How to be Notified of each SFTP access to server

martin MHC

Well-Known Member
Sep 14, 2016
317
71
78
UK
cPanel Access Level
Root Administrator
I have found various ways online of using the ConfigServer Firewall to track (by means of an email to server admin) each SSH access to my servers.

I am now looking for ways to improve upon this by being able to get a notification email to the server admin email address stating the IP / approx. location, and time and account for each SFTP cPanel account access (success or failure).


Further Details:
I have a working system for giving email notifications when a pure SSH connection (WinSCP, WHM Terminal, etc.) is established to/on the server; however, when an SFTP (FTP over SSH) access is opened, such as with PhpStorm or FileZilla, etc., this connection does not trigger the notification system. How can I report these sorts of connections by email?


I can't find any options for doing this on the standard WHM / ConfigServer Firewall, and more frustratingly my Internet Search Engine diggings only come up with similarly phrased but completely off-topic results (such as "how do I FTP to my server", etc.).

Many thanks for any clues to create this trackability.

Cheers

Martin

P.S. Success or failure of each SFTP connection is not important; it would be nice to report the status of each attempted connection (i.e. is it a valid login?) but this is secondary to knowing the connection is taking place.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,382
2,106
363
cPanel Access Level
Root Administrator
Hey there! I looked around for a bit as well, but I didn't find anything ready-made for this either. This sounds like a great idea for a feature request, though, and you can get that submitted using the link in my signature.
 

martin MHC

Hi cPRex, I am currently researching writing a shim bash script to carry out this task, and will update if/when I get progress on doing this! Cheers
 

martin MHC

A useful script for emailing these details when an SFTP connection is CLOSED is:

1. Upload the below code (adjusting as required)
2. Update the sshd_config file
3. Restart sshd (using WHM restart is fine)

....

Code:
#!/bin/bash
# Create a temporary log file
LOGFILE=$(/bin/mktemp /tmp/sftplog.XXXXXX)

# Placeholder addresses: replace with the real recipient and sender
MAIL_TO="admin@example.com"
MAIL_FROM="sftp-logger@example.com"

# Redirect stderr to LOGFILE
exec 2>"$LOGFILE"

# Run the SFTP server with logging to stderr (-e), umask 022, VERBOSE log level
/usr/libexec/openssh/sftp-server -e -u 022 -l VERBOSE
# The session has ended; discard stdout so nothing else is written to the SSH channel
exec >/dev/null

# Use some sendmail substitute to send an e-mail
/usr/sbin/sendmail -i "$MAIL_TO" <<EOF
From: $MAIL_FROM
To: $MAIL_TO
Subject: SFTP connection for user $LOGNAME

Hello,
User $LOGNAME just connected to the SFTP server from $SSH_CONNECTION.

Connection Variables:
$(printenv)

Connection log:
$(<"$LOGFILE")
EOF

# Delete the log (variable expansion, not command substitution)
rm -f "$LOGFILE"

NOTE:
The file must have the same permissions set as the
Code:
/usr/libexec/openssh/sftp-server
The file can be placed anywhere, say for example /usr/local/bin/sftp-logger, and then referenced from the /etc/ssh/sshd_config file, for example:

Code:
# override default of no subsystems
#Subsystem    sftp    /usr/libexec/openssh/sftp-server
Subsystem sftp /usr/local/bin/sftp-logger
 
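As an added example (not part of the original thread or of cPanel/OpenSSH), the connection log captured by the wrapper can be condensed into a short summary before it is mailed. The function name `summarize_sftp_log`, the sample log lines and their exact format are assumptions modelled on sftp-server's VERBOSE messages.

```bash
#!/bin/bash
# Added example, not part of the original post.
# Constructed sample of sftp-server -e -l VERBOSE output (line format is an
# assumption; the address is from a documentation range).
SAMPLE_LOG='session opened for local user martin from [203.0.113.7]
opendir "/home/martin/public_html"
open "/home/martin/public_html/index.php" flags READ mode 0666
close "/home/martin/public_html/index.php" bytes read 2048 written 0
open "/home/martin/public_html/new file.php" flags WRITE,CREATE,TRUNCATE mode 0644
close "/home/martin/public_html/new file.php" bytes read 0 written 5120
remove name "/home/martin/public_html/old.php"
session closed for local user martin from [203.0.113.7]'

# Reads an sftp-server log on stdin; prints one summary line, then one line
# per file that was written to or removed during the session.
summarize_sftp_log() {
    awk '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    /session opened for local user / {
        rest = substr($0, index($0, "local user ") + 11)
        split(rest, p, " ")                 # p = user, "from", "[ip]"
        user = p[1]; ip = p[3]
        gsub(/\[|\]/, "", ip)
        next
    }
    / bytes read [0-9]+ written [0-9]+$/ {  # file handle closed
        nread = $(NF - 2); nwritten = $NF
        name = substr($0, index($0, "close \"") + 7)
        sub(/" bytes read [0-9]+ written [0-9]+$/, "", name)
        files++; total_read += nread; total_written += nwritten
        if (nwritten > 0) changed[++n] = "written: " name " (" nwritten " bytes)"
        next
    }
    /remove name "/ {
        name = substr($0, index($0, "remove name \"") + 13)
        sub(/"$/, "", name)
        changed[++n] = "removed: " name
    }
    END {
        if (user == "") { user = "unknown"; ip = "unknown" }
        printf "user=%s ip=%s files=%d bytes_read=%d bytes_written=%d\n",
            user, ip, files, total_read, total_written
        for (i = 1; i <= n; i++) print changed[i]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_sftp_log
```

Inside the wrapper's here-document, `$(summarize_sftp_log <"$LOGFILE")` could stand in for the raw `$(<"$LOGFILE")` dump.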