Old 03-19-2008, 03:08 PM
Guy Fraser
 
Default SSH Logging

Add something like this near the top of your /etc/hosts.allow :

---snip---
sshd : .domain.tld \
       #.#.#.0/255.255.255.0 \
       #.#.#.0/255.255.255.0 \
       : severity auth.info \
       : allow
sshd : ALL \
       : severity auth.notice \
       : deny
---snip---

It will cause successful ssh attempts to be logged as well as the
failed attempts.


You can then write a script that scans the log file for anomalous
activity and sends you a daily report. I use a root crontab entry like :

---snip---
0 7 * * * /usr/bin/zgrep -vf /usr/local/etc/normal-ssh-access /var/log/sshd.0.gz 2>&1 | /usr/bin/mail -s "$HOSTNAME ssh usage" user@domain.tld
---snip---

Where /usr/local/etc/normal-ssh-access is like :

---snip---
User root not allowed
refused connect from
logfile turned over
can't verify hostname
host name/name mismatch
Did not receive identification string from #.#.#.#
Accepted password for user-a from #.#.#.#
Accepted password for user-b from #.#.#.#
---snip---

NOTE: The strings in the file above are things that are normal usage and
can change for different versions of sshd. On servers that need to have ssh
open in the firewall I do not watch for failed attempts, because they are
tracked by a different tool that adds firewall blocks for multiple failed
attempts from any IP not listed in a file. I periodically go through the
firewall list and aggregate the offending IP list into subnets when more
than a specified number of blocked IP addresses are from the same class C
subnet.

On 2008-Mar-19, at 09:15, Steven W. Orr wrote:


On Monday, Mar 17th 2008 at 16:20 -0000, quoth Bill Davidsen:

=>Thomas Kappelmueller wrote:
=>> Thomas Kappelmueller wrote:
=>> > Mike wrote:
=>> > > On Mon, 17 Mar 2008, Thomas Kappelmueller wrote:
=>> > >
=>> > > > Hello!
=>> > > >
=>> > > > Is there an easy way to log all the output of a SSH-Session?
=>> > >
=>> > > Is 'script' what you're looking for?
=>> > >
=>>
=>> One thing that makes it not perfectly perfect is the fact that you have
=>> to exit twice.
=>> I added an exit after the script command.
=>>
=>You can just "exec" the script command and avoid that.

Real men have a .profile (or .bash_profile) that just has one line:

exec emacs

;-)

--
Time flies like the wind. Fruit flies like a banana. Stranger things
have happened but none stranger than this. Does your driver's license say
Organ Donor? Black holes are where God divided by zero. Listen to me! We
are all individuals! What if this weren't a hypothetical question?
steveo at syslang.net

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list



--
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
