Monitoring SSHFS connections
How does one monitor SSHFS connections?
I hope I am overlooking something obvious. I am not looking for information about malicious hacking. Just normal monitoring. When connecting directly through SSH, the shell history reveals the user's commands. Not so with SSHFS. Files can be changed through SSHFS and the shell history is never touched. The /var/log/secure (audit.log) shows who connected but not any activity. Thanks. :) |
Since sshfs provides a local mount of a remote file system, wouldn't any activity be reflected in the local history/logs?
I wouldn't expect the remote system to know anything about activity, although of course a change (add/remove/edit) of a file on the local system would be visible (but not logged) on the remote system. |
At the moment, looks like I might have to learn about the built-in kernel auditing. |
I think you want an intrusion detection system. Alternatively, you could audit exec and open system calls. |
sshfs is the fuse file system for sftp which is a subsystem of ssh. You need to enable sftp log level in your server's sshd_config file. I believe the logs will be in the system log file which depends on the distribution.
Assuming you're not using a chroot user, try this:
Code:
Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE
I don't know if anything is logged on the client. |
check syslog
|
also fuse can probably be tweaked somehow to output informational messages. lastly sshfs has some options of its own too. another of these questions that wouldn't have been asked if OP had done their research, or at the very least RTFM (read the fruitful manual). |
Code:
Subsystem sftp /usr/libexec/openssh/sftp-server -f LOCAL4 -l VERBOSE |
Funny how priority lists get changed. I finally was able to get back to this task.
Thanks much for the friendly nudging about SSHFS being a FUSE subsystem and being related to SFTP. For the moment I am using INFO logging details on a test system. I decided to dump the output to the SSH authentication log. Working fine, although I had to tweak rsyslog.conf. Oddly, authpriv.* was defined but not auth.*, which I added.
In summary,
* Edit /etc/ssh/sshd_config:
Code:
Subsystem sftp /usr/libexec/openssh/sftp-server -l info -f auth
Code:
authpriv.* /var/log/secure
|
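An added example, not part of any post in this thread: with sftp-server logging enabled as described above, only the "session opened" line names the user, so file activity has to be tied back to a user through the sftp-server PID. The sketch below does that correlation and reports only modifying operations; the log lines are constructed samples, the message wording is assumed to match what OpenSSH's external sftp-server writes at INFO level, and all function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not taken from the thread).
SAMPLE_LOG = '''\
Mar  3 10:15:01 fileserver sftp-server[4711]: session opened for local user alice from [192.0.2.10]
Mar  3 10:15:05 fileserver sftp-server[4711]: open "/srv/data/report.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:15:05 fileserver sftp-server[4711]: close "/srv/data/report.txt" bytes read 0 written 2048
Mar  3 10:15:09 fileserver sftp-server[4822]: session opened for local user bob from [198.51.100.7]
Mar  3 10:15:10 fileserver sftp-server[4822]: open "/srv/data/report.txt" flags READ mode 0666
Mar  3 10:15:10 fileserver sftp-server[4822]: close "/srv/data/report.txt" bytes read 2048 written 0
Mar  3 10:15:12 fileserver sftp-server[4711]: rename old "/srv/data/a.cfg" new "/srv/data/a.cfg.bak"
Mar  3 10:15:13 fileserver sftp-server[4711]: remove name "/srv/data/old.log"
Mar  3 10:15:20 fileserver sftp-server[4711]: session closed for local user alice from [192.0.2.10]
'''

LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[([^\]]+)\]')
CLOSED = re.compile(r'^session closed for local user')
# Messages that change data; a read-only open is ignored.
WRITE_OPEN = re.compile(r'^open "(.+)" flags (\S*WRITE\S*) ')
CHANGE = re.compile(r'^(remove|rmdir|mkdir) name "(.+?)"|^(rename) old "(.+)" new "(.+)"$')

def modifications(log_text):
    """Return {(user, source_ip): [(timestamp, action, path), ...]}."""
    sessions = {}                 # pid -> (user, ip); only the "opened" line names the user
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg, ts = m['pid'], m['msg'], m['ts']
        if (o := OPENED.match(msg)):
            sessions[pid] = (o[1], o[2])
        elif CLOSED.match(msg):
            sessions.pop(pid, None)   # PIDs get reused, so drop the mapping
        elif pid in sessions:
            if (w := WRITE_OPEN.match(msg)):
                report[sessions[pid]].append((ts, 'write', w[1]))
            elif (c := CHANGE.match(msg)):
                action = c[1] or c[3]
                path = c[2] if c[1] else f'{c[4]} -> {c[5]}'
                report[sessions[pid]].append((ts, action, path))
    return dict(report)

if __name__ == '__main__':
    for (user, ip), events in modifications(SAMPLE_LOG).items():
        for ts, action, path in events:
            print(f'{ts} {user}@{ip} {action} {path}')
```

Lines whose PID has no preceding "session opened" entry are skipped, so a rotated log that starts mid-session will under-report; feed it the previous log file as well in that case.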