How to log *outgoing* ssh connections


  1. #1
    Join Date
    Aug 2007
    Location
    Bryan, TX
    Posts
    4

    I am looking into ways to harden the security on some of my Linux boxes (mostly Debian). I've already gotten the sshd_config modifications that most everyone recommends (allowroot to "no", allow only specific users, etc).

    On most of my machines, it's fairly rare that there would ever be an outgoing ssh connection to another machine (but not "never" - so I don't want to just turn it off). But I would like to be able to see when an outgoing ssh connection is made (and to what address).

    Is there a way to log OUTGOING ssh connections?
    I'm running OpenSSH 4.3p2 on a Debian 4.0 kernel (just updated it).

  2. #2
    Join Date
    Sep 1999
    Posts
    3,202
    In /etc/profile do

    alias ssh=/usr/local/bin/l33t-ssh-logger

    And in /usr/local/bin/l33t-ssh-logger do something like

    Code:
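    #!/bin/bash
    # Append the arguments of each ssh invocation to the log.
    # The log file must be writable by every user who runs ssh.
    echo "$*" >> /var/log/ssh-out.log

    # Hand off to the real client; "$@" preserves argument quoting.
    # The OpenSSH client is /usr/bin/ssh on Debian.
    exec /usr/bin/ssh "$@"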

  3. #3
    Join Date
    Jun 2002
    Location
    Jamaica Plain, MA
    Posts
    458
    Alternatively, you can log all outgoing ssh connections with iptables.

  4. #4
    Join Date
    Apr 2001
    Location
    SF Bay Area, CA
    Posts
    14,936
    And iptables logging would be better, since the alias won't necessarily be used. If somebody manages to exploit something on your machine, and gets it to run some kind of shellcode, they'll probably execute ssh directly. That won't be subject to the alias expansion, but the traffic would still get logged by iptables.
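
The iptables logging suggested in the last two replies, as an added example that is not part of the original thread: `install_rule` adds a LOG rule for new outgoing TCP connections to port 22, and `summarize_ssh_out` counts the logged connections per local UID and destination. The `SSH-OUT: ` prefix, the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; the "SSH-OUT: " prefix and sample lines are constructed.

# Log the first packet of every outgoing TCP connection to port 22.
# Needs root. --log-uid records the local user that owns the socket.
# An ssh server listening on another port needs its own --dport rule.
install_rule() {
    iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW \
        -j LOG --log-prefix "SSH-OUT: " --log-uid
}

# Read kernel log lines on stdin; print "uid destination count" per pair.
# Lines without a UID= field are reported under "unknown".
summarize_ssh_out() {
    awk '
        /SSH-OUT: / {
            dst = ""; uid = "unknown"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^UID=/) uid = substr($i, 5)
            }
            if (dst != "") count[uid " " dst]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Constructed sample of what the LOG target writes to the kernel log,
# plus one unrelated sshd line that the summary must ignore.
sample_log() {
    cat <<'EOF'
Aug 14 10:02:11 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 SYN URGP=0 UID=1000
Aug 14 10:05:40 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4310 DF PROTO=TCP SPT=51240 DPT=22 SYN URGP=0 UID=1000
Aug 14 10:06:02 box sshd[2211]: Accepted publickey for alice from 192.0.2.44 port 40022 ssh2
Aug 14 11:17:29 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TTL=64 ID=5101 DF PROTO=TCP SPT=51302 DPT=22 SYN URGP=0 UID=33
Aug 14 11:40:03 box kernel: SSH-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=5222 DF PROTO=TCP SPT=51377 DPT=22 SYN URGP=0
EOF
}

# Stand-alone run: summarize the constructed sample.
sample_log | summarize_ssh_out
```

On a live system, feed `summarize_ssh_out` the file your syslog daemon writes kernel messages to. A connection owned by a service account, such as UID 33 in the sample, is the kind of entry the shell alias would never record.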
