From: Glenn Dawson
To: Bill Moran, questions@freebsd.org
Date: Sun, 19 Jun 2005 16:56:40 -0700
Subject: Re: Detailed logging of ssh sessions
Message-Id: <6.1.0.6.2.20050619165543.084b2b70@cobalt.antimatter.net>
In-Reply-To: <20050619113849.3ae5cbad.wmoran@potentialtech.com>

At 08:38 AM 6/19/2005, Bill Moran wrote:
>I've been researching this, and so far haven't found a way to do what I
>want to do.
>
>I have servers here and there, that should only be accessible by a limited
>number of administrators via ssh (i.e. mail and web servers, firewalls).
>
>As an added security measure, I'd like to start logging everything that
>happens during any ssh login (since all our work on these machines is
>via ssh). I understand, and frequently use script(1), but I want this
>to be required. I have two goals:
>1) If someone manages to guess a password and break in, I want a log
>   of what they're doing.
>2) I want 100% guarantee that everything we do is recorded, to make
>   future debugging of configuration mistakes easier.
>
>I've been researching sshd, and it doesn't seem as if it has this
>capability. Web searches have not yet turned up anything ... I'm guessing
>I'm not searching for the right phrases, since I can't believe I'm the
>only one doing this.
>
>Any advice or pointers are welcome.

This looks like it might do the trick for you:

http://honeypots.sourceforge.net/modified_script.html

-Glenn

>--
>Bill Moran
>Potential Technologies
>http://www.potentialtech.com
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
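
Added example, not part of the original message and not the modified script linked above: one way to make script(1) recording mandatory for every ssh login is to point sshd_config's ForceCommand at a wrapper like this one. The wrapper path, the log root and a pre-created per-user log directory writable by that user are assumptions; the script(1) call with a command uses FreeBSD syntax.

```shell
#!/bin/sh
# Added example: wrapper meant to be named in sshd_config, for instance
#   ForceCommand /usr/local/sbin/ssh-session-log     (path is an assumption)
# FreeBSD script(1) syntax is assumed: script [-q] [file [command ...]]

LOGROOT=${LOGROOT:-/var/log/ssh-sessions}   # assumed log location

# Replace anything outside [A-Za-z0-9._-] so a value cannot alter the path.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# session_log_path ROOT USER SSH_CONNECTION STAMP PID -> one file per session
session_log_path() {
    client=${3%% *}   # first field of SSH_CONNECTION is the client address
    printf '%s/%s/%s-%s-%s.log' "$1" "$(sanitize "$2")" \
        "$(sanitize "$4")" "$(sanitize "$client")" "$(sanitize "$5")"
}

run_logged_session() {
    umask 077
    log=$(session_log_path "$LOGROOT" "$(id -un)" "$SSH_CONNECTION" \
        "$(date -u +%Y%m%dT%H%M%SZ)" "$$")
    # Fail closed: end the login rather than run an unrecorded session.
    mkdir -p "${log%/*}" || { echo "session logging unavailable" >&2; exit 1; }
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # "ssh host command" (scp and sftp requests also arrive this way)
        exec script -q "$log" "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    # Interactive login: script(1) starts $SHELL itself and records the tty.
    exec script -q "$log"
}

# Only take over when started by sshd, which sets SSH_CONNECTION.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_logged_session
fi
```

The log is written with the logged-in user's own privileges, so that user can alter or delete it. Copying the files off-host is what keeps them trustworthy after a break-in.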