Where can I find the logs for successful accesses over ssh-sftp?
journalctl -u sshd | grep accepted
This does not print anything, despite me having logged on and modified a bunch of files. I recently discovered that ssh-sftp does not require authentication by default, and anyone could have entered sftp://my-ip and browsed all of my files. I need to know who accessed my computer.
Thanks, I get some entries now, but they are all trusted logins from myself, no sftp related things. I also tried grepping for sftp but that returned no results.
I tried from a fresh browser before plugging the massive security hole, and I could just sftp://, which does not seem to have been logged.
No dice, and when grepping for ‘sftp’ I just get failed logon attempts of people who tried to log in as user sftp. (but it doesn’t say whether it went through sftp-server)
The weird thing is, I could just access pretty much everything from a browser without authenticating. But from Thunar, I had to actually provide a password or keys to access the sftp.
There are no relevant logs in /var/log/httpd/acces_log either.
You may wish for more verbosity with something like
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
But it still should give connections by default … I wonder if there is no authentication; maybe look for something like:
Feb 25 12:34:56 server sshd[1234]: pam_unix(sshd:session): session opened for user user by (uid=0)
So search for ‘session’?
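As an added example (not part of this thread), a small POSIX sh script that runs the searches discussed above over a constructed sample of journal lines: successful sshd authentications, the sessions sftp-server itself reports, and the file operations it records once the Subsystem line carries -l INFO. All hosts, users, addresses and the key fingerprint in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of sshd and sftp-server journal lines in journalctl's default
# "short" output format (made-up hosts, users, addresses and fingerprint).
SAMPLE_LOG='Feb 25 12:34:56 server sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Feb 25 12:34:56 server sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 25 12:34:58 server sftp-server[1241]: session opened for local user alice from [192.0.2.10]
Feb 25 12:35:02 server sftp-server[1241]: open "/home/alice/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0664
Feb 25 12:36:10 server sshd[1250]: Accepted password for bob from 203.0.113.5 port 51000 ssh2
Feb 25 12:40:11 server sshd[1300]: Failed password for invalid user sftp from 198.51.100.7 port 41234 ssh2
Feb 25 12:41:00 server sshd[1310]: Connection closed by 198.51.100.9 port 40000 [preauth]'

# Successful authentications ("Accepted <method> for <user> from <ip>"). Note the
# capital A: a plain "grep accepted" misses these lines. Prints "user ip method".
accepted_logins() {
    printf '%s\n' "$1" | awk '/sshd\[[0-9]+\]: Accepted / { print $9, $11, $7 }'
}

# Sessions reported by sftp-server itself ("session opened for local user ...").
# These appear only with "-l INFO" on the Subsystem line; the default level, ERROR,
# logs nothing here, so a plain shell login and an sftp login look alike without it.
sftp_sessions() {
    printf '%s\n' "$1" | awk '/sftp-server\[[0-9]+\]: session opened for local user / {
        gsub(/[][]/, "", $13); print $11, $13 }'
}

# File operations recorded by sftp-server at "-l INFO" (open, remove, rename, ...).
sftp_file_ops() {
    printf '%s\n' "$1" | awk '/sftp-server\[[0-9]+\]: (open|remove|rename|mkdir|rmdir) / {
        sub(/^.*sftp-server\[[0-9]+\]: /, ""); print }'
}

echo "Successful logins (user ip method):"; accepted_logins "$SAMPLE_LOG"
echo "sftp sessions (user ip):";            sftp_sessions "$SAMPLE_LOG"
echo "sftp-server file operations:";        sftp_file_ops "$SAMPLE_LOG"
# On the live system, feed the journal instead of the sample, for example:
#   accepted_logins "$(journalctl -u sshd --no-pager)"
```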
So it seems that it wasn’t as big of a deal as I thought. Someone I knew helped me out and tried sftp://my-ip, but he got a timeout. So it seems that Firefox, somehow, is able to connect through ssh. I’m not running ssh-agent on the connecting computer, so I’m not sure how it’s able to do that. The Firefox connections don’t show up in the logs either (journalctl _SYSTEMD_UNIT=sshd.service -e --follow), besides the timeout, which shows as “Connection closed by REMOTEHOST”.