Kartazion

Linux - Which files execute the first instructions when calling the sftp or ssh service on port 22?

Since I am not on any computer forum, I am trying to present my problem here. I want to create and manage a specific log file (we already have /var/log, which does this), but I want to intercept the bits/words of these instructions.

What are the files and the directory that start the execution of the first instruction when we call ssh or sftp? I know that there are the sftp or ssh daemons that listen, and the /bin/ssh or /bin/sftp scripts that start the service.

I thought it was just the files in the /bin directory that were started when calling the service. This would therefore amount to recompiling the /bin files.

There may also be the solution of the PID process.

Thanks.


Have you looked into Wireshark? It's a network packet analysis program that lets you see all the bits moving in or out of your computer, or make a log of activity on a specific port.


Normally I use tcpdump in the shell, which is like Wireshark without the graphics. But these programs list the listening and give the IP as well as its destination port. But maybe you want me to understand that in the packets there would be the call of the file or the service on the server? Good idea.

I'm going to try on 127.0.0.1

9 minutes ago, Kartazion said:

Normally I use tcpdump in the shell, which is like Wireshark without the graphics. But these programs list the listening and give the IP as well as its destination port. But maybe you want me to understand that in the packets there would be the call of the file or the service on the server? Good idea.

I don't have Wireshark running on this machine, but I don't think it will show the files that are activated, only the service. I think you can get the files from top or ps (ps -au maybe).

18 minutes ago, moth said:

I don't have Wireshark running on this machine, but I don't think it will show the files that are activated, only the service. I think you can get the files from top or ps (ps -au maybe).

A little later in the day I'll try, just to see: tcpdump -i lo

But I think the solution comes from an sshd-type daemon: https://en.wikipedia.org/wiki/Daemon_(computing)

Therefore I know its PID

But not its pidfile in /var/run


Your question is ambiguous. I am wondering whether you're talking about instructions of the TCP protocol, or instructions like command-line ones, or what else?


If you want to learn PID you can try:

Dump all active processes to a text file before running something,

dump it again after running something,

compare the differences between the text files,

and you will know which processes were created by "something".


You can make a script. Dump, compare, display differences, wait 0.1-1s, repeat.
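The dump-compare-wait-repeat loop described above, written out as an added example (not code from this thread): it parses `ps -eo pid=,ppid=,comm=` output, reports processes that appeared since the previous snapshot, and singles out the per-connection sshd child and the sftp-server subsystem. The command names in INTERESTING are assumed from stock OpenSSH and may differ on your build.

```python
import subprocess
import time

# Headerless ps output: pid, parent pid, command name (procps/BSD ps syntax).
PS_ARGS = ["ps", "-eo", "pid=,ppid=,comm="]

# Assumed command names of what sshd spawns per session: the per-connection
# sshd child (newer releases name it sshd-session) and the sftp subsystem.
INTERESTING = ("sshd", "sshd-session", "sftp-server")


def parse_ps(text):
    """Turn `ps -eo pid=,ppid=,comm=` text into {pid: (ppid, comm)}."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def new_processes(before, after):
    """Entries of `after` missing from `before`. Compared on pid *and* (ppid, comm)
    so a recycled pid now running a different command is still reported."""
    return {pid: info for pid, info in after.items() if before.get(pid) != info}


def connection_children(before, after):
    """Subset of new_processes whose command name belongs to an SSH/SFTP session."""
    return {pid: info for pid, info in new_processes(before, after).items()
            if info[1] in INTERESTING}


def snapshot():
    out = subprocess.run(PS_ARGS, capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def watch(interval=0.5):
    """Dump, compare, print the differences, wait, repeat."""
    prev = snapshot()
    while True:
        time.sleep(interval)
        cur = snapshot()
        for pid, (ppid, comm) in connection_children(prev, cur).items():
            print(f"new {comm} pid={pid} ppid={ppid}")
        prev = cur


if __name__ == "__main__":
    watch()
```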

23 minutes ago, Sensei said:

Your question is ambiguous. I am wondering whether you're talking about instructions of the TCP protocol, or instructions like command-line ones, or what else?

Command-line instructions. moth got the idea of TCP packets.

30 minutes ago, Sensei said:

If you want to learn PID you can try:

Dump all active processes to a text file before running something,

dump it again after running something,

compare the differences between the text files,

and you will know which processes were created by "something".


You can make a script. Dump, compare, display differences, wait 0.1-1s, repeat.

I think I'll have to dissect init

init(en)

/etc/init.d/

or

/etc/rc.d/rc.local


I think the solution is in the /usr/sbin/sshd file. https://linux.die.net/man/8/sshd

So I retrieved its source with:

wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

and decompressed it with:

tar -xzf openssh-8.0p1.tar.gz

Now I am trying to see where I can insert my code before compilation, with ./configure -h
There are several interesting files related to the daemon. If you have any idea which one...

The purpose of this manipulation is to be able to create a log list of the connections listened for, on a dot matrix printer.
IOW for each connection attempt, my printer lists the client's information into /dev/tcp/192.168.x.x
As said above we already have this information in /var/log. 
On 10/11/2020 at 9:38 PM, Kartazion said:

As said above we already have this information in /var/log. 

If it is already in this file, why not use e.g. grep on it to extract it? Or make a Perl, Python or bash script to parse it.

9 hours ago, steven111 said:

Did you get the answer you actually wanted?

No. I haven't had time yet. That's why I was asking, in case somebody has an answer.

8 hours ago, Sensei said:

If it is already in this file, why not use e.g. grep on it to extract it? Or make a Perl, Python or bash script to parse it.

Excellent solution! But this is the same as periodically listing the log file when bytes are added.

The goal is to be able to intercept the kernel request at time t in order to be able to immediately inform about the connection. 
40 minutes ago, Kartazion said:

Excellent solution! But this is the same as periodically listing the log file when bytes are added.

The goal is to be able to intercept the kernel request at time t in order to be able to immediately inform about the connection. 

If you have a script checking the log file *) every second, you will have just a one-second delay between the connection and the information reaching the user. The user won't even be able to read the information in such a short time. So tell me why such a delay is a problem?

*) or use tail -f with grep. Any update to the file will be printed to the console.

https://shapeshed.com/unix-tail/#how-to-watch-a-file-for-changes

https://www.networkworld.com/article/3529891/watching-activity-on-linux-with-watch-and-tail-commands.html


You could also try a TCP proxy. The original app should connect to your proxy, and the proxy makes the real connection. Then you can even make it interactive, with user consent or rejection of the connection.

Edited by Sensei
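The "tail -f with grep" idea from this post, combined with the earlier suggestion to parse the log with a Python script, as an added example that is not from the thread: it recognises the Accepted/Failed lines stock OpenSSH sshd writes to the auth log and can follow the file live. The sample lines are constructed, and the log path is an assumption about your distribution.

```python
import re
import sys
import time

# Login-outcome lines written by OpenSSH sshd (assumed stock message format).
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

# Constructed sample lines in auth.log syntax, used when no file is given.
SAMPLE = [
    "Oct 11 21:38:01 srv sshd[1234]: Accepted publickey for alice from 192.168.1.20 port 51234 ssh2: RSA SHA256:PLACEHOLDER",
    "Oct 11 21:38:05 srv sshd[1240]: Failed password for invalid user admin from 192.168.1.77 port 40222 ssh2",
    "Oct 11 21:38:09 srv sshd[1240]: Connection closed by invalid user admin 192.168.1.77 port 40222 [preauth]",
]

def parse_sshd_line(line):
    """Return a dict describing one login attempt, or None for any other line."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {"pid": int(m.group("pid")), "accepted": m.group("result") == "Accepted",
            "method": m.group("method"), "user": m.group("user"), "ip": m.group("ip"),
            "invalid_user": m.group("invalid") is not None, "port": int(m.group("port"))}

def scan(lines):
    """Yield parsed login attempts from an iterable of log lines (works on a live tail too)."""
    for line in lines:
        ev = parse_sshd_line(line)
        if ev:
            yield ev

def follow(path, interval=0.2):
    """Yield lines appended to `path` from now on, like `tail -f`."""
    with open(path, errors="replace") as f:
        f.seek(0, 2)  # skip history: the post only cares about new connections
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)

if __name__ == "__main__":
    # Assumed log path: Debian/Ubuntu write to /var/log/auth.log, RHEL-family to /var/log/secure.
    source = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for ev in scan(source):
        state = "ACCEPTED" if ev["accepted"] else "FAILED"
        who = ("invalid user " if ev["invalid_user"] else "") + ev["user"]
        print(f"{state} {ev['method']} for {who} from {ev['ip']}:{ev['port']} (sshd pid {ev['pid']})")
```

Run it with the auth log path as the first argument to watch live; without an argument it walks the constructed sample.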

6 hours ago, Sensei said:

So tell me why such delay is a problem?

You are right. But I want to be able to approve the connection before it is established. For that I wish to work in C/C++ and eventually in sh/bash.

6 hours ago, Sensei said:

Great solution. Thank you.

6 hours ago, Sensei said:

You could also try a TCP proxy. The original app should connect to your proxy, and the proxy makes the real connection. Then you can even make it interactive, with user consent or rejection of the connection.

What do you mean by a TCP proxy?

AFAIK the proxy server does not generate an ssh certificate, unless of course you specifically install openssl on it.
But the proxy server is often an integral part of the firewall, and the service is useful from LAN to WAN.
My connections are on the LAN and without a proxy service, because I use the ssh port 22 and not the https port 443.
But on the other hand you are right, because my ssh connection crosses the WAN and the web, through I do not know how many servers, to reach my destination.
But all this is possible thanks to a VPN which creates a tunnel from LAN to LAN.

To check.

6 minutes ago, Kartazion said:

You are right. But I want to be able to approve the connection before it is established.

That's the job of a personal firewall.

When I was using WinXP, in the past, I used Sygate Personal Firewall. Unfortunately it does not work with any new Windows.

When making a connection from an unknown app to the Internet, it asked and blocked the connection, showing a user dialog with the question whether to make such a connection, with all the details about it: IP, port, protocol, packet details, etc.

Packets could be logged, diagnosed, analyzed, etc.

2 minutes ago, Sensei said:

That's the job of a personal firewall.

When I was using WinXP, in the past, I used Sygate Personal Firewall. Unfortunately it does not work with any new Windows.

Yes. Now everyone uses pfSense.

This is why the manufacturers all make pfSense mini PCs.

4 hours ago, Kartazion said:

Yes. Now everyone uses pfSense.

This is why the manufacturers all make pfSense mini PCs.

Configuration through web browser? Seriously?

3 hours ago, Sensei said:

Configuration through web browser? Seriously?

It's because you told me about Sygate on Windows.
