2013-12-15 02:10 AM
Anyone having issues with SCP'ing files into File Reader / Flat File drop zones? I imported the public key properly into the sftp account's authorized_keys files because SFTP is working.
Scenario 1 (SFTP) - WORKING
sftp -o IdentityFile=~/.ssh/id_rsa sftp@logdecoder
sftp> cd upload
sftp> cd testlocation
sftp> cd testhost
Scenario 2 (SCP) - NOT WORKING
scp -o IdentityFile=~/.ssh/id_rsa hello.log sftp@logdecoder:/upload/testlocation/testhost
^^ it just hangs, even debug output shows that it hangs on running the SCP command. I've even tried turning off our SSH banner.
2014-01-24 04:18 AM
Hello,
Here is a temporary solution for this issue:
The user sftp cannot scp because it's a restricted user (see sshd_config and /etc/passwd) and it's chrooted.
So we created a new user specifically for SCP with the Cisco IronPort:
useradd -c "Nw Cisco IronPort Upload User" -d /var/netwitness/logcollector/upload/cisco_ironport_wsa/ -s /bin/bash -u 502 scp_cisco
passwd scp_cisco
cd /var/netwitness/logcollector/upload/
mkdir cisco_ironport_wsa/.ssh/
touch cisco_ironport_wsa/.ssh/authorized_keys   # must contain the public keys; you don't add them via the GUI
chown scp_cisco cisco_ironport_wsa/
chown scp_cisco cisco_ironport_wsa/*
chown scp_cisco cisco_ironport_wsa/.ssh/authorized_keys
/etc/ssh/sshd_config:
Match User scp_cisco
AllowTCPForwarding no
PasswordAuthentication no
X11Forwarding no
In cisco_ironport_wsa/.ssh/authorized_keys, before each public key, add these parameters to restrict access:
no-X11-forwarding,no-agent-forwarding,no-port-forwarding,no-pty "public key"
Hope this can help.
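A check for the authorized_keys restrictions described in the post above, as an added example that is not part of the thread or of RSA's tooling: it flags key entries that lack any of the four options. The function name, the sample file contents and the placeholder key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for the restrictions in the post.
REQUIRED="no-x11-forwarding no-agent-forwarding no-port-forwarding no-pty"

# audit_authorized_keys FILE
# Prints "LINE: missing OPTION..." for each key entry that lacks a required
# option. Returns 0 if every entry is fully restricted, 1 otherwise.
audit_authorized_keys() {
    file=$1 lineno=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in ''|'#'*) continue ;; esac
        # Strip quoted option values (e.g. command="a b") so the first field
        # is the whole option list. Assumption: values hold no escaped quotes.
        first=$(printf '%s\n' "$line" | sed 's/"[^"]*"//g' | awk '{print $1}')
        if [ -z "$first" ]; then continue; fi
        case $first in
            ssh-*|ecdsa-*|sk-*) opts="" ;;  # starts with a key type: no options
            *) opts=$(printf '%s' "$first" | tr 'A-Z' 'a-z') ;;  # case-insensitive
        esac
        missing=""
        for want in $REQUIRED; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$lineno: missing$missing"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample (key material is a placeholder, not a real key).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# upload keys for scp_cisco
no-X11-forwarding,no-agent-forwarding,no-port-forwarding,no-pty ssh-rsa AAAAB3placeholder ironport@wsa1
ssh-rsa AAAAB3placeholder ironport@wsa2
no-pty,no-port-forwarding ssh-rsa AAAAB3placeholder ironport@wsa3
EOF
audit_authorized_keys "$sample" || echo "unrestricted key entries found"
rm -f "$sample"
```

Run against the real file, the function takes its path as the only argument, for example cisco_ironport_wsa/.ssh/authorized_keys under /var/netwitness/logcollector/upload/.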
2014-01-20 08:16 AM
Hello,
Did you find a solution to your issue?
I'm trying to integrate Cisco IronPort logs, which is via SCP, and I think I'm facing the same problem as you...
2014-01-20 11:37 AM
I believe this will be handled by RSA later in a service pack release. We have not solved the issue and are waiting for RSA to fix it and deliver it through a software release.
Naushad A Kasu | Security Insight | 952.512.7930 | UHG, 400 South Hwy 169, St. Louis Park, MN 55426
Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do. If you haven't found it yet, keep looking. Don't settle. – Steve Jobs
2014-01-20 12:00 PM
Dear Nkasu,
Did you try using //upload/testlocation/testhost? We had some problems with NIC SFTP Agent and we solved them using //upload/xxx/xxxx as the data directory. As you can see, you need to use two "/" before upload. I hope this works for you.
2014-01-20 01:16 PM
This is an SCP issue and it's been identified as missing and will be remediated by RSA, I believe, in future releases. The SFTP works just fine for us right now.