How to get IP address of someone logging into the file manager?

Hi,

When someone logs into the Filemanager, we get notified of an SSH login via my PAM script, which notifies me with:

message="SSH login detected on $(hostname) at $(date) by user $(whoami) - $PAM_USER from $(echo $SSH_CONNECTION | awk '{print $1}')"

It looks like the filemanager updated the authorized_users file with a key, and then uses SFTP to connect. The problem is, the IP always comes back as 127.0.0.1 when pinging me.

Are there any logs for the filemanager which give me more details? Basically I want to see what IP is accessing the Filemanager, so I can decide if it's malicious or not (and then act on it).

Thanks

Andy

It is the panel that logs into the server from localhost; the user will never get access via SFTP / SSH.

Hi,

Yeah, but is there a way to see the IP of the person using the panel to get access to the Filemanager? I’ve got the SSH ports locked down. I’m just not sure if someone is maliciously getting into the Filemanager to put stuff in. I just got pinged on one of my servers, and AFAIK nobody should be in there doing anything. I’ve looked for modified files in that user's account, and can only find caching files (for WP’s W3 Total Cache), but I just want to put my mind at rest as to who is accessing it.

Annoyingly the customer wants it all enabled so they can upload stuff - but it adds the security risk of someone setting a folder to 777 and then uploading a script to run via the web. This is why I’m trying to be a bit on the ball with it :slight_smile:

Cheers

Andy

In /var/log/hestia/auth.log you have a list of successful / failed login attempts to the panel.

You don’t need 777 permissions to upload files as we run php under the user permissions…

Thanks. The log file just shows:

Sep 24 10:38:49 earth sshd[599195]: Accepted publickey for vijftigplu from 127.0.0.1 port 48708 ssh2: RSA SHA256:xxxxxx

But not the IP of the person accessing the filemanager?

You don’t need 777 permissions to upload files as we run php under the user permissions…

Yeah I know - I was more saying that if someone used the filemanager to make a new public file (say /wp-content/test.php), and then set the wp-content folder to 777, then had some malicious code in that which would execute a script to do something nasty when it's run from the browser.

I was looking in the config code for the Filemanager - and see we have stuff like this:

    $dist_config["services"]["Filegator\Services\Archiver\ArchiverInterface"] = [
        "handler" => "\Filegator\Services\Archiver\Adapters\HestiaZipArchiver",
        "config" => [],
    ];

In the configuration_sample.php, it has an example with the logger. I tried doing this, but can’t get it working:

    // Logger service definition, wrapped the same way as the archiver entry above
    // (the posted fragment was missing this outer array and its closing bracket).
    $dist_config["services"]["Filegator\Services\Logger\LoggerInterface"] = [
        'handler' => '\Filegator\Services\Logger\Adapters\MonoLogger',
        "config" => [
            'monolog_handlers' => [
                function () {
                    // Write DEBUG and above to private/logs/app.log next to this config file
                    return new \Monolog\Handler\StreamHandler(
                        __DIR__.'/private/logs/app.log',
                        \Monolog\Logger::DEBUG
                    );
                },
            ],
        ],
    ];

I’m not really a PHP person - so maybe I’m doing something dumb!

It logs the SSH connection; it never knows the user's IP…

Probably the easiest method is to tail /var/log/hestia/nginx-access.log or /var/log/hestia/auth.log

Aaahh yeah that did it!

81.174.134.133 - - [24/Sep/2023:10:58:44 +0000] GET /fm/ HTTP/2.0 "200" 727 "https://earth.xxxe.nl:9183/list/web/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" "-"

Thanks :slight_smile: Maybe what I’ll do is a tail:

grep -E 'GET /fm/' /var/log/hestia/nginx-access.log | tail -n 1
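The correlation the replies above describe (the SSH "Accepted publickey ... from 127.0.0.1" line in auth.log is the panel itself, so the real client has to be read from nginx-access.log) written up as an added shell example. This is not code from the thread or from the Hestia project. It assumes the nginx-access.log field layout shown in the post above (client IP first, bracketed timestamp, then method and path unquoted); the sample log lines, IP addresses and the hostname/port in them are constructed for the example.

```shell
#!/bin/sh
# Summarise who reached the Hestia file manager (/fm/ ...) from nginx-access.log,
# optionally restricted to the minute of an SSH "Accepted publickey" line from auth.log.

# Write a constructed sample access log (not real traffic) and print its path.
# Field layout follows the line quoted in the thread: ip - - [time tz] METHOD PATH PROTO "status" ...
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [24/Sep/2023:10:38:12 +0000] GET /list/web/ HTTP/2.0 "200" 5123 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [24/Sep/2023:10:38:40 +0000] GET /fm/ HTTP/2.0 "200" 727 "https://panel.example.invalid:8083/list/web/" "Mozilla/5.0" "-"
203.0.113.10 - - [24/Sep/2023:10:38:44 +0000] POST /fm/?r=/upload HTTP/2.0 "200" 35 "https://panel.example.invalid:8083/fm/" "Mozilla/5.0" "-"
198.51.100.7 - - [24/Sep/2023:11:02:01 +0000] GET /fm/ HTTP/2.0 "200" 727 "-" "curl/8.0" "-"
198.51.100.7 - - [24/Sep/2023:11:02:03 +0000] GET /fmx/ HTTP/2.0 "404" 0 "-" "curl/8.0" "-"
EOF
    printf '%s\n' "$f"
}

# fm_clients LOGFILE [TIME_PREFIX]
# Prints one line per client IP that requested /fm or anything under it:
#   ip  hits  first_seen  last_seen
# TIME_PREFIX, if given, is an nginx-style timestamp prefix such as 24/Sep/2023:10:38,
# so only requests in that minute are counted. Output is sorted by IP.
fm_clients() {
    awk -v want="$2" '
        $7 ~ "^/fm(/|$)" {
            ts = substr($4, 2)                      # drop the leading "["
            if (want != "" && index(ts, want) != 1) next
            if (!($1 in hits)) first[$1] = ts
            hits[$1]++
            last[$1] = ts
        }
        END {
            for (ip in hits)
                printf "%s %d %s %s\n", ip, hits[ip], first[ip], last[ip]
        }
    ' "$1" | sort
}

# auth_to_nginx_prefix MONTH DAY HH:MM:SS YEAR
# Converts the syslog timestamp from an auth.log line ("Sep 24 10:38:49") into the
# nginx minute prefix ("24/Sep/2023:10:38"). syslog omits the year, so pass it in.
auth_to_nginx_prefix() {
    printf '%02d/%s/%s:%s' "$2" "$1" "$4" "${3%:*}"
}

# Stand-alone demo: who was in the file manager during the minute of a (constructed)
# "Sep 24 10:38:49 ... Accepted publickey ... from 127.0.0.1" auth.log entry?
log=$(write_sample_log)
prefix=$(auth_to_nginx_prefix Sep 24 10:38:49 2023)
echo "Clients in /fm/ around $prefix:"
fm_clients "$log" "$prefix"
echo "All /fm/ clients in the log:"
fm_clients "$log"
rm -f "$log"
```

The minute-window match is deliberately coarse: the panel's localhost SSH login is the effect and the browser request to /fm/ is the cause, so they land within seconds of each other, and a one-minute prefix keeps the comparison to a string match without date arithmetic. When a time window shows more than one IP, the full listing (second call) is what to cross-check against the panel login entries in /var/log/hestia/auth.log.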
