
How can I log SSH access attempts and keep track of what SSH users end up doing on my server?

September 8

I've had a few security problems with a server of mine because a few SSH users have been causing problems.

So I would like to:

  • Track user logins and logouts
  • Track activity of these SSH users, in order to discover any malicious activity
  • Prevent users from deleting logs

Answers

The ssh daemon, sshd, has much of this built in and enabled. Here are some sample lines from /var/log/secure on my machine (names and IP addresses changed):

Sep  7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
Sep  7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers
Sep  7 08:34:28 myhost sshd[7253]: Failed password for illegal user root from 62.75.999.999 port 53393 ssh2
Sep  7 11:55:18 myhost sshd[11672]: Accepted password for gooduser from 98.999.26.41 port 43104 ssh2
Sep  7 23:01:28 myhost sshd[22438]: Did not receive identification string from 999.56.32.999
Sep  8 06:31:30 myhost sshd[21814]: Accepted password for gooduser from 98.999.26.41 port 5978 ssh2

This example shows a couple of attempts by somebody to ssh into this machine as root -- both were denied because root is forbidden. It also shows a successful login by the user named "gooduser".

To fine-tune what you see and in which file, read more in the sshd_config man page -- specifically the options for LogLevel and SyslogFacility.
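As an added example (not code from the answer above), here is a small POSIX shell script that turns lines like the ones quoted into two summaries: accepted logins by user and source address, and failed attempts by user and source. It assumes only the standard sshd message formats shown; the first six sample lines are the ones quoted in the answer, and the seventh is constructed with a documentation address. On Ubuntu the file to feed it is /var/log/auth.log; /var/log/secure is the name used on RHEL-style systems.

```shell
#!/bin/sh
# Added example, not code from the answer above: summarise sshd authentication
# log lines by user and source address. Lines 1-6 of the sample are the ones
# quoted in the answer; line 7 is constructed (203.0.113.0/24 is a documentation
# range). On Ubuntu pass /var/log/auth.log; /var/log/secure is the RHEL name.

SAMPLE_LOG='Sep  7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
Sep  7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers
Sep  7 08:34:28 myhost sshd[7253]: Failed password for illegal user root from 62.75.999.999 port 53393 ssh2
Sep  7 11:55:18 myhost sshd[11672]: Accepted password for gooduser from 98.999.26.41 port 43104 ssh2
Sep  7 23:01:28 myhost sshd[22438]: Did not receive identification string from 999.56.32.999
Sep  8 06:31:30 myhost sshd[21814]: Accepted password for gooduser from 98.999.26.41 port 5978 ssh2
Sep  8 06:40:02 myhost sshd[21902]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2'

# Reduce an Accepted/Failed line to "USER SOURCE". sshd writes "for USER from
# ADDR" for existing accounts but "for invalid user USER from ADDR" (older
# releases: "illegal user") for unknown ones, so the user name is not at a
# fixed field; walk the fields and look at the word after "for".
_user_source() {
    awk '{
        user = "?"; src = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "for") {
                if ($(i + 1) == "invalid" || $(i + 1) == "illegal") user = $(i + 3)
                else user = $(i + 1)
            } else if ($i == "from") {
                src = $(i + 1)
            }
        }
        print user, src
    }'
}

# Each function prints "COUNT USER SOURCE", most frequent first.
accepted_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$1" | _user_source | sort | uniq -c | sort -rn
}
failed_logins() {
    grep -E 'sshd\[[0-9]+\]: Failed ' "$1" | _user_source | sort | uniq -c | sort -rn
}
count_accepted() { grep -cE 'sshd\[[0-9]+\]: Accepted ' "$1"; }
count_failed()   { grep -cE 'sshd\[[0-9]+\]: Failed ' "$1"; }

ssh_summary() {
    echo "== accepted logins (count user source) in $1"
    accepted_logins "$1"
    echo "== failed attempts (count user source) in $1"
    failed_logins "$1"
}

# Usage: sh ssh-summary.sh /var/log/auth.log
# With no argument the constructed sample above is summarised instead.
if [ "$#" -gt 0 ]; then
    ssh_summary "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    ssh_summary "$tmp"
    rm -f "$tmp"
fi
```

The point of the field walk in `_user_source` is the one thing a fixed-column `awk '{print $9, $11}'` gets wrong: for unknown accounts sshd inserts "invalid user" (or "illegal user" in the release that produced the quoted lines), which shifts the user name by two fields, and a summary that counts "invalid" as a user name hides exactly the guessing activity the question is about.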

One very complete way of tracking users is to use auditd. It's a kernel-level way to track whatever you need to audit. It should be bundled with Ubuntu Server and, if not already running, should be startable with sudo service auditd start.

There are plenty of configuration examples for it under /usr/share/doc/auditd/ or something similar to that, and of course if you Google for auditd tutorial, you'll be rewarded with many, many tutorials.

The reports generated by auditd are stored in the /var/log/audit/ directory. They can also be parsed into a more human-readable form with tools like aureport and ausearch, which should also already be bundled with Ubuntu Server.
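As an added example, not the answer's own configuration, here is an auditd rules file that maps onto the three goals in the question: logins and logouts (recorded by sshd and PAM without any rule), every command run by an interactive user (an execve rule keyed on the login uid), and attempts to write to or change the attributes of the log files users might want to clear. The rule syntax is auditctl(8)'s; the file name, the key names (ssh_cmds, log_tamper, sshd_config) and the choice of watched paths are my own, and the script only loads the rules when run as root on a host that has the audit package installed.

```shell
#!/bin/sh
# Added example, not from the original answer: an auditd rules file covering
# session logins/logouts, commands run by interactive users, and tampering with
# the logs, plus the ausearch/aureport queries that read it back. The syntax is
# auditctl(8)'s; file name, key names and watched paths are my choices.

# Emit the rules file content on stdout.
audit_rules() {
    cat <<'EOF'
## Logins and logouts need no rule: sshd and PAM already emit USER_LOGIN,
## USER_START and USER_END records. Read them with: aureport -l  (or -au)

## Every execve by an interactive (non-system) user. auid is the login uid:
## it is set when the session starts and survives su/sudo, so commands run
## after "sudo -i" are still attributed to the person who logged in.
## 4294967295 (-1) means "unset" and excludes daemons and kernel threads.
## Both ABIs are listed so a 32-bit binary cannot slip past the b64 rule.
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k ssh_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k ssh_cmds

## Writes (w) and attribute changes (a: chmod, chown, chattr) to the logs a
## user might try to clear. Ubuntu keeps sshd messages in /var/log/auth.log.
-w /var/log/auth.log -p wa -k log_tamper
-w /var/log/wtmp -p wa -k log_tamper
-w /var/log/btmp -p wa -k log_tamper
-w /var/log/lastlog -p wa -k log_tamper
-w /var/log/audit/ -p wa -k log_tamper

## Changes to the sshd configuration itself.
-w /etc/ssh/sshd_config -p wa -k sshd_config

## Optional: lock the audit configuration until the next reboot so the rules
## above cannot be unloaded. Uncomment once the rule set is settled.
#-e 2
EOF
}

# Write the rules to FILE (default /etc/audit/rules.d/ssh-users.rules, the
# directory augenrules reads on Ubuntu) and, when root with auditd installed,
# load them into the running kernel.
install_audit_rules() {
    target="${1:-/etc/audit/rules.d/ssh-users.rules}"
    audit_rules > "$target"
    if [ "$(id -u)" -eq 0 ] && command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    fi
}

# Count the rules in FILE that carry key KEY (-k KEY); handy for checking that
# a rules file says what you think it says before loading it.
count_rules_with_key() {
    grep -c -- "-k $2\$" "$1"
}

# Reading the results back (as root; ausearch and aureport ship with auditd):
#   ausearch -k ssh_cmds -i --start today   commands users ran today, decoded
#   ausearch -k log_tamper -i               writes/attribute changes on the logs
#   aureport -l --summary                   logins per user and source host
#   aureport -au --failed                   failed authentications

# Run directly, print the rules so they can be reviewed before installing:
#   sh audit-rules.sh > /etc/audit/rules.d/ssh-users.rules
audit_rules
```

The execve rule is the part that answers "what did they end up doing": because it is keyed on auid rather than uid, a user who switches to root with su or sudo is still recorded under their own login uid, which is the attribution a plain shell history cannot give. The watches on the log files do not stop a write, they record it (with the auid of whoever did it), which is usually what you want: the tampering attempt itself becomes evidence.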

I wouldn't give out ssh-accounts, especially to distro-groups type people.

Here's a couple of things:

  • last gives you a history of recent logins and logouts.
  • Harden the bash history to prevent wiping out the command history: http://sock-raw.org/papers/bash_history

From http://superuser.com/questions/37576/can-history-files-be-unified-in-bash/37583#37583

Insert the command shopt -s histappend in your .bashrc. This will append to the history file instead of overwriting it. Also in your .bashrc, insert

PROMPT_COMMAND="$PROMPT_COMMAND;history -a; history -n"

and the history file will be re-written and re-read each time bash shows the prompt.
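As an added example, not the quoted answer's or the linked paper's own code, here is a shell fragment for /etc/profile.d/ that builds on the histappend and PROMPT_COMMAND idea: it timestamps every entry, flushes the history after each command, and makes the history variables readonly so they cannot be unset or shrunk from inside the session. A second function, run as root, makes the history file append-only with chattr so it can be added to but not truncated. The variable values and file names are my choices.

```shell
#!/bin/sh
# Added example, not from the quoted answer or the linked paper: history
# settings for /etc/profile.d/ (values are my choices) plus an append-only
# history file. Works in bash; under plain sh the bash-only shopt is skipped.

harden_history() {
    HISTFILE="${HOME}/.bash_history"
    HISTSIZE=100000
    HISTFILESIZE=100000
    HISTTIMEFORMAT='%F %T '   # bash then stores a "#<epoch>" line per entry
    HISTCONTROL=              # no ignorespace/ignoredups: every command is kept
    HISTIGNORE=               # no patterns are dropped from the record
    # histappend: append to HISTFILE on exit instead of overwriting it;
    # cmdhist: keep a multi-line command as one history entry.
    if [ -n "${BASH_VERSION:-}" ]; then
        shopt -s histappend cmdhist
    fi
    # Write each command out as soon as the next prompt is drawn, so a session
    # that is killed or whose connection drops still leaves its history behind.
    PROMPT_COMMAND="history -a${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
    export HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT HISTCONTROL HISTIGNORE
    # Once readonly, "unset HISTFILE" or "HISTSIZE=0" in the session fails.
    readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT HISTCONTROL HISTIGNORE PROMPT_COMMAND
}

# Run as root for each shell user: with the append-only attribute set, the
# user can still add entries but cannot truncate, rewrite or delete the file;
# the attribute itself can only be cleared with CAP_LINUX_IMMUTABLE (root).
protect_history_file() {
    user="$1"
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    touch "$home/.bash_history"
    chown "$user" "$home/.bash_history"
    chmod 600 "$home/.bash_history"
    chattr +a "$home/.bash_history"
}

# Apply the settings when this file is sourced from /etc/profile.d/.
harden_history
```

Both functions are shell-level controls: they cover a user who tries to clear, unset or shrink the history from inside a normal login shell, and the append-only file survives a session that ends badly. A user who starts a shell that does not read these files, or uses a different shell entirely, is outside them, so treat bash history as a convenient record for day-to-day review and rely on kernel-level auditing of execve for the authoritative one.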

Following up on what Doug Harris answered (and only addressing part of your question - this seems to be how I work), the Logwatch package will email you a daily summary of a number of server logs, including the SSHd log. I get a summary of who successfully logged in via SSH, how many times, and from where, as well as what IPs tried to log in unsuccessfully and what credentials they used. It gets long if someone tries a brute-force SSH attack on a host where I'm allowing password authentication (I try to avoid that, favoring RSA keys instead, but the customer is always right and doesn't always understand public-key authentication. Anyway.)

To install Logwatch (which is basically just a collection of Perl filters for digesting various log formats) on Ubuntu, use apt-get install logwatch and then edit /etc/cron.daily/00logwatch, replacing --output mail with --mailto [email protected]. You'll get one a day. You can add more flags to tune which logs Logwatch actually reads.

