Find out Destination IP of SSH Connection


DanTheMan

Jan 17, 2022, 8:35:25 AM
to Wazuh mailing list
Hello,

some of our clients have 2 NICs and I would like to know to which NIC the user tried to connect via SSH.

Is there any file in Linux which provides this information (eth0/eth1, x.x.x.a/x.x.x.b)?

Br Dan

Jonathan Martín Valera

Jan 17, 2022, 10:23:55 AM
to Wazuh mailing list

Hi,

The kernel decides which TCP interface the packets should go through. In the case of SSH, it asks the kernel to open a connection to a certain IP address, and the kernel decides which interface is to be used by consulting the routing tables.

Note: The following assumes you’re on GNU/Linux although the general concept is the same for all Unices.

You can display the kernel routing tables with the commands route -n and/or ip route show.

For example, imagine that I have the following route table:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlx0013eff61275
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-96df6de3f532
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-b14b3a1cfb00
172.31.0.0      10.10.0.1       255.255.0.0     UG    0      0        0 tun0
  • If I try to SSH to IP 172.31.50.20, then the NIC tun0 would be used.
  • If I try to SSH to IP 172.17.15.10 then the NIC docker0 would be used.

I hope this information is helpful to you.

DanTheMan

Jan 18, 2022, 2:10:51 AM
to Wazuh mailing list
Hi,

thank you very much for the fast answer.
I think it goes in the right direction. The idea behind my question is that I want to add a rule that is triggered if someone tries to connect, or is connected, to a certain NIC/IP on one of these clients.

I'll try to figure out a way to monitor this. If you already know a method for this problem, I'd be very thankful if you can share it.

Br

Jonathan Martín Valera

Jan 18, 2022, 6:23:59 AM
to Wazuh mailing list

Hi,

Do you want to monitor if the host is accessed by SSH (incoming), or if the host accesses another host by SSH (outgoing)?

Note: In both cases below, I am using OpenSSH client and server.

In case of incoming

You can try to monitor the file where the authentications are logged. The path to this file may change depending on the type of system and/or distribution. For example, in Ubuntu it is located in /var/log/auth.log, in Amazon Linux in /var/log/secure.

You will have to look for logs like the following:

Jan 18 11:56:36 hostname sshd[19245]: Accepted publickey for user_name from x.x.x.x port xxxxx ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Note: You will probably have to apply some generic regex for your use cases.

From this log, you can create the corresponding rule and generate alerts for the cases you want.

In case of outgoing

By default, when an SSH connection is established, the connection information goes to stderr. It is possible to tell it to log into the system logging file by adding these two flags -v -y. (reference https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting). For example:

ssh -v -y -i <key> user...@x.x.x.x
cat /var/log/syslog

...
Jan 18 12:09:18 hostname ssh[19983]: debug1: Authenticating to x.x.x.x:22 as 'user_name'

After that, you can monitor the /var/log/syslog file and look for that regex.

As I said, this depends on the -v -y flags and will probably be annoying to use or forgotten. So you can define a permanent alias like the following:

alias ssh="ssh -v -y"

As you can see, for both cases the NIC being used is not indicated anywhere, only the IP and port. As I said, this is taken care of by the kernel itself, and I guess it depends on the type of SSH client or server you use; maybe there are some that log the NIC and others do not, but it seems that OpenSSH does not do it (or I have not seen how).

I hope this information is helpful :)

DanTheMan

Jan 19, 2022, 3:29:32 AM
to Wazuh mailing list
Hi Jonathan,

Thank you!

I'm interested in incoming SSH connections. I have already considered monitoring the secure log, but it doesn't tell me to which NIC the connection went.

Maybe I can specify my question a little bit more:

I have eth0, which is used for web services like 172.16.1.1:80, and I have eth1, which is used for admin SSH connections like 10.1.1.1:22.
If anybody tries to connect to 172.16.1.1:22, it should trigger an alarm, because the admins only connect via 10.1.1.1:22.

Br Dan

Jonathan Martín Valera

Jan 19, 2022, 8:44:11 AM
to Wazuh mailing list

Hi,

For the case you propose, instead of using the NIC, you can do a search using the IP and mask to which the NIC corresponds. It would be something like the following: Monitor all SSH accesses received, and in case you receive any with 172.16.1.1/24, then generate the alert.

For example, imagine that I have the following event that I have monitored:

Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5  user=username

(By default it would generate an alert for SSH login failure (rule 5503), but in this case, we are going to add a new condition to generate a different alert)

I add the following rule to /var/ossec/etc/rules/local_rules.xml:

<rule id="100200" level="7">
    <if_sid>5503</if_sid>
    <srcip>172.16.1.1/24</srcip>
    <description>Unauthorized SSH</description>
</rule>

When I receive the event:

Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5  user=username

The following alert occurs (output from the /var/ossec/bin/wazuh-logtest tool):

**Phase 1: Completed pre-decoding.
        full event: 'Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5  user=username'
        timestamp: 'Jan 19 13:29:06'
        hostname: 'hostname'
        program_name: 'sshd'

**Phase 2: Completed decoding.
        name: 'pam'
        dstuser: 'username'
        euid: '0'
        srcip: '10.10.1.5'
        tty: 'ssh'
        uid: '0'

**Phase 3: Completed filtering (rules).
        id: '5503'
        level: '5'
        description: 'PAM: User login failed.'
        groups: '['pam', 'syslog', 'authentication_failed']'
        firedtimes: '1'
        gdpr: '['IV_35.7.d', 'IV_32.2']'
        gpg13: '['7.8']'
        hipaa: '['164.312.b']'
        mail: 'False'
        nist_800_53: '['AU.14', 'AC.7']'
        pci_dss: '['10.2.4', '10.2.5']'
        tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

However, if I receive the following event (the IP corresponding to the other NIC has changed):

Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5  user=username

No such alert would be generated.

Note: This is an example for a failed password SSH login attempt. In case you would also like to generate alerts for successful accesses… more rules would have to be created.

I think this fits your needs. Try it and let us know.
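As an added example that is not part of this thread or of Wazuh, the following Python reproduces the rule's srcip check outside the manager: it parses the two sshd line formats quoted above (the pam_unix authentication failure, and the "Accepted publickey" success that the last note says would need further rules) and reports every event whose peer address falls in 172.16.1.1/24. The log lines are constructed samples modelled on the ones in the thread; the regexes and function names are mine.

```python
import ipaddress
import re

# Constructed sample sshd lines in the two formats quoted in the thread
# (pam_unix authentication failures and "Accepted ..." successful logins).
SAMPLE_LOG = """\
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5  user=username
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5  user=username
Jan 18 11:56:36 hostname sshd[19245]: Accepted publickey for user_name from 172.16.1.9 port 50122 ssh2: RSA SHA256:constructedfingerprint
Jan 18 11:57:01 hostname sshd[19250]: Accepted password for admin from 10.1.1.20 port 50123 ssh2
"""

# Same value as the <srcip> element of the rule above.
WATCHED_NET = "172.16.1.1/24"

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
PAM_FAIL_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*?rhost=(?P<ip>\S+)\s+user=(?P<user>\S+)"
)

def parse_sshd_line(line):
    """Return (outcome, user, peer_ip) for a recognised sshd line, else None."""
    m = ACCEPTED_RE.search(line)
    if m:
        return "accepted", m.group("user"), m.group("ip")
    m = PAM_FAIL_RE.search(line)
    if m:
        return "failed", m.group("user"), m.group("ip")
    return None

def unauthorized_ssh(log_text, net=WATCHED_NET):
    """Return every (outcome, user, ip) whose peer address lies inside `net`,
    whether the login succeeded or failed."""
    # strict=False accepts a host address with a prefix (172.16.1.1/24),
    # which is how the rule above writes it; the strict default would reject it.
    network = ipaddress.ip_network(net, strict=False)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_sshd_line(line)
        if parsed is None:
            continue
        outcome, user, ip = parsed
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # rhost may be a hostname rather than an address
            continue
        if addr in network:
            hits.append((outcome, user, ip))
    return hits
```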
