1

Let's assume there are two servers (Server A and Server B). I am seeing root ssh failed login attempts from Server A to Server B. ssh for root login has been disabled for both of the servers.

I would like to find out all the command history on Server A, i.e. find all users who ran ssh on Server A.

Or

Add auditing on Server B in such a way that the log message will show the OS id from Server A that was trying to ssh as root from A.

Example: User1 is present on Server A and tries to ssh to Server B as root, with failed login attempts. The Server B log should display that ssh for root failed and that it came from Server A by user User1.

Note: No one can log in to Server A apart from Admin. There are also no crontab entries on Server A. I suspect the vendor package that has been installed on Server A may be doing ssh as root to Server B, as both are part of a cluster.

somu
  • 11
  • 1

2 Answers

1

I would like to find out all the command history on Server A, i.e. find all users who ran ssh on Server A

Like Gilles said on this topic, you can use:

getent passwd | cut -d : -f 6 | sed 's:$:/.bash_history:' | xargs -d '\n' grep -s -H -e "ssh" 

Add auditing on Server B in such a way that the log message will show the OS id from Server A that was trying to ssh as root from A

What is the purpose of showing the OS id? And what is it?

1

Unless you pre-configured auditing with auditd (to log calls to either specifically the ssh client or all executables/commands) you're unlikely to already have any form of comprehensive log with all past events on that particular server.

Your admins may have erroneously committed a sudo ssh server-B and then that action should be logged (depending on your distribution) in /var/log/[authlog | secure].

You could check the ~/.bash_history files of your users, but that will only have a record of user actions in interactive login sessions and won't record anything when the user overrides the command history collection or when the ssh sessions were for instance initiated by a script.

HBruijn
  • 72,524
  • 21
  • 127
  • 192
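An added example, not part of either answer above: once an auditd rule on Server A tags every execution of the ssh client, the raw audit records can be reduced to who started each connection. The rule key `ssh_client`, the client path `/usr/bin/ssh`, the function names and the sample records are assumptions made for this illustration.

```shell
# Assumed rule on Server A (root, auditd running, client at /usr/bin/ssh):
#   auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/ssh -k ssh_client

# Print one line per ssh_client event from raw audit.log records:
# login uid (auid), uid, parent pid and the command line that was executed.
ssh_exec_summary() {
    awk '
    function field(name,   i, kv) {      # value of name=... on the current line
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name) { gsub(/"/, "", kv[2]); return kv[2] }
        }
        return ""
    }
    {   # event serial: the number after ":" in msg=audit(TIME:SERIAL):
        id = $2; sub(/\):$/, "", id); sub(/^.*:/, "", id)
    }
    $1 == "type=SYSCALL" && field("key") == "ssh_client" {
        auid = field("auid")
        # 4294967295 means no login session: a daemon or boot-time service
        if (auid == "4294967295") auid = "unset"
        who[id] = "auid=" auid " uid=" field("uid") " ppid=" field("ppid")
        order[++n] = id
    }
    $1 == "type=EXECVE" {                # argv of the same event (a0, a1, ...)
        args = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            args = args (args == "" ? "" : " ") v
        }
        cmd[id] = args
    }
    END { for (j = 1; j <= n; j++) print who[order[j]] " cmd=" cmd[order[j]] }
    ' "$@"
}

# Constructed sample records (not from a real host): one interactive admin
# session and one ssh started by a service with no login uid.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2290 auid=1000 uid=1000 gid=1000 comm="ssh" exe="/usr/bin/ssh" key="ssh_client"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="ssh" a1="admin@serverB"
type=SYSCALL msg=audit(1700000300.442:617): arch=c000003e syscall=59 success=yes exit=0 ppid=884 pid=3051 auid=4294967295 uid=0 gid=0 comm="ssh" exe="/usr/bin/ssh" key="ssh_client"
type=EXECVE msg=audit(1700000300.442:617): argc=2 a0="ssh" a1="root@serverB"
EOF
}

sample_audit_log | ssh_exec_summary
```

An event with `auid=unset` and `uid=0` was not started from any login session, so the `ppid` is the lead to follow to the launching service or package. On a live host the same function can be pointed at the audit log file, or `ausearch -k ssh_client -i` gives an interpreted view of the same events.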