When someone logs into the Filemanager, we get notified of an SSH login via my PAM script, which notifies me with:
message="SSH login detected on $(hostname) at $(date) by user $(whoami) - $PAM_USER from $(echo $SSH_CONNECTION | awk '{print $1}')"
It looks like the filemanager updated the authorized_users file with a key, and then uses SFTP to connect. The problem is, the IP always comes back as 127.0.0.1 when pinging me.
Are there any logs for the filemanager, which give me more details? Basically I want to see who the IP accessing the Filemanager is, so I can decide if it's malicious or not (and then act on it).
Yeah, but is there a way to see the IP of the person using the panel, to get access to Filemanager? I’ve got the SSH ports locked down. I’m just not sure if someone is maliciously getting into the Filemanager to put stuff in. I just got pinged on one of my servers, and AFAIK nobody should be in there doing anything. I’ve looked for modified files in that user's account, and can only find caching files (for WP’s w3TotalCache), but I just want to put my mind at rest as to who is accessing it.
Annoyingly the customer wants it all enabled so they can upload stuff - but it adds the security risk of someone setting a folder to 777 and then uploading a script to run via the web. This is why I’m trying to be a bit on the ball with it.
Sep 24 10:38:49 earth sshd[599195]: Accepted publickey for vijftigplu from 127.0.0.1 port 48708 ssh2: RSA SHA256:xxxxxx
But not the IP of the person accessing the filemanager?
You don’t need 777 permissions to upload files as we run php under the user permissions…
Yeah I know - I was more saying that if someone used the filemanager to make a new public file (say /wp-content/test.php), and then set the wp-content folder to 777, then had some malicious code in that would execute a script to do something nasty when it's run from the browser.
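An added example, not part of the thread and not the panel's own code: one way to put a remote IP next to the loopback SSH logins discussed above is to match each `Accepted publickey ... from 127.0.0.1` line against web requests to the panel in the seconds before it. It assumes the panel's web server writes a combined-format access log, that the file manager is served under a hypothetical `/fm/` path, and that both logs use the same timezone; all log lines below are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). The sshd lines follow the
# format quoted in the thread; the access-log lines assume a combined-format
# panel log with the file manager under /fm/ (hypothetical path).
SSHD_LOG = """\
Sep 24 10:38:49 earth sshd[1001]: Accepted publickey for exampleuser from 127.0.0.1 port 48708 ssh2: RSA SHA256:xxxxxx
Sep 24 11:02:10 earth sshd[1002]: Accepted publickey for admin from 198.51.100.7 port 51000 ssh2: RSA SHA256:xxxxxx
"""
PANEL_LOG = """\
203.0.113.45 - - [24/Sep/2024:10:38:47 +0000] "GET /fm/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [24/Sep/2024:10:38:48 +0000] "GET /fm/js/app.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Sep/2024:09:15:00 +0000] "GET /list/user/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Accepted \S+ for (\S+) from (127\.0\.0\.1|::1) ")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "\S+ (\S+)')

def correlate(sshd_log, panel_log, year, prefix="/fm/", window=30):
    """For each loopback SSH login, list panel client IPs seen just before it."""
    hits = []
    for line in panel_log.splitlines():
        m = WEB_RE.match(line)
        if m and m.group(3).startswith(prefix):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            hits.append((ts, m.group(1)))
    results = []
    for line in sshd_log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # logins from a real remote address need no correlation
        # syslog timestamps carry no year, so the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ips = sorted({ip for ts, ip in hits
                      if timedelta(0) <= when - ts <= timedelta(seconds=window)})
        results.append((m.group(2), when.isoformat(), ips))
    return results

if __name__ == "__main__":
    for user, when, ips in correlate(SSHD_LOG, PANEL_LOG, 2024):
        print(user, when, ips or "no panel request in window")
```

A loopback login with no panel request inside the window is the case worth a closer look, since nothing in the web log accounts for it.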