    :>:when they connect?
    :>:
    :>:I thought a combination of "who -m", "sed", "host" and "cut" would
    :>:help, but "who -m" returns nothing in "batch" mode.
    :>:Someone suggested "netstat -ntp", but this doesn't offer a way to tie
    :>:the current SSH connection to a specific IP address.
    :>
    :> What Linux distribution are you running? On my Fedora Core systems,
    :> sshd logs the connecting IP in an entry in /var/log/messages .
    :>
    :How about using
    :
    :last username
    :
    :For me on my Ubuntu, it shows the ip address.

    I think you'll find that if the user gives a command argument to ssh,
    then there is no login shell and no entry in lastlog. I think that's
    what the OP was describing as "batch mode."

    --
    Bob Nichols AT comcast.net I am "RNichols42"

  8. Re: Where is my user connecting from

    On 20 Aug 2006 15:30:07 -0700, danrumney@warpmail.net wrote:
    >
    > I have a user connecting from some IP address via SSH.
    > This user does not have root access.
    >
    > This user is connecting in "batch" mode, i.e. submitting a command and
    > then disconnecting (apologies if "batch" mode is not the conventional
    > term; I welcome education).
    >
    > Is there a way that I can determine what that user's IP address is,
    > when they connect?


    Is it _you_ the SysAdmin that needs to know? Or, is it the user that
    would like to know?

    For the user:

    $ nslookup `who -m | sed -e 's/^.*(//' -e 's/)//'` | grep -i Name

    works on FreeBSD. I should think this could be re-hacked to supply
    the user's ip to/for the SysAdmin.

    Jonesy
    --
    Marvin L Jones | jonz | W3DHJ | linux
    38.24N 104.55W | @ config.com | Jonesy | OS/2

  9. Re: Where is my user connecting from

    On 25 Aug 2006, in the Usenet newsgroup comp.os.linux.security, in article
    , Allodoxaphobia wrote:

    >On 20 Aug 2006 15:30:07 -0700, danrumney@warpmail.net wrote:


    >> I have a user connecting from some IP address via SSH.
    >> This user does not have root access.


    >> Is there a way that I can determine what that user's IP address is,
    >> when they connect?


    >Is it _you_ the SysAdmin that needs to know? Or, is it the user that
    >would like to know?


    Not very clear - agreed

    >For the user:


    s/the user/the _remote_ user/

    > $ nslookup `who -m | sed -e 's/^.*(//' -e 's/)//'` | grep -i Name
    >
    > works on FreeBSD. I should think this could be re-hacked to supply
    >the user's ip to/for the SysAdmin.


    Assumption 1: 'nslookup' (part of bind or bind-utils) is installed
    Assumption 2: The "remote" host is identifiable by DNS
    Assumption 3: The local "login" made an entry in /etc/utmp

    'nslookup' is not always installed, and ignores /etc/hosts files and NIS.
    Not all connection processes are going to put an entry in /etc/utmp.

    Otherwise, yes, the command should work on any Linux. Possibly more
    universal would simply be 'netstat -tan' which can be run on the client
    or server, but assumes you know what port on the server you are using,
    and if there are multiple clients, 'netstat' on the server will return
    multiple answers.

    Old guy
