SSH Logging

Guy Fraser guy at incentre.net
Wed Mar 19 16:08:08 UTC 2008


Add something like this near the top of your /etc/hosts.allow :

---snip---
sshd : .domain.tld \
         #.#.#.0/255.255.255.0 \
         #.#.#.0/255.255.255.0 \
         : severity auth.info \
         : allow
sshd : ALL \
         : severity auth.notice \
         : deny
---snip---

It will cause successful ssh attempts to be logged as well as the
failed attempts.

You can then write a script that scans the log file for anomalous
activity and sends you a daily report. I use a root crontab entry like:

---snip---
0 7 * * * /usr/bin/zgrep -vf /usr/local/etc/normal-ssh-access /var/log/sshd.0.gz 2>&1 | /usr/bin/mail -s "$HOSTNAME ssh usage" user at domain.tld
---snip---

Where /usr/local/etc/normal-ssh-access is like :

---snip---
User root not allowed
refused connect from
logfile turned over
can't verify hostname
host name/name mismatch
Did not receive identification string from #.#.#.#
Accepted password for user-a from #.#.#.#
Accepted password for user-b from #.#.#.#
---snip---

NOTE: The strings in the file above are things that are normal usage and
can change for different versions of sshd. On servers that need to have ssh
open in the firewall I do not watch for failed attempts, because they are
tracked by a different tool that adds firewall blocks for multiple failed
attempts from any IP not listed in a file. I periodically go through the
firewall list and aggregate the offending IP list into subnets when more
than a specified number of blocked IP addresses are from the same class C
subnet.

On 2008-Mar-19, at 09:15, Steven W. Orr wrote:

> On Monday, Mar 17th 2008 at 16:20 -0000, quoth Bill Davidsen:
>
> =>Thomas Kappelmueller wrote:
> =>> Thomas Kappelmueller wrote:
> =>> > Mike wrote:
> =>> > > On Mon, 17 Mar 2008, Thomas Kappelmueller wrote:
> =>> > >
> =>> > > > Hallo!
> =>> > > >
> =>> > > > Is there an easy way to log all the output of a SSH-Session?
> =>> > >
> =>> > > Is 'script' what you're looking for?
> =>> > >
> =>>
> =>> One thing that makes it not perfectly perfect ;) is the fact that you have
> =>> to exit twice.
> =>> I added an exit after the script command.
> =>>
> =>You can just "exec" the script command and avoid that.
>
> Real men have a .profile (or .bash_profile) that just has one line:
>
> exec emacs
>
> ;-)
>
> -- 
> Time flies like the wind. Fruit flies like a banana. Stranger things have
> happened but none stranger than this. Does your driver's license say Organ
> Donor? Black holes are where God divided by zero. Listen to me! We are all
> individuals! What if this weren't a hypothetical question?
> steveo at syslang.net
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
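The same "filter out normal lines, report the rest" logic as the zgrep/crontab pipeline above, written in Python as an added example (not from the post or its author). The sshd log lines and the addresses standing in for the #.#.#.# placeholders are constructed; the failed-attempt tally per source IP mirrors the input a firewall-blocking tool would consume.

```python
import re
from collections import Counter

# Constructed sshd syslog sample (RFC 5737 addresses), not real log data.
SAMPLE_LOG = """\
Mar 19 06:01:12 host sshd[2211]: Accepted password for user-a from 192.0.2.10 port 51522 ssh2
Mar 19 06:03:40 host sshd[2240]: Accepted publickey for user-c from 198.51.100.7 port 40010 ssh2
Mar 19 06:05:02 host sshd[2251]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2
Mar 19 06:05:05 host sshd[2251]: Failed password for root from 203.0.113.9 port 33002 ssh2
Mar 19 06:06:00 host sshd[2260]: Did not receive identification string from 203.0.113.44
Mar 19 06:07:00 host sshd[2270]: refused connect from 203.0.113.44 (203.0.113.44)
Mar 19 06:08:00 host sshd[2280]: Accepted password for user-b from 192.0.2.11 port 51600 ssh2
"""

# The normal-ssh-access file from the post, with constructed addresses in
# place of #.#.#.#. Like `grep -f`, each line is a regex, so dots are
# escaped; an unescaped 192.0.2.1 would also match 192.0.2.10 and 192.0.2.100.
NORMAL_PATTERNS = r"""
User root not allowed
refused connect from
logfile turned over
can't verify hostname
host name/name mismatch
Did not receive identification string from 203\.0\.113\.44
Accepted password for user-a from 192\.0\.2\.10
Accepted password for user-b from 192\.0\.2\.11
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

def load_patterns(text):
    return [re.compile(p) for p in text.splitlines() if p.strip()]

def anomalous_lines(log_text, patterns):
    """Same filter as `zgrep -vf normal-ssh-access`: keep lines matching no pattern."""
    return [line for line in log_text.splitlines()
            if line.strip() and not any(p.search(line) for p in patterns)]

def failed_attempts_by_source(log_text):
    """Count failed logins per source IP, the input a blocklisting tool would use."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m)

def daily_report(log_text, patterns_text, threshold=3):
    anomalies = anomalous_lines(log_text, load_patterns(patterns_text))
    repeat = {ip: n for ip, n in failed_attempts_by_source(log_text).items() if n >= threshold}
    return anomalies, repeat

if __name__ == "__main__":
    lines, repeat = daily_report(SAMPLE_LOG, NORMAL_PATTERNS, threshold=2)
    print("\n".join(lines))
    print("repeat offenders:", repeat)
```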