help setting up ssh logging appropriately
Hi guys, a couple of days ago my office laptop was broken into via ssh password guessing (girlfriend was amanda/amanda!).
I have reinstalled Ubuntu on that machine and have locked it down (I hope) by using the UsersAllow option, the PermitRootLogin option, changing the ssh port, and, in the event of a compromise, restricting the outgoing connections so I at least won't cause more trouble. So I think I have that machine in good shape. Does anyone have more suggestions?
However, I'm interested in what was done to that machine. So I have an old powermac G4 set up on my home network that I just installed lenny on. Nothing else on it. I want to set this machine up with a few easy to guess usernames, open up the ssh port, close down the outgoing connections, and see what happens when people break in (I figure it shouldn't take long).
How can I do this? Specifically, I want to know what usernames were guessed, what the passwords guessed were, all successes/failures, times, etc.
In the event of success, I want to be able to see all the commands executed, along with times.
So, I want a little more info than auth.log and .bash_history will give me, but I don't think I need a full-fledged honeypot like honeyd. Plus, most of the honeypot software looks fairly complicated to manage. I'm just curious.
Does anyone have suggestions for me?