Re: Detailed logging of ssh sessions
Try the termlog port and make some minor source changes so it doesn't spam the system logs. I use it to monitor shell server users, and it works wonders. I even have a shell script that creates directories according to the current date, checks for "operation not permitted" and "permission denied", mails the results to me, and archives the logs in the folder (i.e. 21-06-2005). The only problem with this is that a cat /dev/urandom can fill a partition up, because all output is logged :) I keep these logs on a separate partition.

Glenn Dawson wrote:

> At 08:38 AM 6/19/2005, Bill Moran wrote:
>
>> I've been researching this, and so far haven't found a way to do what I want to do.
>>
>> I have servers here and there that should only be accessible by a limited number of administrators via ssh (i.e. mail and web servers, firewalls). As an added security measure, I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use, script(1), but I want this to be required.
>>
>> I have two goals:
>> 1) If someone manages to guess a password and break in, I want a log of what they're doing.
>> 2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.
>>
>> I've been researching sshd, and it doesn't seem as if it has this capability. Web searches have not yet turned up anything ... I'm guessing I'm not searching for the right phrases, since I can't believe I'm the only one doing this.
>>
>> Any advice or pointers are welcome.
>>
>> --
>> Bill Moran
>> Potential Technologies
>> http://www.potentialtech.com
>
> This looks like it might do the trick for you:
> http://honeypots.sourceforge.net/modified_script.html
>
> -Glenn

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Detailed logging of ssh sessions
Bill Moran wrote:

> I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use, script(1), but I want this to be required.
>
> I have two goals:
> 1) If someone manages to guess a password and break in, I want a log of what they're doing.
> 2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.
>
> I've been researching sshd, and it doesn't seem as if it has this capability.

I think you're looking in the wrong place for this functionality. SSH is just a point-to-point connector. The functionality you want should come in some way from the login shell. Whether some shell out there already does this, or whether you could just use script itself somehow, I couldn't tell you. I'd just experiment with using script in some way -- perhaps writing a C program to be the shell, which forks and execs script with suitable parameters such as a filename based on the date, tty, user, etc. Or starting with script and modifying it to work as a login shell which did that stuff.

If you really want this to be secure, the log files ought to be on a read-only medium. If someone hacks root they can delete the trace.

--Alex
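The login-shell wrapper Alex sketches, written here in sh rather than C as an added example; it is not code from the thread, from termlog, or from any FreeBSD port. It assumes FreeBSD's script(1) argument order (script [-a] [-q] file [command ...]), the placeholder paths /var/log/sessions, /bin/sh, /usr/bin/script and /usr/libexec/sftp-server, and that root has pre-created /var/log/sessions/<user> owned by each user so one user can never squat on another's directory. Everything sshd hands the login shell, including "ssh host command" (which arrives as "<shell> -c command"), is run under script(1).

```sh
#!/bin/sh
# session-shell: login-shell wrapper that records every interactive session and
# every "ssh host command" through script(1). Added example, not from the thread.
#
# Install: copy to /usr/local/bin/session-shell, add that path to /etc/shells,
# then chsh -s /usr/local/bin/session-shell <user>. Assumes (not from the thread)
# FreeBSD script(1) argument order, script [-a] [-q] file [command ...], the
# paths below, and that root pre-created $LOG_ROOT/<user> owned by that user.
LOG_ROOT="${LOG_ROOT:-/var/log/sessions}"        # give it its own partition
REAL_SHELL="${REAL_SHELL:-/bin/sh}"
SCRIPT_BIN="${SCRIPT_BIN:-/usr/bin/script}"
SFTP_SERVER="${SFTP_SERVER:-/usr/libexec/sftp-server}"

# Turn a tty path into a file-name token: /dev/ttyp3 -> ttyp3, /dev/pts/3 -> pts_3,
# "" (no tty, e.g. "ssh host cmd" without -t) -> notty.
tty_token() {
    t=${1#/dev/}
    [ -n "$t" ] || t=notty
    printf '%s\n' "$t" | tr '/' '_'
}

# <root>/<user>/YYYY-MM-DD/<tty>.<pid>.log; ISO dates sort in ls and in cron sweeps.
build_log_path() {   # args: root user date tty pid
    printf '%s/%s/%s/%s.%s.log\n' "$1" "$2" "$3" "$(tty_token "$4")" "$5"
}

# sshd runs remote commands and subsystems as "<shell> -c <cmd>". The sftp
# subsystem is a binary protocol that a pty would corrupt, so it bypasses
# script(1), but only on an exact match: "true; /usr/libexec/sftp-server" or
# anything appended to it is still recorded. Returns 0 when cmd must be recorded.
should_record() {   # arg: command string
    [ "$1" != "$SFTP_SERVER" ]
}

session_main() {
    umask 077
    user=$(id -un)
    tty=$(tty 2>/dev/null) || tty=""
    log=$(build_log_path "$LOG_ROOT" "$user" "$(date +%Y-%m-%d)" "$tty" "$$")
    mkdir -p "${log%/*}" || exit 1
    if [ -L "$log" ]; then      # never append through a planted symlink
        echo "session-shell: refusing to log to symlink $log" >&2
        exit 1
    fi
    if [ "$1" = "-c" ]; then
        should_record "$2" || exec "$REAL_SHELL" -c "$2"
        exec "$SCRIPT_BIN" -q -a "$log" "$REAL_SHELL" -c "$2"
    fi
    exec "$SCRIPT_BIN" -q -a "$log" "$REAL_SHELL"
}

# sshd starts a login shell with argv[0] = "-session-shell"; run only then, so the
# functions above can also be sourced and checked on their own.
case "$0" in
    *session-shell) session_main "$@" ;;
esac
```

Two caveats a deployment needs to settle. The wrapper runs as the logged-in user, so it cannot protect the log from that same user (or from an intruder holding that account): making the files tamper-resistant is root's job, for example by setting the system append-only flag (chflags sappnd) on the day directories and raising securelevel, or by shipping the transcripts off-host as Bill does with syslog. And the sftp exemption is a deliberate trade-off: file transfers over that subsystem are not recorded, and scp's remote side (scp -t / scp -f) carries binary data through the same -c path, so decide per site whether to exempt it the same way or disable it.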
Re: Detailed logging of ssh sessions
Alex Zbyslaw [EMAIL PROTECTED] wrote:

> Bill Moran wrote:
>
>> I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use, script(1), but I want this to be required.
>>
>> I have two goals:
>> 1) If someone manages to guess a password and break in, I want a log of what they're doing.
>> 2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.
>>
>> I've been researching sshd, and it doesn't seem as if it has this capability.
>
> I think you're looking in the wrong place for this functionality. SSH is just a point-to-point connector. The functionality you want should come in some way from the login shell.

I suspected that might be the way to go, but I've been unable to get anything working so far.

[snip]

> If you really want this to be secure, the log files ought to be on a read-only medium. If someone hacks root they can delete the trace.

Logging is done both on and off-machine (i.e. syslog logs locally, and sends the logs to a dedicated logging machine as well). As long as I can use syslog for the logging, I've got my secure logs.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: Detailed logging of ssh sessions
At 08:38 AM 6/19/2005, Bill Moran wrote:

> I've been researching this, and so far haven't found a way to do what I want to do.
>
> I have servers here and there that should only be accessible by a limited number of administrators via ssh (i.e. mail and web servers, firewalls). As an added security measure, I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use, script(1), but I want this to be required.
>
> I have two goals:
> 1) If someone manages to guess a password and break in, I want a log of what they're doing.
> 2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.
>
> I've been researching sshd, and it doesn't seem as if it has this capability. Web searches have not yet turned up anything ... I'm guessing I'm not searching for the right phrases, since I can't believe I'm the only one doing this.
>
> Any advice or pointers are welcome.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com

This looks like it might do the trick for you:
http://honeypots.sourceforge.net/modified_script.html

-Glenn
RE: Detailed logging of ssh sessions
Hi Bill,

Just as a side note, to help with people guessing a password, how about having a script that monitors the auth.log file, and when you get more than X entries of username/password tries coming from one IP, it writes a firewall entry that blocks the IP. You could have a counter/timer that would release the IP after Y minutes (24 hours?). Of course, you could exclude your usual admin IPs from being monitored.

Cheers,

Paul Hamilton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Sunday, 19 June 2005 11:39 PM
To: [EMAIL PROTECTED]
Subject: Detailed logging of ssh sessions

I've been researching this, and so far haven't found a way to do what I want to do.

I have servers here and there that should only be accessible by a limited number of administrators via ssh (i.e. mail and web servers, firewalls). As an added security measure, I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use, script(1), but I want this to be required.

I have two goals:
1) If someone manages to guess a password and break in, I want a log of what they're doing.
2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.

I've been researching sshd, and it doesn't seem as if it has this capability. Web searches have not yet turned up anything ... I'm guessing I'm not searching for the right phrases, since I can't believe I'm the only one doing this.

Any advice or pointers are welcome.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
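Paul's auth.log watcher, as an added example in sh and awk against ipfw; it is not code from the thread or from any FreeBSD port. It assumes (none of this is in the thread) that one ipfw rule denies traffic from table 1, a state file /var/db/sshblock.state of "ip epoch" lines, the log and binary paths below, and 192.0.2.10 as a placeholder admin address that is never blocked. The sample auth.log lines are constructed in the 2005-era OpenSSH wording so the counting can be tried without a live server.

```sh
#!/bin/sh
# sshblock: count failed sshd logins per source address in auth.log, put sources
# over a threshold into an ipfw table, and release them after a TTL. Run from
# cron every few minutes. Added example, not code from the thread.
#
# Assumptions (not from the thread): a single ipfw rule consults the table, e.g.
#   ipfw add 100 deny ip from "table(1)" to any
# (ipfw tables exist from FreeBSD 5.2), the paths below, and that $STATE holds
# one "ip epoch" line per blocked host. 192.0.2.10 is a placeholder admin address.
AUTHLOG="${AUTHLOG:-/var/log/auth.log}"
STATE="${STATE:-/var/db/sshblock.state}"
IPFW="${IPFW:-/sbin/ipfw}"
TABLE="${TABLE:-1}"
THRESHOLD="${THRESHOLD:-10}"          # X failures from one address
TTL="${TTL:-86400}"                   # Y seconds before release (24 h)
ADMIN_IPS="${ADMIN_IPS:-192.0.2.10}"  # space-separated; never blocked

# Constructed sample auth.log lines (2005-era OpenSSH wording) for a dry run.
sample_log() {
cat <<'EOF'
Jun 19 08:40:01 mail sshd[1201]: Failed password for illegal user admin from 10.0.0.5 port 40112 ssh2
Jun 19 08:40:03 mail sshd[1203]: Failed password for illegal user test from 10.0.0.5 port 40113 ssh2
Jun 19 08:40:06 mail sshd[1205]: Failed password for root from 10.0.0.5 port 40115 ssh2
Jun 19 08:41:10 mail sshd[1210]: Accepted publickey for bill from 192.0.2.10 port 51000 ssh2
Jun 19 08:42:00 mail sshd[1212]: Failed password for bill from 192.0.2.10 port 51001 ssh2
Jun 19 08:42:01 mail sshd[1212]: Failed password for bill from 192.0.2.10 port 51001 ssh2
Jun 19 08:42:02 mail sshd[1212]: Failed password for bill from 192.0.2.10 port 51001 ssh2
Jun 19 08:43:00 mail sshd[1220]: Failed password for root from 198.51.100.7 port 2222 ssh2
EOF
}

# Print "count ip" for every source with at least $2 "Failed password" lines in
# log $1 ("-" = stdin), skipping the space-separated allow list $3. Works for the
# "for root from", "for illegal user x from" and later "for invalid user x from" forms.
offenders() {   # args: logfile threshold allowlist
    awk -v thr="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in ok)) cnt[ip]++
        }
        END { for (ip in cnt) if (cnt[ip] >= thr) print cnt[ip], ip }
    ' "$1" | sort -rn
}

# Print addresses from state file $1 blocked at least $2 seconds before time $3.
expired() {   # args: statefile ttl now
    awk -v ttl="$2" -v now="$3" '$2 + ttl <= now { print $1 }' "$1"
}

is_blocked() {   # args: ip statefile; exit 0 if ip is recorded as blocked
    awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$2"
}

block_ip() {
    "$IPFW" -q table "$TABLE" add "$1" && printf '%s %s\n' "$1" "$(date +%s)" >>"$STATE"
}

unblock_ip() {
    "$IPFW" -q table "$TABLE" delete "$1"
    awk -v ip="$1" '$1 != ip' "$STATE" >"$STATE.$$" && mv "$STATE.$$" "$STATE"
}

sshblock_main() {
    : >>"$STATE"
    offenders "$AUTHLOG" "$THRESHOLD" "$ADMIN_IPS" | while read -r count ip; do
        is_blocked "$ip" "$STATE" || block_ip "$ip"
    done
    expired "$STATE" "$TTL" "$(date +%s)" | while read -r ip; do
        unblock_ip "$ip"
    done
}

# Run the sweep only when invoked as the sshblock script itself.
case "$0" in
    *sshblock*) sshblock_main ;;
esac
```

Two things to check before relying on it. The counter scans the whole file on every run, so a host released after the TTL is re-blocked on the next sweep unless the old lines have gone (newsyslog rotation) or the sweep only counts lines newer than its last run; and the "Failed password for" wording, and the "illegal user" versus "invalid user" phrasing, differ between OpenSSH versions, so confirm the pattern against your own auth.log. Keep the admin allow list honest, or the first mistyped password from your own workstation locks you out for Y minutes.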