Hello,

we are trying to monitor ssh logins on security-critical machines with a script that scans logfiles for the relevant entries. A problem is that when the ssh connection is closed by a network interruption or by closing the window with the ssh client, we do not find a corresponding entry in the logs. "last" does not show this information either, at least on our systems which are RedHat Linux based. Is there any way to record a "User gone" or so? At a certain point, the daemon closes the connection when the client has gone away; would it be possible to log this?

I would be grateful for a hint.

Yours,
Jakob Curdes
Jakob Curdes wrote:
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs.

Which OpenSSH version, and is it a vendor-supplied package or self-compiled?

> "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this?

I think sshd should update last on disconnects; if it doesn't, it should be investigated.

> I would be grateful for a hint.

The optional audit code in 4.0p1 and later will catch these disconnect events and syslog them if you enable it (configure --with-audit=debug).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Wed, 2005-04-06 at 12:40 +0200, Jakob Curdes wrote:
> Hello,
>
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs. "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this?
>
> I would be grateful for a hint.

    host sshd[pid]: (pam_unix) session opened for user myuser by (uid=0)
    host sshd[pid]: (pam_unix) session closed for user myuser

Seems to work here just fine (killing the ssh connection with ~. or with kill). Last also logs the logouts here...

    myuser pts/4 ip Wed Apr 6 13:53 - 13:53 (00:00)
    myuser pts/4 ip Wed Apr 6 13:52 - 13:52 (00:00)
    myuser pts/4 ip Wed Apr 6 13:52 - 13:52 (00:00)

This is on a debian system, and using PAM and key-based auth.

--
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet
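As an added illustration of the log-scanning approach discussed in this thread (this is example code, not something posted by Jakob, Darren or Mark), the script below pairs the pam_unix "session opened" and "session closed" lines by sshd child pid and reports sessions that never got a close entry, which is exactly the gap described in the first message. The log lines are constructed samples in the format Mark quoted; hostnames, pids and user names are made up.

```python
import re

# Constructed sample auth-log excerpt in the pam_unix format quoted in the thread.
# Pid 2188 is a session that was opened but for which no close was ever logged
# (the "client went away" case the original poster could not detect).
SAMPLE_LOG = """\
host sshd[2101]: (pam_unix) session opened for user alice by (uid=0)
host sshd[2101]: (pam_unix) session closed for user alice
host sshd[2188]: (pam_unix) session opened for user bob by (uid=0)
host sshd[2250]: (pam_unix) session opened for user alice by (uid=0)
host sshd[2250]: (pam_unix) session closed for user alice
"""

# The sshd child pid is the same for the open and the close of one session,
# so it is the natural key for pairing the two events.
SESSION_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: \(pam_unix\) session (?P<event>opened|closed) "
    r"for user (?P<user>\S+)"
)


def audit_sessions(log_text):
    """Pair pam_unix session open/close events per sshd pid.

    Returns (closed, dangling): 'closed' lists (pid, user) for sessions with a
    logged close; 'dangling' lists (pid, user) for sessions that were opened but
    never closed in the log, i.e. the disconnects a monitoring script would miss.
    """
    open_sessions = {}
    closed = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a pam_unix session line; ignore
        pid, user = m.group("pid"), m.group("user")
        if m.group("event") == "opened":
            open_sessions[pid] = user
        else:
            open_sessions.pop(pid, None)
            closed.append((pid, user))
    dangling = sorted(open_sessions.items())
    return closed, dangling


if __name__ == "__main__":
    _, dangling = audit_sessions(SAMPLE_LOG)
    for pid, user in dangling:
        print(f"session for {user} (sshd pid {pid}) opened but never closed")
```

Run against a real /var/log/secure or auth.log, a non-empty dangling list after the sessions have ended is the symptom to investigate (or the case where Darren's audit code would add the missing disconnect entry).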
Hello,

recently we experience random login attempts with various user names such as test, guest, admin, root, http etc. pp., all from the same IP in a short time. I observed this on different machines. We have limited access to ssh to 2 or 3 users on all our boxes, so I do not really feel a necessity to protect our machines better from misuse. Nevertheless I think it would be good to block an IP address after the 3rd or so login attempt with an illegal name, or at least block an IP that tries to cycle user names like a merry-go-round. I experimented a bit with options for sshd like LoginGraceTime, MaxStartups but these do not really affect the sshd behavior in the case mentioned above. I also looked into PAM and tried to configure things there, but PAM is not really my daily speciality. Is someone willing to explain to me how I can limit login attempts via ssh? Is this related to UseLogin?

Yours,
Jakob Curdes
Jakob Curdes wrote:
[...]
> Is someone willing to explain to me how I can limit login
> attempts via ssh?

There was an extensive thread on this topic a while back:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=110728735306428

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.