LinuxQuestions.org
Old 05-04-2007, 09:09 AM   #1
phatgeezer
SSH / SFTP session logging


We are in the process of migrating clients from vsftp (standard FTP) to SFTP to secure their login sessions. (Yes, I know vsftp can do SSL if compiled to do so, but we have a client who is only prepared at the moment to do SFTP.)

Auth key logins work just fine on the new server, but on our vsftp server we could get a log of every command issued by the client, and every response issued by the console, for troubleshooting. /var/log/secure even in verbose mode only seems to be recording authentications and not the sessions themselves. We need to be able to monitor what outside clients do while they are connected to our server.

Also, vsftp has a filexfer log that shows the status of all file transfers, whether they completed successfully or not. Is there a way to monitor this on SFTP? I know SFTP is basically just cp over an SSH connection, and not true FTP, but I can't be the only person who ever faced this issue.

All of the solutions I have seen seem to be directed at recording the session at the client end. I want a recording of the session on the server.

Anyone have a solution? Thanks!
 
Old 05-04-2007, 06:15 PM   #2
unSpawn
SSH sets up a remote shell so it should honour the shell set for a user in /etc/passwd. Substituting /bin/bash for say Rootsh (or any equivalent logging shell like Sudosh?) should get you logging. If that's not what you want maybe look at what SELinux or syscall-based logging could provide. As for xfers I don't think anything can provide you with that.

You win some, lose some it's still the same to me
The pleasure is to play, it makes no difference what you say
I don't share your greed, the only card I need is
The Ace Of Spades
The Ace Of Spades

//don't take it personal, just had to finish with lyrics given it's friday
 
Old 05-07-2007, 10:42 AM   #3
haddel
One way is to set up a little wrapper environment.

Like the .profile (or .bash_profile) will start logging what the user's doing. Short example:

ownership like
-rw-r--r-- 1 root other 191 May 3 11:59 .bash_profile

start of logging within the .bash_profile like

/usr/bin/script -a /var/log/login.log

Should the users only copy files?
If yes, choose scponly instead of a normal shell

Only short ideas.....

Last edited by haddel; 05-07-2007 at 11:00 AM.
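
A fuller version of the root-owned .bash_profile wrapper sketched in the post above, as an added example that is not part of the original thread. LOG_DIR and SESSION_LOGGED are assumed names; the wrapper records interactive logins only, because sftp and scp sessions are non-interactive and never read .bash_profile.

```bash
# Constructed example of a session-recording ~/.bash_profile.
# Install it root-owned and mode 0644, as in the ls line above, so the
# user cannot edit the wrapper. LOG_DIR and SESSION_LOGGED are assumed
# names, not taken from the thread.
LOG_DIR="${LOG_DIR:-/var/log/sessions}"

# One file per user and session, so concurrent logins do not interleave
# in a single shared login.log.
session_log_path() {
    # $1 = user name, $2 = timestamp, $3 = pid of the login shell
    printf '%s/%s.%s.%s.log\n' "$LOG_DIR" "$1" "$2" "$3"
}

# Return 0 only when this shell should be wrapped in script(1).
should_record() {
    # $1 = shell option flags ($-), $2 = current value of SESSION_LOGGED
    case "$1" in
        *i*) ;;                # interactive shell: candidate for recording
        *)   return 1 ;;       # remote command, scp, sftp: nothing to record
    esac
    [ -z "$2" ] || return 1    # already inside script(1): do not nest
    return 0
}

start_recording() {
    should_record "$-" "${SESSION_LOGGED:-}" || return 0
    [ -t 0 ] || return 0       # script(1) needs a terminal on stdin
    log=$(session_log_path "$(id -un)" "$(date +%Y%m%dT%H%M%S)" "$$")
    export SESSION_LOGGED=1
    # exec replaces the login shell, so leaving script(1) ends the session
    # instead of dropping the user into an unrecorded shell.
    # script(1) runs as the user: LOG_DIR must be writable by that user,
    # which also means the user can alter the log after the fact.
    exec /usr/bin/script -q -a "$log"
}

start_recording
```
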
 
  

