Date: Tue, 21 Jun 2005 15:03:29 +0100
From: -
To: freebsd-questions@freebsd.org
Subject: Re: Detailed logging of ssh sessions
Message-ID: <42B81E31.2050708@celeritystorm.com>
References: <20050619113849.3ae5cbad.wmoran@potentialtech.com> <6.1.0.6.2.20050619165543.084b2b70@cobalt.antimatter.net>
In-Reply-To: <6.1.0.6.2.20050619165543.084b2b70@cobalt.antimatter.net>

Try the termlog port, do some minor source changes so it doesn't spam the system logs. I use it to monitor shell server users, and it works wonders.
Even have a shell script that creates directories according to the current date, checks for "operation not permitted" and "permission denied", mails the results to me, and archives the logs in the folder (i.e. 21-06-2005). The only problem with this is a cat /dev/urandom can fill a partition up, because all output is logged :) I keep these logs in a separate partition.

Glenn Dawson wrote:
> At 08:38 AM 6/19/2005, Bill Moran wrote:
>
>> I've been researching this, and so far haven't found a way to do what I
>> want to do.
>>
>> I have servers here and there, that should only be accessible by a limited
>> number of administrators via ssh (i.e. mail and web servers, firewalls).
>>
>> As an added security measure, I'd like to start logging everything that
>> happens during any ssh login (since all our work on these machines is
>> via ssh). I understand, and frequently use script(1), but I want this
>> to be required. I have two goals:
>> 1) If someone manages to guess a password and break in, I want a log
>> of what they're doing.
>> 2) I want 100% guarantee that everything we do is recorded, to make
>> future debugging of configuration mistakes easier.
>>
>> I've been researching sshd, and it doesn't seem as if it has this
>> capability. Web searches have not yet turned up anything ... I'm guessing
>> I'm not searching for the right phrases, since I can't believe I'm the
>> only one doing this.
>>
>> Any advice or pointers are welcome.
>
> This looks like it might do the trick for you:
> http://honeypots.sourceforge.net/modified_script.html
>
> -Glenn
>
>> --
>> Bill Moran
>> Potential Technologies
>> http://www.potentialtech.com
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
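The archiving script the reply describes (date-named folder, scan for "operation not permitted" / "permission denied", mail the result, archive the raw logs, and watch the partition the poster keeps the logs on) is not included in the thread. The following is an added example in POSIX sh, written for this page rather than taken from the poster or from termlog. It assumes session logs are plain files in a source directory, that the archive root is a directory the script may write to, that a recipient is given in the hypothetical `TERMLOG_MAILTO` variable, and that `mail(1)` exists for delivery; the function names are this example's own. The date can be overridden with a third argument so the result is reproducible.

```shell
#!/bin/sh
# Added example, not the poster's script: archive termlog-style session logs
# into a DD-MM-YYYY folder and report lines that suggest denied operations.
# Assumptions: logs are plain files under $1, the archive root is $2,
# TERMLOG_MAILTO (hypothetical) names an optional mail recipient.
set -u

# The two phrases the reply greps for; matched case-insensitively.
DENIED_PATTERNS='operation not permitted|permission denied'

# Print file:line for every matching line in the given logs (empty if none).
# grep exits 1 on no match, so "|| true" keeps set -e callers alive.
find_denied() {
    grep -iEH "$DENIED_PATTERNS" "$@" 2>/dev/null || true
}

# Number of matching lines across the given logs, as a bare number.
count_denied() {
    find_denied "$@" | wc -l | tr -d ' '
}

# Percentage of the filesystem holding $1 that is in use (df -P is portable
# between FreeBSD and Linux). Relevant because, as the reply notes, a single
# session that cats /dev/urandom can fill the log partition.
space_used_percent() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Archive every log in $1 into $2/DD-MM-YYYY, write report.txt next to them,
# and mail the report if TERMLOG_MAILTO is set. $3 optionally fixes the date.
# Prints the report path on success.
archive_session_logs() {
    src=$1
    root=$2
    day=${3:-$(date +%d-%m-%Y)}
    dest="$root/$day"
    mkdir -p "$dest" || return 1

    # Warn (do not stop) when the archive partition is nearly full.
    used=$(space_used_percent "$root")
    case $used in ''|*[!0-9]*) used=0 ;; esac
    [ "$used" -lt 90 ] || echo "warning: archive partition ${used}% full" >&2

    # Expand the logs into the positional parameters; bail out if none exist.
    set -- "$src"/*
    [ -e "$1" ] || { echo "no logs in $src" >&2; return 0; }

    report="$dest/report.txt"
    {
        echo "Session log report for $day"
        echo "Denied operations: $(count_denied "$@")"
        find_denied "$@"
    } > "$report"

    # Move the raw logs into the dated folder so the source directory is empty.
    for f in "$@"; do
        mv "$f" "$dest/" || return 1
    done

    # Delivery is assumed to go through mail(1); skipped when no recipient.
    if [ -n "${TERMLOG_MAILTO:-}" ]; then
        mail -s "termlog report $day" "$TERMLOG_MAILTO" < "$report"
    fi
    echo "$report"
}
```

Run it from cron after the sessions of the day have closed, e.g. `archive_session_logs /var/log/termlog /var/termlog-archive`; the report lists the offending file and line for each hit, and the partition check gives early warning before a runaway session exhausts the space, which is exactly the failure mode the reply points out.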