Add something like this near the top of your /etc/hosts.allow:
---snip---
sshd : .domain.tld \
#.#.#.0/255.255.255.0 \
#.#.#.0/255.255.255.0 \
: severity auth.info \
: allow
sshd : ALL \
: severity auth.notice \
: deny
---snip---
It will cause successful ssh attempts to be logged as well as the failed attempts.
You can then write a script that scans the log file for anomalous activity and sends you a daily report. I use a root crontab entry like:
---snip---
0 7 * * * /usr/bin/zgrep -vf /usr/local/etc/normal-ssh-access /var/log/sshd.0.gz 2>&1 | /usr/bin/mail -s "$HOSTNAME ssh usage" user@xxxxxxxxxx
---snip---
Where /usr/local/etc/normal-ssh-access is like:
---snip---
User root not allowed
refused connect from
logfile turned over
can't verify hostname
host name/name mismatch
Did not receive identification string from #.#.#.#
Accepted password for user-a from #.#.#.#
Accepted password for user-b from #.#.#.#
---snip---
NOTE: The strings in the file above are things that are normal usage and can change for different versions of sshd. On servers that need to have ssh open in the firewall I do not watch for failed attempts, because they are tracked by a different tool that adds firewall blocks for multiple failed attempts from any IP not listed in a file. I periodically go through the firewall list and aggregate the offending IP list into subnets when more than a specified number of blocked IP addresses are from the same class C subnet.
On 2008-Mar-19, at 09:15, Steven W. Orr wrote:
On Monday, Mar 17th 2008 at 16:20 -0000, quoth Bill Davidsen:
=>Thomas Kappelmueller wrote:
=>> Thomas Kappelmueller wrote:
=>> > Mike wrote:
=>> > > On Mon, 17 Mar 2008, Thomas Kappelmueller wrote:
=>> > >
=>> > > > Hallo!
=>> > > >
=>> > > > Is there a easy way to log all the output of a SSH-Session?
=>> > >
=>> > > Is 'script' what you're looking for?
=>> > >
=>>
=>> One thing that makes it not perfectly perfect ;) is the fact that you have to exit twice.
=>> I added an exit after the script command.
=>>
=>You can just "exec" the script command and avoid that.
Real men have a .profile (or .bash_profile) that just has one line:
exec emacs
;-)
--
Time flies like the wind. Fruit flies like a banana. Stranger things have happened but none stranger than this. Does your driver's license say Organ Donor? Black holes are where God divided by zero. Listen to me! We are all individuals! What if this weren't a hypothetical question?
steveo at syslang.net
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
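The report in the message above is a negative filter: every sshd log line that matches none of the "normal" patterns is mailed out, so anything new (a user you did not expect, a source address you have never seen, a run of failed passwords) surfaces without anyone having to predict it in advance. The script below is an added example, not code from the post or from its author: it reproduces that zgrep -vf step on a constructed sample log and adds a per-source count of failed logins, the kind of thing the separate block-on-repeated-failures tool mentioned in the message would work from. The log lines, user names and addresses are made up (addresses are from the documentation ranges), the pattern file is a stand-in for /usr/local/etc/normal-ssh-access, and the patterns are matched as fixed strings with -F so that the dots in an address do not act as regex wildcards (the original used plain grep -f regex patterns).

```shell
#!/bin/sh
# Added example, not from the original post: anomaly report plus failed-login
# counts over a constructed sshd log. All names and addresses are made up.
set -u

LOG_FILE=$(mktemp)
PAT_FILE=$(mktemp)
trap 'rm -f "$LOG_FILE" "$PAT_FILE"' EXIT

# Constructed sample of /var/log/sshd-style (syslog format) lines.
cat > "$LOG_FILE" <<'EOF'
Mar 19 07:01:02 host sshd[1234]: Accepted password for user-a from 192.0.2.10 port 50022 ssh2
Mar 19 07:02:10 host sshd[1240]: Accepted publickey for user-c from 203.0.113.5 port 50100 ssh2
Mar 19 07:03:11 host sshd[1250]: refused connect from 198.51.100.7 (198.51.100.7)
Mar 19 07:04:20 host sshd[1260]: Failed password for invalid user admin from 198.51.100.9 port 4000 ssh2
Mar 19 07:04:22 host sshd[1261]: Failed password for invalid user admin from 198.51.100.9 port 4001 ssh2
Mar 19 07:04:25 host sshd[1262]: Failed password for root from 198.51.100.9 port 4002 ssh2
Mar 19 07:04:40 host sshd[1263]: Failed password for user-a from 192.0.2.10 port 50030 ssh2
Mar 19 07:05:00 host sshd[1270]: Did not receive identification string from 192.0.2.77
Mar 19 07:06:00 host syslogd: logfile turned over
EOF

# Stand-in for /usr/local/etc/normal-ssh-access: substrings of lines that
# are expected day-to-day traffic and should not appear in the report.
cat > "$PAT_FILE" <<'EOF'
refused connect from
logfile turned over
Did not receive identification string from
Accepted password for user-a from 192.0.2.10
Accepted password for user-b from 192.0.2.11
EOF

# ssh_anomalies LOG PATTERNS: print every log line that matches none of
# the patterns (the zgrep -vf step from the post, with -F for fixed strings).
ssh_anomalies() {
    grep -v -F -f "$2" "$1"
}

# failed_sources LOG THRESHOLD: source addresses with at least THRESHOLD
# "Failed password" lines, printed as "count address", highest count first.
# The address is the field following the word "from" on an sshd line.
failed_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (a in n) if (n[a] >= min) print n[a], a }
    ' "$1" | sort -rn
}

echo "== lines not covered by the normal-pattern list =="
ssh_anomalies "$LOG_FILE" "$PAT_FILE"
echo "== sources with 3 or more failed passwords =="
failed_sources "$LOG_FILE" 3
```

On the sample data the anomaly report contains five lines: the publickey login for user-c, which no pattern covers, and all four "Failed password" lines, including the one from user-a's own address, because the allow pattern names "Accepted password" and so does not silently hide failures from a trusted host. The failed-login count at threshold 3 names only 198.51.100.9; the single failure from 192.0.2.10 stays below it, which is the allow-list-by-threshold behaviour the message describes for its firewall-blocking tool.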