[SOLVED] SSH login tracking and session activity Tracking
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to set up a detailed log system for SSH logins in the server. I am planning to do the following -
1. Use SSH keys instead of password logins (I know how to do this). Enable 2 factor auth on the same (don't know what I can do). The scenario will be like the login person will receive an OTP on his phone and then he will login.
2. I want to know what machine exactly logged into the server (maybe using keys or something) - as the public IP might be the same for multiple machines.
3. I want to track all the activities performed during the SSH login session.
4. Everything should be open source.
5. I also want to display a file as someone SSHes into the server - to state the reason of login - and then the file will be closed and saved for my later review.
Don't expect answers to rather uncommon questions after 50 minutes. By the way, when you add a comment to your thread, the thread is removed from the zero-reply threads list, and fewer people will read it.
You could have done a bit of googling and easily find some of the answers.
Quote:
2. I want to know what machine exactly logged into the server(maybe using keys or something) - as public IP might be same for multiple machines.
You find that in a log file like /var/log/auth.log on Ubuntu. You could have read the sshd man page to figure this out.
Quote:
3. I want to track all the activities performed during the SSH login session.
Can be done using the shell's history mechanism, but the interactive user has control over history and can also opt for running a shell that has no history.
You may want to look into auditing or tracing.
Quote:
5. I also want to display a file as someone ssh into the server - to state the reason of login - and then the file will be closed and saved for later my review.
I would use the sshd log. I don't know what you mean by reason for login (perhaps the user is bored?) and how it can be figured out, but the client's IP address is logged. There must be ways to flash file content onto your screen, but personally I have not had that requirement and don't know how to achieve it.
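As an added example (not from the thread or any project), this pulls the identifying fields out of sshd's "Accepted" lines in auth.log: with key-based logins it is the key fingerprint, not the IP, that tells two clients behind one address apart, provided each machine has its own key pair. The log lines are constructed samples and the fingerprints are placeholders.

```shell
#!/bin/sh
# Added example: per-login "who, from where, with which key" from sshd auth.log lines,
# plus a per-IP count of failed attempts. Sample lines are constructed (Ubuntu auth.log
# format); the SHA256 fingerprints are placeholders, not real keys.
SAMPLE_LOG='Sep  3 08:12:01 srv sshd[2310]: Accepted publickey for alice from 203.0.113.7 port 51022 ssh2: ED25519 SHA256:uJ9kExampleFingerprintAlice
Sep  3 08:12:01 srv sshd[2310]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep  3 08:15:44 srv sshd[2388]: Accepted publickey for bob from 203.0.113.7 port 51030 ssh2: RSA SHA256:Qm7ExampleFingerprintBob
Sep  3 08:20:10 srv sshd[2401]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  3 08:20:14 srv sshd[2401]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  3 08:21:00 srv sshd[2410]: Accepted password for carol from 198.51.100.22 port 40100 ssh2
Sep  3 08:30:00 srv sshd[2310]: Disconnected from user alice 203.0.113.7 port 51022'

# One line per successful login: user ip port method fingerprint.
# Fields are located relative to the word "Accepted", so the same code works with
# the traditional "Sep  3 08:12:01" and the RFC 3339 syslog timestamp formats.
ssh_logins() {
  awk '
    / sshd\[[0-9]+\]: Accepted / {
      for (i = 1; i <= NF; i++) if ($i == "Accepted") break
      method = $(i+1); user = $(i+3); ip = $(i+5); port = $(i+7)
      fp = (method == "publickey") ? $(i+10) : "-"   # password logins carry no key
      print user, ip, port, method, fp
    }'
}

# Failed attempts per source IP: "count ip". Useful for spotting guessing against
# the same host the legitimate keys log in to.
ssh_failures() {
  awk '
    / sshd\[[0-9]+\]: Failed / {
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }'
}

demo_logins()   { printf '%s\n' "$SAMPLE_LOG" | ssh_logins; }
demo_failures() { printf '%s\n' "$SAMPLE_LOG" | ssh_failures; }
# Real use (needs root to read the log): ssh_logins < /var/log/auth.log
```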
Welcome... and slow down. Everyone here is a volunteer and we all live in different time zones. If your question is interesting to someone, you'll get an answer eventually.
Phones *ARE NOT* a second factor, just so you know. SIM spoofing is a technically trivial social engineering activity that costs almost nothing but some time. So if it is worth spending half an hour or so on, it can be done. Just ask social control media star Jack Dorsey about that.
With all that out of the way, as for question #1, you might look in the Ubuntu repository at otp in the package "heimdal-clients". It probably won't be hard to set up but there will be a lot of reading involved and you may have to delve into Pluggable Authentication Modules (PAM) in addition to the SSH server configuration to use OTP. If you are not giving out the single-use passwords in batches, then you might also have to script something in bash, perl, or python to send an SMS containing the active one-time password.
As for the auditing, look at the package auditd.
Last edited by Turbocapitalist; 09-03-2019 at 03:57 AM. Reason: typos
As for question #5, you can make a shell script to ask your question and log the answer before processing the variable SSH_ORIGINAL_COMMAND. That can be forced for a group of accounts in /etc/sshd_config using the Match and ForceCommand configuration directives. You'll have to take into account the PTY status as well and whether SFTP is being used or allowed.
Instead of SSH keys you might look at SSH certificates to further limit access.
Thank you very much for your replies. This has definitely helped me get closer towards what I am trying to do : ) .
bernbausch - I did check Google a lot before coming to this forum. I know about the sshd logs - but I need some way to implement it such that I will get the reason for logging in to the server and all the logs of that login session collectively in one place - or some script that will do it for me. I can do some shell scripting. If you can tell me some open source tools that would allow me to do so, or something else you may suggest.
Turbocapitalist - Thanks a lot for your reply. Now after some research I am dropping the idea of 2FA over SMS on the phone and will instead email the 2FA code (it can be implemented for free; SMS 2FA costs money). If you could answer more of my above questions I would be grateful.
As for #2, the SSH keys or SSH certificates should be tied to accounts and roles not machines, unless you are planning on setting up host-based authentication.
As for #3, what did your readings about auditd turn up?
Quote:
I need some way to implement such that I will get reason of logging in to server
I probably misunderstood your point 5 - I thought you wanted a file to be displayed to YOU, the system administrator. You seem to require the client to enter the reason why they log on. I don't know how one can force the client to enter a reason, although Turbocapitalist seems to have a solution.
Don't worry. Everything we propose here is open-source, and most likely it's built into most Linux systems. I.e. no need to install anything.
To display a banner after login I am using a config file in sshd.
For 2 factor auth - I have set up an SMTP server and am using a free Linux email utility, mailutils, to send emails (just mark mailutils mail as not spam in inboxes). I have written a script.
To make the user enter the reason before login to the server - I have written a script. Use trap logout in the script if the user does not write to the file, or else Ctrl+C will allow him to skip the reason.
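Putting Turbocapitalist's ForceCommand suggestion and the trap from the last post together, here is an added example of such a gate script (not the poster's script or any project's code). The sshd_config snippet, the group name reasongate, the path /usr/local/sbin/ssh-reason-gate and the log file /var/log/ssh-reasons.log are assumptions; the --run argument is there so the functions can be sourced and exercised without a live SSH session.

```shell
#!/bin/sh
# ForceCommand wrapper: record who, from where and why before the session starts.
# Assumed sshd_config snippet (group name and script path are placeholders):
#   Match Group reasongate
#       ForceCommand /usr/local/sbin/ssh-reason-gate --run
LOG_FILE="${SSH_REASON_LOG:-/var/log/ssh-reasons.log}"   # assumed location
# Append one record: UTC time, account, client IP (first word of SSH_CONNECTION,
# which sshd sets), what the session runs ($2) and the stated reason ($1).
log_reason() {
  ip=$(printf '%s' "${SSH_CONNECTION:-unknown}" | cut -d' ' -f1)
  printf '%s user=%s ip=%s type=%s reason=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "${USER:-$(id -un 2>/dev/null || id -u)}" "$ip" "$2" "$1" >> "$LOG_FILE"
}
# What did the client ask for? sftp/scp have no terminal to answer a prompt on, so
# they are logged but not questioned; an explicit remote command is run unchanged.
session_type() {
  case "${SSH_ORIGINAL_COMMAND:-}" in
    "")               echo shell ;;
    *sftp*|"scp "*)   echo noninteractive ;;   # sftp-server, internal-sftp, scp
    *)                echo command ;;
  esac
}
# Insist on a non-empty reason, left in REASON. The trap turns Ctrl+C or a dropped
# connection into a logged abort instead of a way around the question.
ask_reason() {
  trap 'log_reason "<aborted>" shell; exit 1' INT HUP TERM
  REASON=""
  while [ -z "$REASON" ]; do
    printf 'Reason for this login (required): ' >&2
    read -r REASON || { log_reason "<eof>" shell; exit 1; }
  done
  trap - INT HUP TERM
}
main() {
  kind=$(session_type)
  case "$kind" in
    shell)
      # No PTY (ssh -T) leaves no way to ask, so refuse rather than skip the question.
      [ -t 0 ] || { log_reason "<no-pty>" shell; exit 1; }
      ask_reason
      log_reason "$REASON" shell
      exec "${SHELL:-/bin/sh}" -l ;;
    *)
      log_reason "<none>" "$kind:$SSH_ORIGINAL_COMMAND"
      exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND" ;;
  esac
}
# Act as the gate only when sshd invokes us with --run; sourcing the file defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```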