LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 05-16-2008, 01:57 AM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 57
How to 'netstat -nat + host ' at every time a user logs into SSH daemon ?


How to 'netstat -nat + host ' at every time a user logs into SSH daemon ?
Would someone have any idea?
 
Old 05-16-2008, 04:56 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
The only thing I know is to put it into something like /etc/profile (assuming a bash shell). Have it conditional on one of the SSH* environmental variables being present.
 
Old 05-16-2008, 12:23 PM   #3
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by blackhole54 View Post
The only thing I know is to put it into something like /etc/profile (assuming a bash shell). Have it conditional on one of the SSH* environmental variables being present.
Hence adding :
netstat -nat >> /var/log/logs_ssh
and certainly play with chattr to be only appendable .... (right?)

cat /etc/profile
Code:
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "`id -u`" -eq 0 ]; then
  PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
else
  PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
fi

if [ "$PS1" ]; then
  if [ "$BASH" ]; then
    PS1='\u@\h:\w\$ '
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

export PATH

umask 022
[[ -f "/etc/autopackage/paths-bash" ]] && . "/etc/autopackage/paths-bash"
 
Old 05-17-2008, 01:33 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by frenchn00b View Post
Hence adding :
netstat -nat >> /var/log/logs_ssh
and certainly play with chattr to be only appendable .... (right?)
The command will be run as the user logging in. Normally users don't have write permission to files in /var/log. If you are planning on making /var/log/logs_ssh world writable then what you say would work. Of course, after login the users would still be able to append arbitrary content to /var/log/logs_ssh. They just wouldn't be able to delete anything.

I wasn't aware you were wanting to log the result. There is another possibility where (I think) you could have the logging done by root rather than the user. If sshd uses PAM for authentication I think (with enough effort) you could write a PAM module to do what you want and then modify /etc/pam.d/sshd. But that is way beyond my expertise.

EDIT: You might want to look into logger(1) doing the logging for you. This way it can still be done by a user (in /etc/profile) w/o granting users writing privilege to a log file. You may wish to use one of the local[0-7] "facilities" for directing to a specific log file.

Last edited by blackhole54; 05-17-2008 at 01:45 AM.
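
Added example, not part of the original posts: one way to combine the suggestions above, a block in /etc/profile that runs only when sshd has set SSH_CONNECTION and hands the output to logger(1) instead of a world-writable file. The function names, the tag ssh-login and the facility local3 are assumptions chosen for illustration.

```shell
# Constructed example for a file sourced from /etc/profile (login shells only).
# The tag "ssh-login" and facility local3 are arbitrary choices.

# Print one summary line for USER ($1) and an SSH_CONNECTION value ($2,
# "client_ip client_port server_ip server_port"); fail on anything else.
# The ( ) body keeps the helper variables out of the user's shell.
ssh_login_summary() (
    IFS=' ' read -r cip cport sip sport extra <<EOF
$2
EOF
    [ -n "$sport" ] && [ -z "$extra" ] || exit 1
    case "$cip$cport$sip$sport" in
        *[!0-9A-Za-z.:%]*) exit 1 ;;   # not address/port characters
    esac
    printf 'user=%s client=%s:%s server=%s:%s\n' \
        "$1" "$cip" "$cport" "$sip" "$sport"
)

# Send the summary plus the thread's two commands, limited to this client,
# to syslog. logger(1) turns each input line into one log entry.
ssh_login_log() (
    summary=$(ssh_login_summary "$(id -un)" "${SSH_CONNECTION:-}") || exit 0
    client=${SSH_CONNECTION%% *}
    {
        echo "$summary"
        netstat -nat 2>/dev/null | grep -F -- "$client:"
        host "$client" 2>/dev/null
    } | logger -t ssh-login -p local3.info
)

# Only for SSH sessions; run in the background so a slow DNS lookup
# does not delay the login.
if [ -n "${SSH_CONNECTION:-}" ] && command -v logger >/dev/null 2>&1; then
    ( ssh_login_log >/dev/null 2>&1 & )
fi
```

A syslog.conf rule such as `local3.*  /var/log/ssh-login.log` (file name is an example) directs these entries to their own root-owned file. Because logger runs as the user who logged in, that user can still send further local3 messages afterwards, as noted above for the world-writable file.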
 
Old 05-17-2008, 05:54 AM   #5
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by blackhole54 View Post
The only thing I know is to put it into something like /etc/profile (assuming a bash shell). Have it conditional on one of the SSH* environmental variables being present.
oh well, in that case, a quick piece of information: there isn't any bash, since it is an sftp server (jailed).
Hence since no bash, what is the possibility ?
 
Old 05-18-2008, 02:32 AM   #6
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by frenchn00b View Post
Hence since no bash, what is the possibility ?
I can only think of two things, probably both of which would require some work and maybe experimentation.

You could try to write and use a PAM module for this. Or you could try to intercept the call to sftp-server by altering the Subsystem sftp line in /etc/ssh/sshd_config. Both of those possibilities are way beyond anything I have ever tried.
 
Old 05-18-2008, 04:39 AM   #7
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by blackhole54 View Post
I can only think of two things, probably both of which would require some work and maybe experimentation.

You could try to write and use a PAM module for this. Or you could try to intercept the call to sftp-server by altering the Subsystem sftp line in /etc/ssh/sshd_config. Both of those possibilities are way beyond anything I have ever tried.
I see the line, in the /etc/ssh/sshd_config

Code:
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
Well Subsystem sftp /usr/lib/openssh/sftp-server would require then to code the source code of the SSH, and to add:

Code:
execlp("myscript", "myscript", "-f", "login", (char *)NULL);
with my script doing a logs job...


For PAM, I am not sure if we remain secured ...
 
Old 05-19-2008, 02:55 AM   #8
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by frenchn00b View Post
Well Subsystem sftp /usr/lib/openssh/sftp-server would require then to code the source code of the SSH, and to add:

Code:
execlp("myscript", "myscript", "-f", "login", (char *)NULL);
with my script doing a logs job...
I was thinking more of a wrapper for sftp-server which first did what you've shown above and then executes sftp-server. I am not posting any code on this because I am far too rusty (out of practice) to do so off the top of my head.


Quote:
For PAM, I am not sure if we remain secured ...
Yes, you need to make sure you don't break security. I am sure it can be done, but you need to make sure you understand what you are doing. This is also true for calling myscript above. In the case of the script you would probably be well advised to make sure it gets a very limited (safe) environment (probably pass it a specific PATH variable and nothing else).

I repeat that this is way beyond anything I have done.
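
Added example, not part of the original posts: a sketch of the wrapper idea described above, written as a shell script that logs the session through logger(1) and then executes the real sftp-server with an environment holding only a fixed PATH. The install path /usr/local/sbin/sftp-log-wrapper, the function names, the tag and the facility are assumptions; it also assumes /bin/sh, env, id and logger are reachable where sshd starts the subsystem, which a jailed setup has to provide.

```shell
#!/bin/sh
# Constructed example. Assumed install path: /usr/local/sbin/sftp-log-wrapper,
# referenced in sshd_config as
#   Subsystem sftp /usr/local/sbin/sftp-log-wrapper
SAFE_PATH=/usr/sbin:/usr/bin:/sbin:/bin
REAL_SERVER=/usr/lib/openssh/sftp-server   # path from the sshd_config in the thread

# Run a command with an environment that holds PATH and nothing else.
clean_run() {
    env -i PATH="$SAFE_PATH" "$@"
}

# Log the session, then replace this process with the real server.
# Does not return on success.
sftp_wrap() {
    server=$1
    shift
    PATH=$SAFE_PATH
    export PATH                      # resolve id, env, logger from fixed dirs
    user=$(id -un 2>/dev/null) || user=$(id -u)
    msg="user=$user conn=${SSH_CONNECTION:-unknown}"
    # A logging failure must not stop the transfer session.
    clean_run logger -t sftp-login -p local3.info "$msg" >/dev/null 2>&1 || true
    exec env -i PATH="$SAFE_PATH" "$server" "$@"
}

# Act as the wrapper only when invoked under the installed name.
case ${0##*/} in
    sftp-log-wrapper) sftp_wrap "$REAL_SERVER" "$@" ;;
esac
```

The wrapper runs as the authenticated user after login, so it records sessions, not failed attempts. If the real server needs more variables, add them explicitly in clean_run rather than passing the inherited environment through.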
 
Old 05-19-2008, 04:54 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Quote:
Originally Posted by frenchn00b View Post
How to 'netstat -nat + host ' at every time a user logs into SSH daemon ?
Why would you want that? Or, what gives you the idea your system or the service doesn't already do that?
 
Old 05-19-2008, 02:22 PM   #10
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by unSpawn View Post
Why would you want that? Or, what gives you the idea your system or the service doesn't already do that?
thank you Unspawn;
Well, ... in /var/log/auth.log you only get an IP address and nothing more
("Success"
"Fail"
"invalid user" ... )
 
Old 05-26-2008, 06:20 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3590
Weird. Doesn't any of your logs give "sshd[$PID]: Accepted publickey for $USER from $HOST port $PORT ssh$PROTO" lines? And if this is about blocking hosts then maybe check http://www.linuxquestions.org/questi...tempts-340366/
 
Old 05-30-2008, 01:25 AM   #12
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Original Poster
Rep: Reputation: 57
Quote:
Originally Posted by unSpawn View Post
Weird. Doesn't any of your logs give "sshd[$PID]: Accepted publickey for $USER from $HOST port $PORT ssh$PROTO" lines? And if this is about blocking hosts then maybe check http://www.linuxquestions.org/questi...tempts-340366/
Nope, not to block them. I just would like to trace them.
(blocking is already programmed).
I would like to as in the title do " netstat -nat ; host ", in realtime at every trial of connections
It's weird that we cannot do that in Linux, no one thought about that? That's so important.
Certainly Fedora or BSD have that since they are the most secured Linux/Unix.

Last edited by frenchn00b; 05-30-2008 at 01:26 AM.
 
  

