Detailed logging of ssh sessions

Paul Hamilton paulh at bdug.org.au
Mon Jun 20 00:19:58 GMT 2005


Hi Bill,

Just as a side note, to help with people guessing a password, how about
having a script that monitors the auth.log file and when you get more than X
number of entries of username/password tries coming from one IP, it then
writes a firewall entry that blocks the IP.  You could have a counter/timer,
that would release the IP after Y number of minutes (24 hours?).  Of course,
you could exclude your usual admin IPs from being monitored.

Cheers,

Paul Hamilton

-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Bill Moran
Sent: Sunday, 19 June 2005 11:39 PM
To: questions at freebsd.org
Subject: Detailed logging of ssh sessions



I've been researching this, and so far haven't found a way to do what I want
to do.

I have servers here and there, that should only be accessible by a limited
number of administrators via ssh (i.e. mail and web servers, firewalls).

As an added security measure, I'd like to start logging everything that
happens during any ssh login (since all our work on these machines is via
ssh).  I understand, and frequently use script(1), but I want this to be
required.  I have two goals:
1) If someone manages to guess a password and break in, I want a log
   of what they're doing.
2) I want 100% guarantee that everything we do is recorded, to make
   future debugging of configuration mistakes easier.

I've been researching sshd, and it doesn't seem as if it has this
capability.  Web searches have not yet turned up anything ... I'm guessing
I'm not searching for the right phrases, since I can't believe I'm the only
one doing this.

Any advice or pointers are welcome.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
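
Paul's suggestion above (count failed password tries per IP in auth.log, block above X, release after Y minutes, skip the admin IPs), sketched as an added example that is not code from the thread. The class and parameter names are made up for illustration and the log lines are constructed. It assumes sshd's `Failed password for ... from IP port N ssh2` line format and returns block/unblock decisions for the caller to hand to a firewall, since the thread names none.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at end of line, so the address taken is the one sshd appended last:
# a username crafted to contain " from 192.0.2.1 port 1" cannot get another host blocked.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+(?: ssh2)?$")

class Blocker:
    def __init__(self, max_tries, window_min, ban_min, allow=(), year=2005):
        self.max_tries, self.allow = max_tries, [ipaddress.ip_network(a) for a in allow]
        self.window, self.ban_time = timedelta(minutes=window_min), timedelta(minutes=ban_min)
        self.year = year                  # syslog timestamps carry no year
        self.tries = defaultdict(deque)   # ip -> times of recent failures
        self.banned = {}                  # ip -> release time

    def feed(self, line):
        """Handle one auth.log line; return [(action, ip)] for the firewall hook."""
        m = FAILED.match(line.rstrip())
        if not m:
            return []
        now = datetime.strptime(f"{self.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        due = [ip for ip, t in self.banned.items() if t <= now]   # Y minutes are up
        actions = [("unblock", str(ip)) for ip in due]
        for ip in due:
            del self.banned[ip]
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:                # not an address: ignore the line
            return actions
        if ip in self.banned or any(ip in net for net in self.allow):
            return actions                # already blocked, or an admin IP
        q = self.tries[ip]
        q.append(now)
        while now - q[0] > self.window:   # forget tries older than the window
            q.popleft()
        if len(q) > self.max_tries:       # "more than X" tries inside the window
            self.banned[ip] = now + self.ban_time
            del self.tries[ip]
            actions.append(("block", str(ip)))
        return actions

SAMPLE = [  # constructed log lines, not from a real host
    "Jun 20 00:01:00 mail sshd[411]: Failed password for root from 203.0.113.9 port 4001 ssh2",
    "Jun 20 00:01:02 mail sshd[412]: Failed password for illegal user a from 192.0.2.1 port 1 ssh2 from 203.0.113.9 port 4002 ssh2",
    "Jun 20 00:01:04 mail sshd[413]: Failed password for root from 203.0.113.9 port 4003 ssh2",
    "Jun 21 00:02:00 mail sshd[500]: Failed password for bill from 198.51.100.7 port 5000 ssh2",
]
```

Bans are released only when a later failed-login line arrives, because the clock here is the log itself; a live monitor would also check the release times on a timer.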



