Linux Bash Script – Detect and Notify New SFTP Connections


I am looking for help with a Linux server (CentOS) guide or script that can be used to send an email to a server account when a new SFTP connection is detected. For example, giving the connection name and the requesting IP address, as well as the connection authentication type (if possible) (such as SSH Key or a Password, etc.).

I have next to no experience with Bash scripts; however, I have successfully made exactly this, which detects SSH connections. However, I can't find out where to go to extend this to also notify the email address of SFTP connections to the server.

Many thanks for any help on this.

I do realise this is a pretty crappy question and I apologise, but search engine results are giving me lots of false results such as "how do I SFTP to my server?!" etc., which are clearly inappropriate.


Update 1

So /var/log/secure collects the SFTP connection information. I would like to be able to grab that information somehow and throw it out in a basic email.

My current working SSH detector does this in .bashrc:

echo -e 'ALERT - SSH access detected:' `date` `ls -l \`tty\` | awk '{print $3}'` '\n\nConnection Details: ' `w -h` '\n\nList of WHO: ' `who --login` | mail -s "Alert: Server Access Email Subject"

This is called/triggered by CSF (ConfigServerFirewall).

I would like somehow to combine the two above so that when an info line is added to /var/log/secure, such as with:

Subsystem       sftp    /usr/libexec/openssh/sftp-server -l INFO

Then it will also be able to detect the line that starts:

Accepted publickey for ….

That this line can then be thrown in an email out to the email address….

Update 2:

I may need to write my own Bash shim ….

Update 3:

Thanks to Piotr, my code for my shim is now:

#!/bin/bash
# Create a temporary log file
LOGFILE=$(/bin/mktemp /tmp/sftplog.XXXXXX)
# Redirect stderr to LOGFILE
exec 2>"$LOGFILE"

# Run the SFTP with logging to stderr
/usr/libexec/openssh/sftp-server -e -u 022 -l VERBOSE

# Use some sendmail substitute to send an e-mail
/usr/sbin/sendmail -i root@localhost <<EOF
Subject: SFTP connection for user $LOGNAME

User $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.

Connection log:

$(cat "$LOGFILE")
EOF

# Alternative using mail(1) instead of sendmail:
# echo -e "Hello,\nUser $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.\n\nConnection log:\n$(<"$LOGFILE")" | mail -s "SFTP connection for user $LOGNAME"

# Delete the log
rm -f "$LOGFILE"

I have run the sendmail instruction from the command line and this works correctly; however, new SFTP connections are resulting in "EOF while reading packet".

Update 4

Reducing the script to:

#!/bin/bash
# Create a temporary log file

# Run the SFTP with logging to stderr
/usr/libexec/openssh/sftp-server -e -u 022 -l INFO
exec >/dev/null

Still returns the "EOF while reading packet" issue when connecting.

Update 5:

Setting the file permissions to be identical to the permissions of the original subsystem file (/usr/libexec/openssh/sftp-server) resolves the issue and the script runs correctly.

Best Answer

The nice thing about ssh subsystems is that you can replace the default implementation (internal-sftp, as Martin remarked) with another implementation, e.g. a wrapper script around /usr/lib/openssh/sftp-server.

A small example: create a file /usr/local/bin/sftp-logger with content:

#!/bin/sh
# This file must be executable: sshd runs it in place of sftp-server.

# Create a temporary log file
LOGFILE=$(/bin/mktemp /tmp/sftplog.XXXXXX)
# Redirect stderr to LOGFILE
exec 2>"$LOGFILE"

# Run the SFTP with logging to stderr
/usr/lib/openssh/sftp-server -e -l INFO

# In case of chatty sendmail
exec >/dev/null

# Use some sendmail substitute to send an e-mail
/usr/sbin/sendmail -i root@localhost <<EOF
From: sshd@localhost
To: root@localhost
Subject: SFTP connection for user $LOGNAME

User $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.

Connection log:

$(cat "$LOGFILE")
EOF

# Delete the log
rm -f "$LOGFILE"

Then you just have to replace the default SFTP server with your script in /etc/ssh/sshd_config:

Subsystem sftp /usr/local/bin/sftp-logger
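The wrapper above knows the user and client address from $LOGNAME and $SSH_CONNECTION, but not how the session authenticated. As an added example (not code from the question or from Piotr's answer), the "Accepted ..." lines the question mentions can be joined to $SSH_CONNECTION on client IP and source port to recover the method; the log lines below are constructed, not a real /var/log/secure.

```bash
#!/bin/bash
# Added example, not part of the original post or answer.
# sshd logs each login as "Accepted <method> for <user> from <ip> port <port> ssh2 ..."
# and exports SSH_CONNECTION as "client_ip client_port server_ip server_port"
# to the subsystem, so the two can be matched on client IP and source port.

# Constructed sample of /var/log/secure (not a real log).
SAMPLE_LOG='Mar  3 10:14:02 host sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:AAAAexampleFingerprint
Mar  3 10:14:02 host sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:14:03 host sshd[2205]: subsystem request for sftp by user alice
Mar  3 10:15:40 host sshd[2310]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:01 host sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2'

# auth_method SSH_CONNECTION_VALUE  < sshd-log
# Prints "<method> <user>[ <key type> <fingerprint>]" from the most recent
# Accepted line whose client IP and source port match SSH_CONNECTION, or
# "unknown" when no such line exists (for example, only failures were logged).
auth_method() {
  local conn="$1" ip rest port
  ip=${conn%% *}            # first field of SSH_CONNECTION: client IP
  rest=${conn#* }
  port=${rest%% *}          # second field: client source port
  awk -v ip="$ip" -v port="$port" '
    {
      # Locate the "Accepted" token so any timestamp width works.
      for (i = 1; i <= NF; i++) if ($i == "Accepted") break
      # Layout after it: <method> for <user> from <ip> port <port> ssh2[: <key type> <fingerprint>]
      if (i > NF || $(i+5) != ip || $(i+7) != port) next
      out = $(i+1) " " $(i+3)
      for (j = i+9; j <= NF; j++) out = out " " $j   # key details, when logged
    }
    END { print (out != "" ? out : "unknown") }'
}

# Stand-alone demonstration against the constructed log. In a real deployment
# the call would be: auth_method "$SSH_CONNECTION" < /var/log/secure
for conn in "192.0.2.10 51234 203.0.113.5 22" \
            "198.51.100.7 40022 203.0.113.5 22" \
            "203.0.113.9 2222 203.0.113.5 22"; do
  echo "$conn -> $(printf '%s\n' "$SAMPLE_LOG" | auth_method "$conn")"
done
```

The wrapper itself runs as the connecting user, who normally cannot read /var/log/secure, so in practice this lookup belongs in a root-run log watcher that sends the mail, not in the wrapper.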