I’ve configured an ubuntu server with openssh in order to connect to it and execute commands from a remote system like a phone or a laptop. The problem is… I’m probably not the only one.
Is there a way to know all the login attempts that have been made to the server?
Answers:
Method 1
On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log. There, you find entries like:
May 1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May 1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May 1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)
Method 2
On Red Hat based distros such as Fedora/CentOS/RHEL you can check for the users logged in inside the file /var/log/secure.
If you want more information read this SuperUser Q&A titled: How can I log SSH access attempts and keep track of what SSH users end up doing on my server?.
Method 3
Note that the default configuration on Ubuntu is to NOT log ssh logins to the /var/log/auth file. This is the INFO logging level.
If you want to have it include login attempts in the log file, you’ll need to edit the /etc/ssh/sshd_config file (as root or with sudo) and change the LogLevel from INFO to VERBOSE.
After that, restart the sshd daemon with
sudo service rsyslog restart
After that, the ssh login attempts will be logged into the /var/log/auth.log file.
Method 4
On Ubuntu you can log in via SSH and use the Linux tail command to display the last x number of lines of your /var/log/auth.log file. When you’re logged in via SSH use the following command to view 100 last lines of your SSH log:
tail /var/log/auth.log -n 100
or even cleaner
tail -100 /var/log/auth.log | grep 'sshd'
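The auth.log lines that Methods 1 and 4 have you read with tail and grep, parsed in code. This is an added example, not code from any of the answers; the Failed lines in the constructed sample assume sshd's standard "Failed password for ..." message format, since only an Accepted line is quoted above.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt: the first three lines mirror the Method 1 quote, the
# Failed lines are made up in sshd's usual "Failed password for ..." format (assumption).
SAMPLE_AUTH_LOG = """\
May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  1 16:18:10 owl sshd[9030]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May  1 16:18:12 owl sshd[9030]: Failed password for root from 203.0.113.9 port 51236 ssh2
May  1 16:18:15 owl sshd[9033]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""

# Matches the Accepted/Failed lines sshd writes; "invalid user" marks a nonexistent account.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?P<invalid>invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)

def parse_sshd_lines(text):
    """Return the parsed sshd Accepted/Failed events (what `grep 'sshd'` narrows the log to)."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None   # True when the account does not exist
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events

def login_report(text):
    """Per source IP: accepted logins, failed attempts and the usernames that were tried."""
    report = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for ev in parse_sshd_lines(text):
        entry = report[ev["ip"]]
        entry["accepted" if ev["result"] == "Accepted" else "failed"] += 1
        entry["users"].add(ev["user"])
    return dict(report)
```

Run it against the real file with `login_report(open("/var/log/auth.log").read())` to see, per source address, how many attempts succeeded, how many failed and which account names were tried.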
Method 5
My recommendation is to use auditd.
This is logging using the linux kernel’s audit subsystem and in my opinion the proper way to do it if you are serious.
And given the nature of the question {security related} you should be using PAM as well. At the default level of just having auditd and PAM installed, you should automatically be getting all successful and unsuccessful SSH attempts logged in your audit.log file. So you really don’t have to configure anything, just have auditd and PAM installed. I know this first hand for SLES. And would bet RHEL and any other enterprise version of linux would operate similarly.
http://manpages.ubuntu.com/manpages/precise/man8/auditd.8.html
Within the raw audit log generated by auditd you can either use something like aureport to filter it, which is described in the auditd man pages, write your own text parser, or just use vi and search for keywords.
Here is an excerpt of my /var/log/audit/audit.log file with me ssh'ing into my linux server.
node=shark type=CRED_DISP msg=audit(1480622612.317:2211277): user pid=117768 uid=0 auid=23456 ses=2201 msg='op=PAM:setcred acct="ron" exe="/usr/sbin/sshd" (hostname=abc415.mycompany.us, addr=172.16.152.5, terminal=ssh res=success)'
- from the above, my server name is shark.
- many lines like this are in audit.log, I want this one based on exe="/usr/sbin/sshd"
- the uid of the account being ssh’d into is the value of auid, which is 23456 for this example
- the name of the user account associated with auid is specified by acct="ron"
- most times the audit system will record the DNS hostname of the system trying to connect, but it always has its IP address
- the date of the entry which is in epoch time, so you’ll have to convert that via something like
date --date @1480622612.317
which results in
Thu Dec 1 15:03:32 EST 2016
and is when I ssh'd into my server.
When res=failed is when you want to investigate those ip addresses and hostnames to see what systems were trying to connect, under what attempted user name. And obviously the successful ssh attempts to understand what’s happening on your system – for example your coworker bob who sits at same desk everyday with hostname=bobscomputer and ip address=192.168.5.5; if you see a successful ssh attempt at 2am yesterday under his username from ip address 10.10.5.6 for example then it might be in your best interest to talk to bob to investigate. Possible hack attempt by someone else? And shortly after are there su attempts to root in audit log from bob’s account?
when you see repetitive res=failed and auid=0 and acct=root then that’s someone trying to ssh into your box into the root account, and is when you modify /etc/hosts.deny with that IP address for SSHD.
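The field-by-field walk-through above turned into a parser, as an added example and not the answerer's code: it keeps only the exe="/usr/sbin/sshd" records, converts the epoch timestamp the way `date --date @...` does, and counts the res=failed / acct=root pattern per source address. All records except the quoted one are constructed, and the parenthesized field layout is assumed to match the excerpt above.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed audit.log excerpt in the layout shown above: the first record is the one
# quoted in the answer; the rest are made-up failed root attempts plus a non-sshd record.
SAMPLE_AUDIT_LOG = """\
node=shark type=CRED_DISP msg=audit(1480622612.317:2211277): user pid=117768 uid=0 auid=23456 ses=2201 msg='op=PAM:setcred acct="ron" exe="/usr/sbin/sshd" (hostname=abc415.mycompany.us, addr=172.16.152.5, terminal=ssh res=success)'
node=shark type=USER_AUTH msg=audit(1480622700.101:2211300): user pid=117800 uid=0 auid=0 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=203.0.113.9, terminal=ssh res=failed)'
node=shark type=USER_AUTH msg=audit(1480622703.555:2211301): user pid=117800 uid=0 auid=0 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=203.0.113.9, terminal=ssh res=failed)'
node=shark type=USER_AUTH msg=audit(1480622710.000:2211305): user pid=117811 uid=0 auid=0 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=198.51.100.7, terminal=ssh res=failed)'
node=shark type=CRED_DISP msg=audit(1480622800.000:2211400): user pid=9019 uid=0 auid=0 ses=2202 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" (hostname=?, addr=?, terminal=cron res=success)'
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                 # key=value or key="quoted value"
TS_RE = re.compile(r'msg=audit\((\d+(?:\.\d+)?):(\d+)\)')   # epoch seconds and record serial

def parse_record(line):
    """Split one audit record into a dict; quotes and trailing ',' ')' are stripped from values."""
    m = TS_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"').rstrip(",)'") for k, v in KV_RE.findall(line)}
    rec["timestamp"] = float(m.group(1))
    rec["serial"] = int(m.group(2))
    return rec

def ssh_events(text):
    """Keep only the PAM records produced by sshd: exe="/usr/sbin/sshd" with a res= field."""
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("exe") == "/usr/sbin/sshd" and "res" in rec:
            yield rec

def format_time(epoch):
    """Same conversion as `date --date @<epoch>`, rendered in UTC instead of local time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def failed_root_attempts(text):
    """Count res=failed records for acct=root per source address (the pattern the answer flags)."""
    counts = Counter()
    for rec in ssh_events(text):
        if rec.get("res") == "failed" and rec.get("acct") == "root":
            counts[rec.get("addr", "?")] += 1
    return counts
```

On a real box, `failed_root_attempts(open("/var/log/audit/audit.log").read())` gives the per-address tally the answer says to watch for; `format_time` prints 2016-12-01 20:03:32 UTC for the quoted record, the same instant as the EST value shown above.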
Method 6
I know this is old but I wrote something to monitor successful and failed ssh connections/attempts, as well as banned IPs if you're using sshguard. The software is written in Python. It will email you when someone successfully connects via ssh, when someone gets the ssh password wrong or when someone is banned due to too many failed attempts. Hopefully this will help someone in the future who searches for this issue and finds my code!
https://github.com/amboxer21/SSHMonitor
For the python script, I wrote a bash script to monitor the process. It checks if it's running every minute via a root cron task. If it is not running, it starts another process, which is called by a root cron task every minute.
Method 7
The best thing I have ever come across for SSH command logging is rootsh.
This tool allows administrators to get every command from every session with an extensive level of logging.
I have written a script to install and configure ROOTSH in Ubuntu and CentOS/RHEL.
Download it from GitHub, here is the link:
https://gist.githubusercontent.com/mansurali901/e1e3acc7dca13aeca25b68a69571c60f/raw/b1b16f73ec9a974486e4c0c0d65a7d41f2eca718/setup_rootssh.sh
chmod +x setup_rootssh.sh ; sudo ./setup_rootssh.sh
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.