To find the publisher of file


 
# 1  
Old 04-19-2010

Hello All,

We recently migrated to a new server, transferred the public keys from the old server to the new server, and communicated to all the systems to publish their files onto the new server. But we are still receiving a file on our old server on a daily basis at a particular time, and we are not sure who is publishing this file.

Is there any way to find out who (from which server) is publishing the file?

Thanks in advance.
# 2  
Old 04-19-2010
Quote:
Originally Posted by ssachins
Is there any way to find out who (from which server) is publishing the file?
Use "ls -l <filename>" to find out which user/group the file belongs to. Then try the following:

Have a look in the crontab of this user and the root user, maybe the file is not "pushed" to the server, but "pulled". ("su" to the user and issue "crontab -l").

If you are using ssh/scp to connect between servers have a look in the user's "authorized_keys" file (usually located in "~/.ssh", depending on ssh-configuration) and investigate the user/host combinations mentioned there. Check the crontabs of these users on the remote hosts too.

Set up "tcpdump" (read the manpage carefully, it can produce an awful lot of output) to trace the incoming connection sending the file to its originating host, then investigate on this remote host. Start with the time around the timestamp of the file, probably it's being sent every day at the same time.

I hope this helps.

bakunin
# 3  
Old 04-19-2010
Thanks for the reply.
The files are being received from different systems which are using the same userName.
All the files are getting published onto our server. We do not have any cronjob which will pull the files from the upstream systems.
We have almost 100+ entries in the authorized_keys file and are not sure which key belongs to this particular file. It is quite complicated as this is quite an old system.

Some doubts -
Will the 'tcpdump' setup work for 'SFTP'? How about 'netstat'?
Do you have any example to set up the same? Will it affect the performance of the server as there will be huge output data?

Thanks
# 4  
Old 04-19-2010
Does the software you are using to provide the sftp service not have any logging features?
# 5  
Old 04-19-2010
The users are using the SFTP service at their end to transfer the files onto our server. We need some kind of 'tracking' system to check which servers are connecting to our server, which I think is only possible with either 'tcpdump' or 'netstat'. I am not sure whether it's possible with the SFTP logging feature.
# 6  
Old 04-19-2010
Well, exactly what are you using on the server to provide the service?

Sure, you can use tcpdump or wireshark or other similar tool to sniff network traffic at the approximate time that the file is being uploaded, but if your sftp server is keeping or can keep a log, it would be much easier to just look at that.
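
The logging approach suggested in the thread, as an added example that was not posted by anyone above: a filter that pulls the source address and key fingerprint of public-key logins for one account out of an sshd log, limited to a window around the file's timestamp. It assumes the server is OpenSSH logging in syslog format (the thread never says which SFTP server is in use); the function names, host name, addresses and fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: OpenSSH sshd writing
# syslog-format "Accepted publickey" lines; adjust for other SFTP servers.

# logins_near LOGFILE USER START END   (START/END as HH:MM:SS, same day)
# Prints "<time> <source-ip> <key-fingerprint>" for each matching login.
# Fingerprint is "-" when the sshd version in use does not log one.
logins_near() {
    awk -v user="$2" -v start="$3" -v end="$4" '
        / sshd\[[0-9]+\]: Accepted publickey for / {
            t = $3                       # syslog time field, HH:MM:SS
            if (t < start || t > end) next
            u = ""; ip = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for")  u  = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (u != user) next
            fp = "-"
            if ($NF ~ /^(SHA256|MD5):/) fp = $NF
            print t, ip, fp
        }' "$1"
}

# Constructed sample log (documentation address ranges, made-up fingerprints).
sample_log() {
    cat <<'EOF'
Apr 19 01:10:12 oldsrv sshd[2101]: Accepted publickey for ftpuser from 192.0.2.10 port 40112 ssh2: RSA SHA256:EXAMPLEkeyA
Apr 19 02:00:03 oldsrv sshd[2188]: Accepted publickey for ftpuser from 198.51.100.7 port 51234 ssh2: RSA SHA256:EXAMPLEkeyB
Apr 19 02:01:30 oldsrv sshd[2190]: Accepted publickey for backup from 192.0.2.44 port 38000 ssh2: RSA SHA256:EXAMPLEkeyC
Apr 19 02:03:41 oldsrv sshd[2195]: Accepted password for ftpuser from 192.0.2.99 port 40000 ssh2
EOF
}

# File timestamp is about 02:00, so look five minutes either side ("-" = stdin).
sample_log | logins_near - ftpuser 01:55:00 02:05:00
```

Where the log includes fingerprints, `ssh-keygen -lf ~/.ssh/authorized_keys` prints the fingerprint and comment of each entry, which narrows the 100+ keys down to the one used for the upload.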