Page 1 of 2 12 Last
  • Jump to page:
    #1
  1. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    15

    Logging ssh shell sessions


    I'm wanting to log all logins to my sshd by some means and am unsure how to achieve this. I've read through the man pages for sshd, login, utmp, wtmp etc etc and can't seem to find the relevant info.

    I've added this to syslog.conf:
    Code:
    # sshd:
    !sshd
    *.*						/var/log/sshd/sshd.log
    but of course this only logs messages created by the sshd system (ie when the daemon starts, creates new keys etc), when I really want to log the times users login, where they login from, how long they were logged in for and when they logged out. Is this possible?

    Further is it worth keeping a log of all user's login sessions to check for abuse/misuse and if so, how would this be achieved. I have compiled support for the snoop tty device and was thoroughly impressed by the 'watch' utility which allows a superuser to watch another user's teletype session (and even interact with it, very cool for helping people in trouble). Would it be feasible to log user's login sessions using watch (or otherwise), and if so how would I initiate the watch command line to pipe a login session to a log file (ie how can I execute commands once a user has logged in such that the user has no control over the execution of the commands)?

    Many thanks in advance,
    Jez
    Last edited by munkfish; February 10th, 2002 at 12:06 PM.
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    You should check in your /etc/ssh/sshd_config.. My looks like this follows:

    #--------------------------------------------------------------
    # Logging
    #--------------------------------------------------------------
    SyslogFacility SSHDLOG
    LogLevel DEBUG

    My sshd is logging to the SSHDLOG facility, so I add the following lines to my /etc/syslog.conf file..

    # Log SSH daemon messages to own file
    !sshd
    sshdlog.* /var/log/sshd.log

    You can change from SSHDLOG to whatever what you wish it to be..
  4. #3
  5. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    15
    Cool, thanks mezz - I did add a line 'auth.* /var/log/auth/auth.log' to my syslog.conf file, but it wasn't as verbose as I wanted... I think I'll try increasing the verbosity of it in the 'LogLevel' param in sshd_config, see how that works out.

    I like the ability to change the name of the syslogd facility name used by sshd, nice one that (seems by default it's just 'auth').

    Do you have any idea about the logging of user's login sessions to file at all?

    I can log a user's tty session manually using 'watch <flags> <tty> > output_file.txt', but this is very cumbersome - I'd settle for being able to grep through my user's .history files... trouble is I'm not sure how easy it is for user's to execute commands in a way that bypasses logging to their .history files.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    I recently tried on FreeBSD and it doesn't works.. It used to work long time ago when I had Linux...

    Oh well, I am using auth so it's fine with me.. I don't know what else to help, so sorry.. Maybe, you can search in the google to see if you can find the luck there..
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    5
    Rep Power
    0
    syslogd probably can't do what you want. I run sshd from tcpserver and here is the run script:

    /var/djb/ssh/run
    Code:
    #!/bin/sh
    PATH=/usr/local/bin:/usr/bin:/bin
    export PATH
    exec tcpserver -vRp -l www.mydomain.com -x root/ssh.cdb \
    -c5 -u0 -g0 0 22 /usr/local/sbin/sshd -eiD4 2>&1
    My sshd version is: OpenSSH_3.0.2p1
    From man 8 sshd -> sshd [-deiqtD46]
    I am not sure if default sshd with 4.5-STABLE supports those options since I have been using latest sshd from the ports tree. As for 4.4-STABLE, the default version doesn't support every option as deiqtD46. So check your sshd and make sure.
    Here is the list of those options that I used for sshd:
    Code:
    -e      When this option is specified, sshd will send the output to the
                 standard error instead of the system log.
    -i      Specifies that sshd is being run from inetd.  sshd is normally
                 not run from inetd because it needs to generate the server key
                 before it can respond to the client, and this may take tens of
                 seconds.  Clients would have to wait too long if the key was
                 regenerated every time.  However, with small key sizes (e.g.,
                 512) using sshd from inetd may be feasible.
    -D      When this option is specified sshd will not detach and does not
                 become a daemon.  This allows easy monitoring of sshd.
    BTW I installed openssh-portable-3.0.2p1 instead of openssh-3.0.2.
    It's possible to use recordio in front of sshd in the run script to get more verbose logs. Normally qmail people would use recordio for troubleshooting because it captures everything including the entire email message and the SMTP session.
    Last edited by freebsd; February 11th, 2002 at 04:30 AM.
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    >> My sshd version is: OpenSSH_3.0.2p1

