Re: SSH Logging

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add something like this near the top of your /etc/hosts.allow :

---snip---
sshd : .domain.tld \
        #.#.#.0/255.255.255.0 \
        #.#.#.0/255.255.255.0 \
        : severity auth.info \
        : allow
sshd : ALL \
        : severity auth.notice \
        : deny
---snip---

I will cause successful ssh attempts to be logged as well as the failed attempts.

You can then write a script that scans the log file for anomalous activity and send
you a daily report. I use a root crontab entry like :

---snip---
0 7 * * * /usr/bin/zgrep -vf /usr/local/etc/normal-ssh-access /var/log/ sshd.0.gz 2>&1 | /usr/bin/mail -s "$HOSTNAME ssh usage" user@xxxxxxxxxx
---snip---

Where /usr/local/etc/normal-ssh-access is like :

---snip---
User root not allowed
refused connect from
logfile turned over
can't verify hostname
host name/name mismatch
Did not receive identification string from #.#.#.#
Accepted password for user-a from #.#.#.#
Accepted password for user-b from #.#.#.#
---snip---

NOTE: The strings in the file above are things that are normal usage and
can change for different versions of sshd. On servers that need to have ssh open in the firewall I do not watch for failed attempts, because they are tracked by a different tool that adds firewall blocks for multiple failed
attempts from any IP not listed in a file. I periodically go through the
firewall list and aggregate the offending IP list into subnets when more
than a specified number of blocked IP addresses are from the same class C
subnet.

On 2008-Mar-19, at 09:15, Steven W. Orr wrote:

On Monday, Mar 17th 2008 at 16:20 -0000, quoth Bill Davidsen:

=>Thomas Kappelmueller wrote:
=>> Thomas Kappelmueller wrote:
=>> > Mike wrote:
=>> > > On Mon, 17 Mar 2008, Thomas Kappelmueller wrote:
=>> > >
=>> > > > Hallo!
=>> > > >
=>> > > > Is there a easy way to log all the output of a SSH-Session?
=>> > >
=>> > > Is 'script' what your looking for?
=>> > >
=>>
=>> One thing that makes it not perfectly perfect ;) is the fact that you have
=>> to exit twice.
=>> I added an exit after the script command.
=>>
=>You can just "exec" the script command and avoid that.

Real men have a .profile (or .bash_profile) that just has one line:

exec emacs

;-)

--
Time flies like the wind. Fruit flies like a banana. Stranger things have .0. happened but none stranger than this. Does your driver's license say Organ ..0 Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux