traffic accounting per username with ipfw in 5.4 ?

user user at dhp.com
Tue Oct 25 16:52:44 PDT 2005



On Tue, 25 Oct 2005, Andrew P. wrote:

> ipfw looks at the owner of a process, sshd in your
> case. If you really need to account the not-locally-
> initiated ssh traffic, start another sshd running as
> the user (on another port), and connect to that
> port [you can easily allow a user to connect only
> to a selected server by editing sshd_config's].
> 
> Anyway, try thinking logically. How ipfw could
> ever know what user traffic belongs to if all
> authentication is handled by sshd internally.
> Otherwise, it would be a security hole (though
> some actions can certainly be logged to limited-
> access log files).
> 
> Hassle-free solutions, i.e. complex accounting
> systems, come for money. Though, whatever
> problem you might have, I'm sure somehow that
> there's another way.


I am open to suggestions :)  Basically I have a system that is accessible
via ssh _only_, and I need to find out how much ssh traffic each
individual user is generating (both send and receive) over ssh.

There is a large enough population of users that one sshd per user is not
workable.

So, it turns out there is a patch for openSSH that does per-user traffic
accounting, which makes sense, since the sshd does know all that I am
trying to ask of it.  The only drawbacks are, the patch is unsupported
(apparently the openssh developer is philosophically opposed to traffic
counting in sshd (?)), and it does not count aborted transactions (so you
could upload a few gigs, and then drop off, and that doesn't get counted).

So that is one solution ... can you think of any other ways to count
per-user traffic, if it is a given that it is all only ssh ?

thanks.
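An added example, not from this thread or from FreeBSD's own tooling, showing the mechanics the thread discusses: ipfw `count` rules keyed on the `uid` option, one per direction per user, and a small parser that totals the byte counters from `ipfw -a list`. It assumes the `-a` listing format "rule packets bytes rule-text"; the users alice and bob, the rule numbers and the sample listing are constructed for illustration. As the quoted reply points out, the `uid` match is on the uid owning the local socket, so with a single root-owned sshd these counters show what ipfw can attribute, not the per-login user; the script is about the accounting and reporting mechanics, not a way around that limit.

```sh
#!/bin/sh
# Added example (not part of the original mailing-list post). Assumes ipfw's
# "count" action with the "uid" option and the "ipfw -a list" output format
# "<rule> <packets> <bytes> <rule text>". User names, rule numbers and the
# sample listing below are constructed.

# Print the ipfw commands that would count inbound and outbound ssh traffic
# for each user given on the command line. $1 is the first rule number to use
# (assumed free in the ruleset); every user takes two consecutive numbers.
per_user_rules() {
    n=$1; shift
    for u in "$@"; do
        echo "ipfw add $n count tcp from any to me 22 uid $u in"
        n=$((n + 1))
        echo "ipfw add $n count tcp from me 22 to any uid $u out"
        n=$((n + 1))
    done
}

# Read "ipfw -a list" output on stdin and emit "<user>/<direction> <bytes>",
# one line per counter, summed across rules that share a uid and direction.
# Only "count" rules carrying a "uid" option are considered; rules without an
# explicit in/out keyword are reported under the direction "any".
sum_bytes_per_uid() {
    awk '$4 == "count" {
             u = ""
             for (i = 5; i <= NF; i++) if ($i == "uid") u = $(i + 1)
             if (u == "") next
             dir = ($NF == "in" || $NF == "out") ? $NF : "any"
             bytes[u "/" dir] += $3
         }
         END { for (k in bytes) print k, bytes[k] }' | sort
}

# Constructed sample of what "ipfw -a list" might print once the rules above
# have seen some traffic (the final line is ipfw's default rule).
SAMPLE='00100 12 3456 count tcp from any to me 22 uid alice in
00101 3 400 count tcp from me 22 to any uid alice out
00102 40 98000 count tcp from any to me 22 uid bob in
00103 5 700 count tcp from me 22 to any uid bob out
65535 999 1234567 allow ip from any to any'

# Bytes counted for one user in one direction ("in" or "out") from the sample.
bytes_for() {
    printf '%s\n' "$SAMPLE" | sum_bytes_per_uid |
        awk -v k="$1/$2" '$1 == k { print $2 }'
}

# Total bytes (both directions) for one user from the sample.
total_for() {
    printf '%s\n' "$SAMPLE" | sum_bytes_per_uid |
        awk -v u="$1" '{ split($1, p, "/"); if (p[1] == u) s += $2 } END { print s + 0 }'
}

# Stand-alone run: show the rules and the per-user totals for the sample.
per_user_rules 100 alice bob
printf '%s\n' "$SAMPLE" | sum_bytes_per_uid
```

On a live system the listing would come from `ipfw -a list` instead of `$SAMPLE`; the `count` action never drops or allows anything, so these rules can be placed ahead of the existing policy without changing it, and `ipfw zero` resets the counters at the start of each accounting period.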
