-
How to log *outgoing* ssh connections
I am looking into ways to harden the security on some of my Linux boxes (mostly Debian). I've already gotten the sshd_config modifications that most everyone recommends (allowroot to "no", allow only specific users, etc).
On most of my machines, it's fairly rare that there would ever be an outgoing ssh connection to another machine (but not "never" - so I don't want to just turn it off). But I would like to be able to see when an outgoing ssh connection is made (and to what address).
Is there a way to log OUTGOING ssh connections?
I'm running OpenSSH 4.3p2 on a Debian 4.0 kernel (just updated it).
-
In /etc/profile do
alias ssh=/usr/local/bin/l33t-ssh-logger
And in /usr/local/bin/l33t-ssh-logger do something like
Code:
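#!/bin/bash
# Append the ssh arguments (user@host, options) to the log file.
echo "$*" >> /var/log/ssh-out.log
# Run the real client; "$@" keeps each argument intact. On Debian the client is /usr/bin/ssh.
exec /usr/bin/ssh "$@"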
-
Alternatively, you can log all outgoing ssh connections with iptables.
-
And iptables logging would be better, since the alias won't necessarily be used. If somebody manages to exploit something on your machine, and gets it to run some kind of shellcode, they'll probably execute ssh directly. That won't be subject to the alias expansion, but the traffic would still get logged by iptables.
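The iptables approach from the replies above, as an added example that is not part of any post in the thread: the rule to install is shown in the comment, and the function summarises the resulting kernel log lines by user and destination. The log prefix "SSH-OUT: ", the function names and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the thread. Install as root to log the first
# packet (SYN) of every locally generated connection to TCP port 22:
#
#   iptables -A OUTPUT -p tcp --dport 22 --syn -j LOG \
#       --log-prefix "SSH-OUT: " --log-uid
#
# The prefix "SSH-OUT: " is an assumption; any distinctive string works.

# summarize_ssh_out: read kernel log lines on stdin and print one
# "count uid destination" line per (uid, destination) pair, busiest first.
summarize_ssh_out() {
    awk '
        /SSH-OUT: / {
            dst = ""; uid = "-"          # "-" when the rule lacks --log-uid
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^UID=/) uid = substr($i, 5)
            }
            if (dst != "") seen[uid " " dst]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,3
}

# Constructed sample of what the LOG target writes to the kernel log.
sample_log() {
cat <<'EOF'
Jan 12 10:01:02 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4211 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000
Jan 12 10:05:40 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4390 DF PROTO=TCP SPT=40120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000
Jan 12 10:06:11 box kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0
Jan 12 11:30:03 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5102 DF PROTO=TCP SPT=40188 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 UID=33
EOF
}

sample_log | summarize_ssh_out
```

The rule matches destination port 22 only, so an ssh client pointed at a server on another port is not logged. On a real host, feed the function from the kernel log, for example `grep 'SSH-OUT: ' /var/log/kern.log | summarize_ssh_out`.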