I have configured my SFTP server to run on the default SSH port 22 and another port (X). I want to monitor the traffic on my server in the default port to check if anyone is still using port 22.

I have tried checking the logs in var/log, but they do not show which port the user is using. Just to be clear, my only requirement is to get all the users trying to connect to port 22. Thanks in advance!

1 Answer

Preliminary note

You mentioned var/log (did you mean /var/log?), so I guess your OS is Linux. I assume you're using OpenSSH.


Bogo-solution

my only requirement is to get all the users trying to connect to port 22.

Disable the port and see who complains. :D


Simple solution

A simple solution is to increase the LogLevel from the default INFO to VERBOSE in /etc/ssh/sshd_config:

LogLevel VERBOSE

Remember the first obtained value will be used.

Reload sshd (in my Debian: systemctl reload sshd.service). From now on sshd will send more information to the syslogd (in my Debian: rsyslogd). It depends on the configuration of the syslogd (in my Debian: /etc/rsyslog.conf) where this information gets ultimately written to (in my Debian: /var/log/auth.log).

From now on, lines like

… sshd[…]: Connection from … port … on … port …

will appear. In your case the latter port will be 22 or X. Unfortunately, to tell if the connection successfully authenticated, as what user, and if it used SFTP, you'll need to analyze lines that follow. These lines won't contain the port. A sane filter is

grep -F ' sshd[' /var/log/auth.log

to filter out lines not related to sshd, but it's not a trivial task to filter this further.


Simple improvement? No

If you are interested in SFTP users only, then you'd like logs from the SFTP server better, not all logs from the entire SSH server. In your sshd_config there's a line like

Subsystem sftp internal-sftp

or

Subsystem sftp /usr/lib/sftp-server

Both internal-sftp and sftp-server can be configured to be verbose by appending -l VERBOSE, but even then they won't show you the port you're interested in.


Advanced solution

Alternatively create a wrapper over sftp-server that will log what you want. Like this:

#!/bin/sh
# Log what sshd exports in SSH_CONNECTION: "client_ip client_port server_ip server_port"
/usr/bin/logger -p auth.info "SFTP connected: $SSH_CONNECTION"
# Hand over to the real SFTP server, passing along any arguments sshd supplied
exec /usr/lib/sftp-server "$@"

Name it sftp-server-wrapper. It should be owned by root and its mode should be 755. Place it in a directory any SFTP user can reach (mind directory permissions).

Now tell your sshd to use the wrapper instead of sftp-server or internal-sftp. In sshd_config find the Subsystem sftp … line and make it:

Subsystem sftp /path/to/sftp-server-wrapper

where /path/to/ is the right path. Reload sshd.

From now on any successful connection that requests the sftp subsystem will log its parameters. The port you want to know will be at the very end. Useful filter:

grep 'SFTP connected: ' /var/log/auth.log

or even:

grep 'SFTP connected: .* 22$' /var/log/auth.log

Notes:

  • This method cannot use internal-sftp.
  • SSH users that don't request the sftp subsystem will not be logged.
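Added example, not part of the answer above: a small POSIX shell helper that reads the wrapper's "SFTP connected:" lines and reports which users and client addresses still arrive on a given server port, instead of relying on the `grep ... 22$` one-liner. The sample log lines are constructed; the tag before the colon is assumed to be logger's default tag, i.e. the login name of the user running the wrapper.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines as the wrapper writes them via
# logger. The tag before the colon is assumed to be logger's default tag (the
# invoking user's login name), so it identifies the SFTP user.
SAMPLE_LOG='Jan 10 09:12:01 host alice: SFTP connected: 192.0.2.10 51234 198.51.100.5 22
Jan 10 09:15:42 host bob: SFTP connected: 192.0.2.11 40022 198.51.100.5 2222
Jan 10 09:20:07 host alice: SFTP connected: 192.0.2.10 51300 198.51.100.5 22
Jan 10 09:21:55 host sshd[1234]: Accepted publickey for carol from 192.0.2.12 port 50000 ssh2'

# Print "user client_ip" for each SFTP session that arrived on server port $1.
# SSH_CONNECTION is "client_ip client_port server_ip server_port", so the
# server port is the last field and the client IP is the fourth from last.
sftp_clients_on_port() {
    awk -v port="$1" '
        /SFTP connected: / && $NF == port {
            tag = $5; sub(/:$/, "", tag)   # strip the trailing colon from the logger tag
            print tag, $(NF-3)
        }'
}

# Count SFTP sessions that arrived on server port $1 (same match as above).
count_sftp_on_port() {
    awk -v port="$1" '/SFTP connected: / && $NF == port { n++ } END { print n+0 }'
}

# Distinct (user, client address) pairs still using server port $1.
sftp_users_on_port() {
    sftp_clients_on_port "$1" | sort -u
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_sftp_on_port 22
printf '%s\n' "$SAMPLE_LOG" | sftp_users_on_port 22
```

Against the real log, feed the file on stdin, e.g. `sftp_users_on_port 22 < /var/log/auth.log`; sessions that never request the sftp subsystem are still invisible here, exactly as the notes above say.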