[Klug-general] Auditing SSH login sessions
David Halliday
david.halliday at gmail.com
Fri May 27 11:45:28 UTC 2011
On 27 May 2011 11:59, Colin McCarthy <binarysignal at gmail.com> wrote:
> Hi all, especially server peoples :)
>
> I need to audit SSH sessions against a specific account. This account is
> used by a company that is connected to our network via a VPN. I need to
> know how many times, when and for how long, they login within a 30 day
> period.
>
>
Check the man page for your ssh daemon and the CentOS configuration.
Apparently SSH can log to /var/log/system
Try these commands to comb your log directory:
grep -ir ssh /var/log/*
grep -ir breakin /var/log/*
grep -ir security /var/log/*
> The server is running CentOS. I've looked in the /var/log/audit/audit.log*
> files and I can see my logon attempts but none of theirs. This is assuming
> they have actually connected at some point. The log files are not easy for
> me to read....any idea where date and time is stored :) Is it in some
> strange Unix value of seconds since 1901? :)
>
Info on timestamp & an online converter:
http://www.unixtimestamp.com/index.php
>
> Also how can I make sure our logs record 30 days worth of records. Or can
> I script something specifically to watch out for and record that account?
>
>
You might be able to do this in the SSH configuration; if not, then cron a
job to copy out the log each night and rename it to
"ssh-log-$(date +%F).txt"
Thanks
>
> See you all tomorrow
>
> Colin
>
> _______________________________________________
> Kent mailing list
> Kent at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/kent
>
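
An added example, not part of the original thread: one way to answer "how many times, when and for how long" for a single account is to pair the pam_unix "session opened" and "session closed" lines that sshd writes through syslog, matching them on the sshd PID. The account name "vendor", the host name, addresses, PIDs and log lines below are constructed, and the year is passed in as an assumption because syslog timestamps do not carry one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog format sshd uses; the host name, account
# name "vendor", addresses and PIDs are made up for this example.
SAMPLE_LOG = """\
May 20 09:00:01 gw sshd[2101]: Accepted password for vendor from 10.8.0.5 port 40022 ssh2
May 20 09:00:01 gw sshd[2101]: pam_unix(sshd:session): session opened for user vendor by (uid=0)
May 20 09:42:31 gw sshd[2101]: pam_unix(sshd:session): session closed for user vendor
May 21 14:10:00 gw sshd[2200]: pam_unix(sshd:session): session opened for user colin by (uid=0)
May 21 14:20:00 gw sshd[2200]: pam_unix(sshd:session): session closed for user colin
May 26 23:55:10 gw sshd[2307]: pam_unix(sshd:session): session opened for user vendor by (uid=0)
May 27 00:05:10 gw sshd[2307]: pam_unix(sshd:session): session closed for user vendor
May 27 11:30:00 gw sshd[2411]: pam_unix(sshd:session): session opened for user vendor by (uid=0)
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: "
    r"pam_unix\(sshd:session\): session (opened|closed) for user (\S+)"
)

def sessions_for(user, log_text, year, now, days=30):
    """Return [(start, end_or_None, duration_or_None)] for `user` in the last `days`."""
    open_by_pid, result = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(4) != user:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid = m.group(2)
        if m.group(3) == "opened":
            open_by_pid[pid] = ts
        elif pid in open_by_pid:
            start = open_by_pid.pop(pid)
            result.append((start, ts, ts - start))
    # Sessions with no "closed" line are still open (or the close was rotated away).
    result += [(start, None, None) for start in open_by_pid.values()]
    cutoff = now - timedelta(days=days)
    return sorted((s for s in result if s[0] >= cutoff), key=lambda s: s[0])

if __name__ == "__main__":
    now = datetime(2011, 5, 27, 12, 0, 0)
    found = sessions_for("vendor", SAMPLE_LOG, 2011, now)
    for start, end, length in found:
        print(start, "->", end or "still open", length or "")
    print(len(found), "sessions in the last 30 days")
```

To run it against real data, pass the concatenated contents of the current and rotated sshd log files as `log_text`; a session whose "opened" line has already been rotated away cannot be paired and is skipped.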