Monitoring ssh logins/logouts
Darren Tucker
dtucker at zip.com.au
Wed Apr 6 21:49:52 EST 2005
Jakob Curdes wrote:
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs.
Which OpenSSH version, and is it a vendor-supplied package or self-compiled?
> "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this?
I think sshd should update last on disconnects; if it doesn't, it should be
investigated.
> I would be grateful for a hint.
The optional audit code in 4.0p1 will catch these disconnect events
and syslog them if you enable it (configure --with-audit=debug).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
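
An added example, not part of the original post or of OpenSSH: one way a log-scanning script can surface the sessions described in the question, by pairing each accepted login with a later close line from the same sshd PID and reporting those that never get one. The log lines are constructed, and the message wording, the function name `pair_sessions` and pairing on PID are assumptions to adapt to the local syslog format.

```python
import re

# Constructed sample syslog lines (not from the original post). Message wording
# follows common sshd/PAM output and is an assumption; adapt to your build.
SAMPLE_LOG = """\
Apr  6 09:00:01 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
Apr  6 09:00:01 host1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr  6 09:05:12 host1 sshd[2150]: Accepted password for bob from 192.0.2.20 port 40002 ssh2
Apr  6 09:05:12 host1 sshd[2150]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Apr  6 09:30:44 host1 sshd[2101]: pam_unix(sshd:session): session closed for user alice
Apr  6 09:41:07 host1 sshd[2207]: Failed password for root from 192.0.2.99 port 40003 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
CLOSE = re.compile(r"session closed for user (?P<user>\S+)")


def pair_sessions(log_text):
    """Pair logins with logouts by sshd PID; return (closed, unterminated)."""
    open_by_pid, closed, unterminated = {}, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        pid, ts, msg = m["pid"], m["ts"], m["msg"]
        accepted = ACCEPT.match(msg)
        if accepted:
            # A reused PID means the earlier session ended with no close line.
            if pid in open_by_pid:
                unterminated.append(open_by_pid.pop(pid))
            open_by_pid[pid] = {"user": accepted["user"], "src": accepted["src"],
                                "pid": pid, "login": ts, "logout": None}
        elif CLOSE.search(msg) and pid in open_by_pid:
            session = open_by_pid.pop(pid)
            session["logout"] = ts
            closed.append(session)
    # Anything still open at end of log has no recorded disconnect.
    return closed, unterminated + list(open_by_pid.values())


if __name__ == "__main__":
    done, missing = pair_sessions(SAMPLE_LOG)
    for s in done:
        print(f"{s['user']} from {s['src']}: {s['login']} -> {s['logout']}")
    for s in missing:
        print(f"NO LOGOUT LOGGED: {s['user']} from {s['src']} (sshd[{s['pid']}]) since {s['login']}")
```

A session reported as unterminated may simply still be active, so compare the list against currently running sshd processes before treating it as a missed disconnect.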