From: "Paul Hamilton"
To: "'Bill Moran'"
Date: Mon, 20 Jun 2005 08:22:26 +0800
Subject: RE: Detailed logging of ssh sessions
Message-ID: <007e01c5752e$22e38a50$6600a8c0@w2k2>
In-Reply-To: <20050619113849.3ae5cbad.wmoran@potentialtech.com>

Hi Bill,

Just as a side note, to help with people guessing a password, how about having a script that monitors the auth.log file and when you get more than X number of entries of username/password tries coming from one IP, it then writes a firewall entry that blocks the IP. You could have a counter/timer, that would release the IP after Y number of minutes (24 hours?). Of course, you could exclude your usual admin IPs from being monitored.
Cheers,

Paul Hamilton

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Bill Moran
Sent: Sunday, 19 June 2005 11:39 PM
To: questions@freebsd.org
Subject: Detailed logging of ssh sessions

I've been researching this, and so far haven't found a way to do what I want to do.

I have servers here and there, that should only be accessible by a limited number of administrators via ssh (i.e. mail and web servers, firewalls).

As an added security measure, I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use script(1), but I want this to be required.

I have two goals:
1) If someone manages to guess a password and break in, I want a log of what they're doing.
2) I want 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.

I've been researching sshd, and it doesn't seem as if it has this capability. Web searches have not yet turned up anything ... I'm guessing I'm not searching for the right phrases, since I can't believe I'm the only one doing this.

Any advice or pointers are welcome.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
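Paul Hamilton's suggestion at the top of this message, sketched as an added example (not code from either poster): count failed ssh password attempts per source IP in auth.log, block an address after more than X tries, release it after Y minutes, and skip the admin addresses. The function name `decide`, the thresholds, the log line format and the sample log are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure lines as syslog writes them (the timestamp carries no year).
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?:invalid|illegal) user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample log (documentation-range addresses, hypothetical host "mail").
SAMPLE_LOG = """\
Jun 20 00:01:00 mail sshd[410]: Failed password for root from 203.0.113.5 port 4100 ssh2
Jun 20 00:01:05 mail sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 4101 ssh2
Jun 20 00:01:09 mail sshd[412]: Failed password for root from 192.0.2.10 port 5000 ssh2
Jun 20 00:01:12 mail sshd[413]: Failed password for root from 203.0.113.5 port 4102 ssh2
Jun 20 00:01:20 mail sshd[414]: Failed password for root from 203.0.113.5 port 4103 ssh2
Jun 21 00:05:00 mail sshd[500]: Failed password for root from 198.51.100.7 port 6000 ssh2
""".splitlines()

def decide(lines, max_tries=3, window=timedelta(minutes=10),
           ban=timedelta(hours=24), allow=frozenset(), year=2005):
    """Return (time, action, ip) firewall decisions for a time-ordered log."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    banned = {}                  # ip -> time at which its ban expires
    actions = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Release bans that have expired by now (a live daemon would use a timer).
        for old, until in sorted(banned.items(), key=lambda kv: kv[1]):
            if until <= ts:
                actions.append((until, "unblock", old))
                del banned[old]
        if ip in allow or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) > max_tries:     # "more than X" tries from one IP
            banned[ip] = ts + ban
            actions.append((ts, "block", ip))
            q.clear()
    return actions
```

Each returned decision would be handed to whatever firewall the host runs; that step is left out because the thread names no firewall.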