Welcome to the VanDyke Software Forums

Join the discussion today!


Go Back   VanDyke Software Forums > Scripting
Reload this Page Help needed to log X_FORWARDED_FOR IP addresses with authentication credentials.
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Rate Thread Display Modes
  #1  
Old 01-12-2021, 11:43 AM
sundarnut sundarnut is offline
Registered User
  
Join Date: Jan 2021
Posts: 1
Exclamation Help needed to log X_FORWARDED_FOR IP addresses with authentication credentials.
Hello folks at VanDyke,

In regard to the VShell SFTP server, we desire to implement one of these two things:

1) Log the external IP address behind the firewall/load balancer (via the X_FORWARDED_FOR headers inserted, like 207.82.250.251 instead of 10.11.12.13) and the credential name (like johndoeinc) when the server authenticates someone successfully. We can use this to build a threat model and map of individual credentials and their geo-location external IPs.

OR

2) Build a PAM that will extract this value and write it to a log file with a successful login event, if this does not exist as yet in the product.

What will be the process? This will help us mitigate a lot of threats as we are unsure of our partners managing their usernames/passwords and/or SSH keys securely and auditably.

Thanks very much! We love you folks!
Reply With Quote
  #2  
Old 01-12-2021, 01:04 PM
jdev's Avatar
jdev jdev is offline
VanDyke Technical Support
  
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 1,085
Hello sundarnut,

X-FORWARDED-FOR is an HTTP header.
SFTP is a subsystem of the SSH2 protocol.
SSH2 is built upon TCP (not HTTP).
  • How would you envision an HTTP header like X-FORWARDED-FOR having any applicability to SSH2/SFTP connections?
  • Does your firewall/load balancer send HTTP headers when forwarding non-HTTP connections?

You mentioned "PAM", as a possible solution. PAM can mean a lot of things in different contexts.
  • Are you running VShell (vshelld) on UNIX, and referring to PAM as Pluggable Authentication Module, or is your PAM referring to something else (please provide detail)?
If UNIX PAM (Pluggable Authentication Module) is what you mean, it's difficult for me to envision how PAM could potentially extract an X-FORWARDED-FOR value if the connection protocol isn't HTTP. It's highly likely I'm missing something obvious, so if you can fill in as many details as possible in relation to X-FORWARDED-FOR being present in anything but HTTP protocol-level connectivity, that would be very helpful.

If the higher-priority goal is building a threat model based on the actual source IP of incoming TCP connections, it would seem more appropriate to configure the forwarding behavior of your firewall/load balancer to not perform any NAT in the case of TCP-level forwards directed to the VShell SFTP service.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
Reply With Quote
Reply

Tags
authn authz ipaddress

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes Rate This Thread
Linear Mode Linear Mode
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -6. The time now is 12:55 AM.