    Well, does it means you have to install OpenSSH 3.0.2p1 at every time when you do the CVSUP/buildworld or you just don't bother to do the CVSUP/buildworld for long time? I am asking, because when I tried to upgrade OpenSSH to 3.xxx, but after CVSUP and buildworld then it brings the default version (downgrade to 2.9) back...
  12. #7
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    5
    Rep Power
    0
    No, you just need to echo "NO_OPENSSH=true" >> /etc/make.conf so buildworld doesn't build it any longer.
  14. #8
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    w0w, I didn't know about it.. Thanks freebsd!!
  16. #9
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    5
    Rep Power
    0
    Not only that, you can add a lot more. Check /usr/ports/Mk/*, /usr/share/mk/* and /etc/defaults/make.conf. Like Sendmail, I don't run it so just NO_SENDMAIL=true to /etc/make.conf. Though cvsup will fetch the latest src but buildworld just won't build it.
  18. #10
  19. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    Thanks for more tips..

    Ummm, when I tried to upgrade openssh 2.9 to 3.0.2p1 then I typed "sshd -V" but it says 2.9 ever thought I already installed from ports.

    At first, I killed sshd by follows killall -HUP sshd then upgrade it from ports. Do I have to remove freebsd's default ssh first by manual before I use ports to install newest version?
  20. #11
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    5
    Rep Power
    0
    >> Do I have to remove freebsd's default ssh first

    No but afterward because once it's installed it doesn't launch automatically. Here is what you need to do afterward:
    1) chmod 0 and mv it with a .bak extension or whatever to the following files:
    Code:
    /usr/bin:
                ssh-add
                ssh-agent
                ssh-keygen
                ssh
    /usr/libexec:
                sftp-server
    /usr/sbin:
                sshd
    2) rm -f the old manpage and catpage of above binaries
    /usr/share/man/man1,8/*
    /usr/share/man/cat1,8/*
    3) Remove sshd_enable="YES" from /etc/rc.conf (if supervise). If running it standlone, you can use the script in /usr/local/etc/rc.d/ or append sshd_program="/usr/local/sbin/sshd" to /etc/rc.conf.
    Last edited by freebsd; February 12th, 2002 at 04:49 AM.
  22. #12
  23. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    Thanks freebsd.. Here what I put in shell script follows:

    remove whole man of ssh
    Code:
    #!/bin/sh
    
    log=/var/tmp/_$$rmmanssh.log
    /bin/rm -rf /var/tmp/_*rmmanssh.log
    
    for i in                                        \
            /usr/share/man/cat1/ssh-keygen.1.gz     \
            /usr/share/man/cat1/ssh.1.gz            \
            /usr/share/man/cat8/sshd.8.gz           \
            /usr/share/man/man1/ssh.1.gz            \
            /usr/share/man/man1/ssh-add.1.gz        \
            /usr/share/man/man1/ssh-agent.1.gz      \
            /usr/share/man/man1/ssh-keygen.1.gz     \
            /usr/share/man/man8/sshd.8.gz           \
    
    do
            if [ -e $i ]; then
                    echo "/bin/rm -f $i" >> $log
                    /bin/rm -f $i
            else
                    echo "$i does not exist." >> $log
            fi
    done
    Another script for killall, chmod 0 and mv to .bak follows:
    Code:
    #!/bin/sh
    
    log=/var/tmp/_$$mvssh.log
    /bin/rm -rf /var/tmp/_*mvssh.log
    
    for i in                                \
            /usr/bin/ssh                    \
            /usr/bin/ssh-add                \
            /usr/bin/ssh-agent              \
            /usr/bin/ssh-keygen             \
            /usr/sbin/sshd                  \
            /usr/libexec/sftp-server        \
    
    do
            if [ -e $i ]; then
                    echo "/bin/mv $i $i.bak" >> $log
                    /usr/bin/killall -HUP sshd
                    /bin/chmod 0 $i
                    /bin/mv $i $i.bak
            else
                    echo "$i does not exist." >> $log
            fi
    done
    Both shell scripts seem work perfectly, so I am going to install openssh again then modify to get startup works..

