Monitoring ssh logins/logouts
Jakob Curdes
jc at info-systems.de
Wed Apr 6 23:40:08 EST 2005
Darren Tucker wrote:
> Jakob Curdes wrote:
>
>> we are trying to monitor ssh logins on security-critical machines
>> with a script that scans logfiles for the relevant entries.
>> A problem is that when the ssh connection is closed by a network
>> interruption or by closing the window with the ssh client, we do not
>> find a corresponding entry in the logs.
>
>
> Which OpenSSH version, and is it a vendor-supplied package or
> self-compiled?
>
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 self-compiled.
>
> I think sshd should update last on disconnects, if it doesn't it
> should be investigated.
>
I checked in what situations the problem occurs - it turns out that most
closed connections are displayed properly by last.
Problems arise e.g. when the session is closed through a reconnecting
DSL router; those connections are displayed as "still logged in" while
the connection on the client side has been closed long ago.
>
> The optional audit code in 4.0p1 and will catch these disconnect
> events and syslog them if you enable it (configure --with-audit=debug).
>
I will play around with that option and see if we can excerpt the
relevant information from the additional messages.
Thank you for your hints,
Jakob Curdes
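
The log-scanning approach discussed in this thread, as an added example that is not part of the original messages: it pairs sshd login lines with session-close lines by PID and reports logins that have no matching close after a chosen age. The log layout (a PAM-enabled sshd writing "Accepted ..." and "session closed ..." lines), the sample lines, and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog layout of a PAM-enabled sshd;
# hosts, users and addresses are made up, not taken from the thread).
SAMPLE_LOG = """\
Apr  6 09:00:01 host1 sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Apr  6 09:00:01 host1 sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr  6 09:05:12 host1 sshd[2150]: Accepted password for bob from 192.0.2.77 port 51820 ssh2
Apr  6 09:40:30 host1 sshd[2101]: pam_unix(sshd:session): session closed for user alice
Apr  6 23:30:00 host1 sshd[2990]: Accepted password for carol from 192.0.2.5 port 33000 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
CLOSE = re.compile(r"session closed for user (\S+)")


def unclosed_sessions(log_text, now, max_age, year=2005):
    """Return (user, source, pid, login_time) for logins without a logged close.

    Classic syslog timestamps carry no year, so the caller supplies one.
    A hit is only a candidate: the session may be idle but alive, or it may
    have died without a logout record, so cross-check it against the
    processes actually running on the host.
    """
    open_by_pid = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line in the assumed layout
        stamp, pid, msg = m.groups()
        stamp = " ".join(stamp.split())  # collapse the padded day field
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        accepted = ACCEPT.match(msg)
        if accepted:
            # A reused PID replaces the older entry.
            open_by_pid[int(pid)] = (accepted.group(1), accepted.group(2), when)
        elif CLOSE.search(msg):
            open_by_pid.pop(int(pid), None)
    return sorted(
        (user, src, pid, when)
        for pid, (user, src, when) in open_by_pid.items()
        if now - when > max_age
    )


if __name__ == "__main__":
    now = datetime(2005, 4, 6, 23, 40, 8)
    for user, src, pid, when in unclosed_sessions(SAMPLE_LOG, now, timedelta(hours=8)):
        print(f"no logout logged: {user} from {src} (sshd pid {pid}, login {when})")
```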