Hi,

Are there any open source tools to keep track of ssh sessions? For example, if a specific user is logging in via ssh to a remote server, what commands or scripts are being run. Basically, I need to log all users' sessions.

Thanks in advance and I look forward to hearing from you.

Best Regards,

Kaushal
Hi Kaushal,

I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm), which is a penetration testing tool for man-in-the-middling SSH connections.

If you can ARP spoof a client (or otherwise route connections for them), and if they ignore the changed host-key warning, then you can record the full connection stream. You will log their passwords as well (it doesn't work for key authentication, though). Full SFTP traffic is captured too.

It might be overkill for what you're trying to do, but I thought I'd mention it.

  - Joe

-- 
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security

On 11/3/18 1:08 PM, Kaushal Shriyan wrote:
> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run. Basically, I need to log all users' sessions.
>
> Thanks in advance and I look forward to hearing from you.
>
> Best Regards,
>
> Kaushal
Well, one way might be to have strace active on the ssh process. You can only log program executions like this:

    strace -f -p <pid of process> -v -e execve -o <logfile>

Though you'll need to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork, clone, open, close, openat, dup, dup2, setuid, seteuid, setreuid and perhaps a few others in the set of traced syscalls.

I guess that a "restricted shell" might be another way; or, if you have the cooperation of the users involved, a simple "force-command" involving script(1) might work as well. If you are not sure about the users' cooperation, you'll need some protected process - like the strace running as uid 0.
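The strace suggestion above only becomes a usable audit trail once the execve lines are correlated with the clone/fork and setuid calls, so each command can be attributed to a process tree and an effective uid. The following Python script is an added example for this thread (not code from any of the posters); it parses the line format strace produces with `-f -v -e trace=execve,clone,fork,vfork,setuid,setreuid,setresuid` and the sample trace embedded in it is constructed, not captured from a real host. It assumes the traced parent (sshd) is the first pid seen, so its uid is reported as unknown (None) until a credential-changing call is observed.

```python
"""Correlate strace -f output into per-command records: pid, parent pid, effective uid, argv."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not a real capture) of an sshd child that becomes a user's shell,
# runs one command, then escalates through sudo. Non-syscall lines are included on purpose.
SAMPLE_TRACE = """\
4100  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1e0) = 4101
strace: Process 4101 attached
4101  setresuid(1000, 1000, 1000) = 0
4101  execve("/bin/bash", ["-bash"], ["HOME=/home/alice", "USER=alice"]) = 0
4101  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1e1) = 4102
strace: Process 4102 attached
4102  execve("/usr/bin/id", ["id", "-u"], ["HOME=/home/alice", "USER=alice"]) = 0
4102  +++ exited with 0 +++
4101  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4102, si_uid=1000, si_status=0} ---
4101  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1e2) = 4103
4103  execve("/usr/bin/sudo", ["sudo", "-i"], ["HOME=/home/alice", "USER=alice"]) = 0
4103  setresuid(0, 0, 0) = 0
4103  execve("/bin/bash", ["-bash"], ["HOME=/root", "USER=root"]) = 0
4103  execve("/nonexistent", ["nonexistent"], []) = -1 ENOENT (No such file or directory)
"""

# "<pid>  <syscall>(<args>) = <ret>"; lines such as "+++ exited", "--- SIGCHLD" or
# "strace: Process N attached" do not match and are skipped.
SYSCALL_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one C-style quoted string, escapes kept verbatim


@dataclass
class ExecRecord:
    pid: int
    ppid: Optional[int]
    uid: Optional[int]
    path: str
    argv: List[str]
    ok: bool


def _first_string_list(args: str) -> List[str]:
    """Return the items of the first [...] array in an strace argument string (argv for execve).

    A character scanner is used rather than a regex because argv strings may themselves
    contain ']' or escaped quotes.
    """
    start = args.find('[')
    if start < 0:
        return []
    depth, in_str, esc = 0, False, False
    for i in range(start, len(args)):
        c = args[i]
        if in_str:
            if esc:
                esc = False
            elif c == '\\':
                esc = True
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '[':
            depth += 1
        elif c == ']':
            depth -= 1
            if depth == 0:
                return [m.group(1) for m in QUOTED_RE.finditer(args[start + 1:i])]
    return []


def trace_to_records(text: str) -> List[ExecRecord]:
    """Walk the trace once, tracking process parentage and effective uid per pid."""
    parent: Dict[int, int] = {}
    uid: Dict[int, Optional[int]] = {}      # None = not yet observed (the traced sshd parent)
    records: List[ExecRecord] = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = int(m['pid']), m['call'], m['args'], int(m['ret'])
        if call in ('clone', 'clone3', 'fork', 'vfork') and ret > 0:
            parent[ret] = pid
            uid[ret] = uid.get(pid)         # the child inherits its parent's credentials
        elif call in ('setuid', 'setreuid', 'setresuid') and ret == 0:
            nums = [int(x) for x in re.findall(r'-?\d+', args)]
            euid = nums[0] if call == 'setuid' else nums[1]   # second argument is the euid
            if euid != -1:                  # -1 means "leave unchanged"
                uid[pid] = euid
        elif call == 'execve':
            path_m = QUOTED_RE.match(args)
            records.append(ExecRecord(pid, parent.get(pid), uid.get(pid),
                                      path_m.group(1) if path_m else '?',
                                      _first_string_list(args), ret == 0))
    return records


if __name__ == "__main__":
    for r in trace_to_records(SAMPLE_TRACE):
        status = "ok" if r.ok else "FAILED"
        print(f"pid={r.pid} ppid={r.ppid} uid={r.uid} {status} {r.path} argv={r.argv}")
```

Running it against the sample shows the `id -u` command attributed to pid 4102 under the uid-1000 shell 4101, and the second `/bin/bash` under pid 4103 reported with uid 0 because the `setresuid(0, 0, 0)` that sudo performed was seen first. Failed execve calls are kept with `ok=False` so that attempts to run missing or blocked binaries are not lost from the log.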
On Sat 3 Nov 2018 at 20:12 Joseph S. Testa II <jtesta at positronsecurity.com> wrote:
>
> Hi Kaushal,
>
> I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
> which is a penetration testing tool for man-in-the-middling SSH connections.
>
> If you can ARP spoof a client (or otherwise route connections for
> them), and if they ignore the changed host-key warning, then you can
> record the full connection stream. You will log their passwords as well
> (it doesn't work for key authentication, though). Full SFTP traffic is
> captured too.
>
> It might be overkill for what you're trying to do, but I thought I'd
> mention it.
>
> - Joe
>
> --
> Joseph S. Testa II
> Founder & Principal Security Consultant
> Positron Security
>
>
> On 11/3/18 1:08 PM, Kaushal Shriyan wrote:
> > Hi,
> >
> > Are there any open source tools to keep track of ssh sessions? For example,
> > if a specific user is logging in via ssh to a remote server, what commands or
> > scripts are being run. Basically, I need to log all users' sessions.
> >
> > Thanks in advance and I look forward to hearing from you.
> >
> > Best Regards,
> >
> > Kaushal

Normally the ssh daemon can log a lot of details of an ssh session, like authentication type, source IP, user name, spawned shell and the like. What you are talking about is shell-related and won't be logged by a normal ssh daemon. You'd have to snoop on the pseudo-tty in order to record a full user tty session, and it is thus off-topic here.

The MITM approach is something that surely works, at the price of making ssh security and privacy more similar to those of telnet. And the users will know you are eavesdropping on their sessions.

-- 
Vincenzo Romano - NotOrAnd.IT
Information Technologies
--
NON QVIETIS MARIBVS NAVTA PERITVS
On Sat, 3 Nov 2018, Kaushal Shriyan wrote:
> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run. Basically, I need to log all users' sessions.

You should look at your operating system's audit functionality. E.g. Linux has an audit system that can be configured to log all command executions associated with a PTY (AFAIK).

-d
On 11/03/2018 06:08 PM, Kaushal Shriyan wrote:
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run. Basically, I need to log all users' sessions.

Which part of the remote connection is the one you need audited? The system(s) your users are ssh'ing *out* of, resp. the users themselves ("we need to review what our staff did to whatever customer system they did support on"), the ones they're ssh'ing *into*, or just some subset ("privileged commands") of the activity on the latter?

For the last case, the use of individual accounts, "sudo", suitable configurations(*), and the "sudoreplay" tool might give you out of the box what OpenSSH alone would need to be heavily modified to do.

(*) Namely, making sshd log enough information to identify the incoming users and making sudo use an I/O logging plugin.
https://www.sudo.ws/man/1.8.25/sudoers.man.html#I/O_LOG_FILES

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
Hi,

Did you check out log-user-session [1]? It can be used to record the output of ssh shell sessions in a tamper-proof way. And it is open source.

Cheers

Konrad

[1] https://github.com/open-ch/log-user-session

Am 03.11.18 um 18:08 schrieb Kaushal Shriyan:
> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run. Basically, I need to log all users' sessions.
>
> Thanks in advance and I look forward to hearing from you.
>
> Best Regards,
>
> Kaushal

-- 
konrad bucheli
principal systems engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
kb at open.ch
http://www.open.ch
Hello,

Konrad Bucheli writes:
> Hi,
>
> Did you check out log-user-session [1]? It can be used to record
> the output of ssh shell sessions in a tamper-proof way. And
> it is open source.
> ...
> [1] https://github.com/open-ch/log-user-session

Well, using a SUID binary in that way partially eliminates the benefits of tamper-proof logging by increasing the attack surface, e.g. by allowing each user to create arbitrary files using directory traversal and symlink attacks, e.g. by calling

    SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'

to start the directory traversal and lead to the problematic open missing O_NOFOLLOW:

    5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3

Without symlink protection, linking the "-[guessable pid].log" file to "/etc/cron.d/dead" will give you root easily. Even with protection, something should be possible ...

I am currently also writing a tool for a similar reason. To be really tamper-proof, my solution is preloaded into SSH to intercept the encryption master key for each session, and sends it to a daemon that will use a public key to encrypt it and offload it to another machine. Together with the full-packet-captures of all SSH connections done by the network infrastructure, I would hope for a tamper-proof but still secure solution BUT (ha, ha, ha) - it is not ready yet.

Best regards,
hd

> Am 03.11.18 um 18:08 schrieb Kaushal Shriyan:
>> Hi,
>>
>> Are there any open source tools to keep track of ssh sessions?
>> For example, if a specific user is logging in via ssh to a remote server
>> and what commands or scripts are being run. Basically, I need
>> to log all users' sessions.
>>
>> Thanks in advance and I look forward to hearing from you.
>>
>> Best Regards,
>>
>> Kaushal
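The two defects named in the message above (an SSH_CLIENT value spliced straight into a path, and an open() that follows whatever already sits at the log file name) are both fixable at the point where a session logger creates its file. The script below is an added example for this thread, not code from log-user-session or from any poster; it assumes the `/var/log/user-session/<host>-<timestamp>-<ip>-<pid>.log` layout visible in the strace line above and exercises itself in a scratch directory it creates (the `demo()` inputs are constructed). It validates the address from SSH_CLIENT with the `ipaddress` module so a traversal string is rejected before it can reach a path, opens the log relative to an already-opened directory descriptor, and uses `O_NOFOLLOW|O_EXCL` so a planted symlink or pre-existing file makes the open fail instead of being written through.

```python
"""Hardened creation of a per-session log file under a fixed directory (added example)."""
import ipaddress
import os
import socket
import tempfile
import time
from typing import Optional

LOG_DIR = "/var/log/user-session"   # assumed location, taken from the strace line in the thread


def session_log_name(ssh_client: str, pid: int, now: Optional[float] = None) -> str:
    """Build '<host>-<YYYYmmdd-HHMMSS>-<ip>-<pid>.log'; raise ValueError unless the address is an IP."""
    fields = ssh_client.split()
    if len(fields) != 3:
        raise ValueError("SSH_CLIENT must be '<ip> <client port> <server port>'")
    ip = ipaddress.ip_address(fields[0])        # '169.254.0.1/../../../../tmp/' raises ValueError here
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    name = f"{socket.gethostname()}-{stamp}-{ip}-{pid}.log"
    if "/" in name or name in (".", ".."):      # belt and braces: never let a separator into the name
        raise ValueError("unsafe log file name")
    return name


def open_session_log(log_dir: str, name: str) -> int:
    """Create `name` inside `log_dir` only.

    The directory is opened first and the file is created via dir_fd, so the name cannot
    escape the directory; O_EXCL|O_NOFOLLOW refuses to reuse an existing file and refuses
    to follow a symlink planted under a guessable name.
    """
    dir_fd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_APPEND
        return os.open(name, flags, 0o400, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Exercise the checks in a scratch directory with constructed inputs; return what happened."""
    scratch = tempfile.mkdtemp()
    result = {}

    # 1. Normal session: a well-formed SSH_CLIENT yields a log file with owner-read-only mode.
    name = session_log_name("198.51.100.7 51000 22", 4242, now=0)
    fd = open_session_log(scratch, name)
    os.write(fd, b"session output\n")
    os.close(fd)
    result["created"] = name
    result["mode"] = os.stat(os.path.join(scratch, name)).st_mode & 0o777

    # 2. The traversal value from the thread is rejected before any path is built.
    try:
        session_log_name("169.254.0.1/../../../../tmp/ 1234 22", 1)
        result["traversal_rejected"] = False
    except ValueError:
        result["traversal_rejected"] = True

    # 3. A symlink planted under a predictable name is not followed; the open fails with EEXIST.
    os.symlink(os.path.join(scratch, "somewhere-else"), os.path.join(scratch, "planted.log"))
    try:
        open_session_log(scratch, "planted.log")
        result["symlink_rejected"] = False
    except FileExistsError:
        result["symlink_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Note that the check on the file name is deliberately the last line of defence: the real protection is that the name is built only from validated parts and that creation happens relative to the directory descriptor with `O_EXCL|O_NOFOLLOW`, which holds even if a future change lets another attacker-influenced string into the name.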