    Thanks again,
    Mezz
  24. #13
  25. funky munky
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Jul 2001
    Location
    UK
    Posts
    1,446
    Rep Power
    15
    mezz:
    I recently tried on FreeBSD and it doesn't works.. It used to work long time ago when I had Linux...

    If you're referring to the watch utility, you need to compile in support for the snoop device into the kernel - this is very very simple to do and afaik doesn't add any massive overhead to things, plus it's quite useful if you have mates who aren't sure what they're doing in UNIX because it even lets you interact on the command-line with an already established login on a given tty (so you can 'help' users out as they work!). Good fun, bit of a toy, although as I say it's also nice in that it allows you to log a tty session to a file.

    Anyway, there's a simple howto for building in support for snoop device at this place: http://freebsdhowtos.com/86.html

    freebsd:
    djb tools again! I've been back to the site many times now, although I still haven't downloaded anything as yet - the tool kit sounds very useful and I'll have to grab it and read through the docs. I must admit I hadn't thought of running sshd via a wrapper (in fact I've not even touched on the use of wrappers at all as yet), so I'll have a go at running sshd as you mention via djb's tcp-server util (ditto with the other service I currently run via inetd, so long inetd!).

    Further the recordio tool at djb that you mention sounds very interesting, another avenue I'll look at. Am I being too paranoid in worrying what users are/will be doing on my server? What is the best strategy to deploy in watching for 'bad/abusive behaviour' from users?

    Thanks in advance,
    Jez
  26. #14
  27. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2001
    Posts
    310
    Rep Power
    13
    Thanks munkfish for the link..

    BTW: freebsd, I had to put sshd_enable="YES" in /etc/rc.conf to make it works. Without it then it will not startup as well. I found one link in freebsd.org, but it's non-english so it works very well with sshd_enable="YES".. http://www.freebsd.org.pl/?q=sshd

    Anyway, thanks for help..
  28. #15
  29. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2001
    Posts
    5
    Rep Power
    0
    >> ditto with the other service I currently run via inetd

    inetd, being the top three most vulernable software (among the others: BIND and Sendmail), should be disabled and look for replacement.
    tcpserver, on the other hand, will never suffer DoS attack because you can control the limit and how many simultaneous connection and many others.
    Just remember one thing: djb is the best UNIX software developer in the world.

    >> the recordio tool at djb that you mention sounds very interesting

    I'm still unsure whether recordio can really capture everything. Here is a smtp run script:
    Code:
    #!/bin/sh
    PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin 
    export PATH
    exec 2>&1
    exec envdir ./env sh -c '
     exec softlimit -m32768000 \
    tcpserver -vR -l mail.mydomain.com -x root/smtp.cdb -c30 -u82 -g81 0 25 \
    rblsmtpd -r inputs.orbz.org -r outputs.orbz.org \
    -r "rbl.mydomain.com:Sorry. Spamming is not allowed! - %IP%" qmail-smtpd
    '
    If you need to insert recordio, it will then be:
    Code:
    #!/bin/sh
    PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin 
    export PATH
    exec 2>&1
    exec envdir ./env sh -c '
     exec softlimit -m32768000 \
    tcpserver -vR -l mail.mydomain.com -x root/smtp.cdb -c30 -u82 -g81 0 25 \
    rblsmtpd -r inputs.orbz.org -r outputs.orbz.org \
    -r "rbl.mydomain.com:Sorry. Spamming is not allowed! - %IP%" recordio qmail-smtpd
    '
    When your qmail-smtpd is TLS-aware, you can't use recordio and smtpd will choke. Though you can still try it with sshd+supervise+tcpserver.

    >> Am I being too paranoid

    Yes and you are invading the privacy of your users.
Page 1 of 2 12 Last
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo