Hi,
The kernel decides which TCP interface the packets should go through. In the case of SSH, it asks the kernel to open a connection to a certain IP address, and the kernel decides which interface is to be used by consulting the routing tables.
Note: The following assumes you’re on GNU/Linux although the general concept is the same for all Unices.
You can display the kernel routing tables with the commands route -n and/or ip route show.
For example, imagine that I have the following route table:
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 600 0 0 wlx0013eff61275
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-96df6de3f532
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b14b3a1cfb00
172.31.0.0 10.10.0.1 255.255.0.0 UG 0 0 0 tun0
If the destination is 172.31.50.20, then the NIC tun0 would be used. If the destination is 172.17.15.10, then the NIC docker0 would be used.
I hope this information is helpful to you.
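The route lookup the first reply describes, written out in Python as an added illustration (not code from the poster or from any project mentioned in the thread): the routing table is the `route -n` output quoted above, parsed as text, and `select_route` applies the kernel's longest-prefix-match rule (most specific network wins, lower metric breaks ties) to decide which interface a connection to a given destination would leave through.

```python
"""Longest-prefix-match route selection, mirroring what the kernel does
when ssh asks it to open a connection to a destination IP.

Added illustration for this thread, not part of the original post. The
routing table is the `route -n` output quoted above, fed in as text.
"""
import ipaddress

# Constructed sample: the `route -n` output from the post, verbatim.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlx0013eff61275
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-96df6de3f532
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-b14b3a1cfb00
172.31.0.0      10.10.0.1       255.255.0.0     UG    0      0        0 tun0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of (network, gateway, metric, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner and the column header; data rows start with a dotted quad.
        if len(fields) != 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, _flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network((dest, genmask))
        gw = None if gateway == "0.0.0.0" else ipaddress.IPv4Address(gateway)
        routes.append((network, gw, int(metric), iface))
    return routes


def select_route(routes, destination):
    """Pick the most specific matching route: longest prefix wins, and a
    lower metric breaks ties. Returns (iface, gateway) or None if nothing fits."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[3], best[1]


def egress_interface(route_text, destination):
    """Which NIC carries traffic to `destination`, given `route -n` text?"""
    chosen = select_route(parse_route_n(route_text), destination)
    return None if chosen is None else chosen[0]


if __name__ == "__main__":
    for dst in ("172.31.50.20", "172.17.15.10", "8.8.8.8"):
        print(dst, "->", egress_interface(ROUTE_N_OUTPUT, dst))
```

The default route (0.0.0.0/0) matches every destination, so it only wins when no more specific network does; that is why 8.8.8.8 leaves through the wireless NIC while the two addresses from the reply land on tun0 and docker0.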
Hi,
Do you want to monitor if the host is accessed by SSH (incoming), or if the host accesses another host by SSH (outgoing)?
Note: In both cases below, I am using OpenSSH client and server.
In case of incoming
You can try to monitor the file where the authentications are logged. The path to this file may change depending on the type of system and/or distribution. For example, in Ubuntu it is located in /var/log/auth.log, in Amazon Linux /var/log/secure…
You will have to look for logs like the following:
Jan 18 11:56:36 hostname sshd[19245]: Accepted publickey for user_name from x.x.x.x port xxxxx ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Note: You will probably have to apply some generic regex for your use cases.
From this log, you can create the corresponding rule and generate alerts for the cases you want.
In case of outgoing
By default, when an SSH connection is established, the connection information goes to stderr. It is possible to tell it to log into the system logging file by adding these two flags -v -y (reference https://en.wikibooks.org/wiki/OpenSSH/Logging_and_Troubleshooting). For example:
ssh -v -y -i <key> user...@x.x.x.x
cat /var/log/syslog
...
Jan 18 12:09:18 hostname ssh[19983]: debug1: Authenticating to x.x.x.x:22 as 'user_name'
After that, you can monitor the /var/log/syslog file and look for that regex.
As I said, this depends on the -v -y flags and will probably be annoying to use or forgotten. So you can define a permanent alias like the following:
alias ssh="ssh -v -y"
As you can see, for both cases the NIC being used is not indicated anywhere, only the IP and port. As I said, this is taken care of by the kernel itself, and I guess it depends on the type of SSH client or server you use, maybe there are some that log the NIC and others do not, but it seems that OpenSSH does not do it (or I have not seen how).
I hope this information is helpful :)
Hi,
For the case you propose, instead of using the NIC, you can do a search using the IP and mask to which the NIC corresponds. It would be something like the following: monitor all SSH accesses received, and in case you receive any with 172.16.1.1/24, then generate the alert.
For example, imagine that I have the following event that I have monitored:
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5 user=username
(By default it would generate an alert for SSH login failure (rule 5503), but in this case, we are going to add a new condition to generate a different alert.)
I add the following rule to /var/ossec/etc/rules/local_rules.xml
<rule id="100200" level="7">
  <if_sid>5503</if_sid>
  <srcip>172.16.1.1/24</srcip>
  <description>Unauthorized SSH</description>
</rule>
When I receive the event:
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5 user=username
The following alert occurs (output from the /var/ossec/bin/wazuh-logtest tool):
**Phase 1: Completed pre-decoding.
full event: 'Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5 user=username'
timestamp: 'Jan 19 13:29:06'
hostname: 'hostname'
program_name: 'sshd'
**Phase 2: Completed decoding.
name: 'pam'
dstuser: 'username'
euid: '0'
srcip: '10.10.1.5'
tty: 'ssh'
uid: '0'
**Phase 3: Completed filtering (rules).
id: '5503'
level: '5'
description: 'PAM: User login failed.'
groups: '['pam', 'syslog', 'authentication_failed']'
firedtimes: '1'
gdpr: '['IV_35.7.d', 'IV_32.2']'
gpg13: '['7.8']'
hipaa: '['164.312.b']'
mail: 'False'
nist_800_53: '['AU.14', 'AC.7']'
pci_dss: '['10.2.4', '10.2.5']'
tsc: '['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.
However, if I receive the following event (the IP corresponding to the other NIC has changed):
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5 user=username
No such alert would be generated.
Note: This is an example for a failed password SSH login attempt. In case you would also like to generate alerts for successful accesses… more rules would have to be created.
I think this fits your needs. Try it and let us know.
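The second reply suggests applying a regex to the sshd log lines, and the third reply replaces the missing NIC information with a source-network condition (rule 100200 on top of 5503). The following is an added example that ties both together in Python; it is not code from the posters and not Wazuh's own matching engine. It parses the syslog-style sshd lines quoted in the thread, extracts the remote address, and decides which of the two rule ids from the third reply would apply. The rule ids and the 172.16.1.1/24 network come from the thread; the sample log is constructed from the quoted lines (the port and key fingerprint on the success line are made up), and the reading of 172.16.1.1/24 as covering 172.16.1.0 to 172.16.1.255 is an assumption about how the srcip match behaves.

```python
"""Emulate the thread's detection logic: parse sshd log lines, pull out the
remote IP, and decide whether the source-network rule should fire.

Added example for this thread; not Wazuh code and not the posters' code.
Rule ids 5503 and 100200 and the CIDR come from the third reply.
"""
import ipaddress
import re

# Syslog prefix shared by every sshd line quoted in the thread.
SYSLOG_PREFIX = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<program>[\w-]+)\[(?P<pid>\d+)\]: (?P<message>.*)$"
)
# OpenSSH server: successful public-key login (the incoming case).
ACCEPTED = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"
)
# PAM failure line, the event matched by rule 5503 in the third reply.
PAM_FAILURE = re.compile(
    r"^pam_unix\(sshd:auth\): authentication failure; .*rhost=(?P<srcip>\S+) user=(?P<user>\S+)"
)


def parse_sshd_line(line):
    """Return a dict describing the event, or None for lines we do not handle."""
    m = SYSLOG_PREFIX.match(line)
    if not m or m.group("program") != "sshd":
        return None
    event = {k: m.group(k) for k in ("timestamp", "hostname", "pid")}
    msg = m.group("message")
    accepted = ACCEPTED.match(msg)
    failure = PAM_FAILURE.match(msg)
    if accepted:
        event.update(kind="login_success", user=accepted["user"], srcip=accepted["srcip"])
    elif failure:
        event.update(kind="login_failure", user=failure["user"], srcip=failure["srcip"])
    else:
        return None
    return event


def classify(event, watched_cidr="172.16.1.1/24"):
    """Return the rule id the thread's rule tree would produce for this event.

    Base rule 5503 fires for any PAM authentication failure; the child rule
    100200 takes its place when the source address lies inside the watched
    network. strict=False ignores the host bits, so 172.16.1.1/24 is read as
    172.16.1.0/24 (an assumption about the srcip match, stated in the lead-in).
    None means no rule discussed in the thread applies (e.g. a successful login).
    """
    if event["kind"] != "login_failure":
        return None
    network = ipaddress.ip_network(watched_cidr, strict=False)
    if ipaddress.ip_address(event["srcip"]) in network:
        return 100200
    return 5503


# Constructed sample log built from the thread's lines: a success from the
# watched network (port and fingerprint made up), a failure from the watched
# network, a failure from the other NIC's network, and an unrelated cron line.
SAMPLE_LOG = """\
Jan 18 11:56:36 hostname sshd[19245]: Accepted publickey for user_name from 172.16.1.5 port 51234 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.1.5 user=username
Jan 19 13:29:06 hostname sshd[19630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.1.5 user=username
Jan 19 13:30:00 hostname cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""


def run(log_text):
    """Parse every line and return [(srcip, kind, rule_id)] for sshd events."""
    results = []
    for line in log_text.splitlines():
        event = parse_sshd_line(line)
        if event is None:
            continue
        results.append((event["srcip"], event["kind"], classify(event)))
    return results


if __name__ == "__main__":
    for row in run(SAMPLE_LOG):
        print(row)
```

As the replies point out, the log never names the interface, so the network condition is a proxy for it: the failure from 172.16.1.5 is escalated to 100200, the identical failure from 10.10.1.5 stays at 5503, and the successful login from the watched network produces nothing because the thread's rule only extends 5503; covering successful access would need the extra rules the third reply mentions.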