For some internal reasons, several people in our company are sharing the same USERNAME when connecting to SERVER, but they connect from different clients and machines.
We need to track what each IP address does on the server.
Can you suggest how to store the time history of the commands organized by IP address, and not by USERNAME (which would be much easier)? Is that even possible?
Specifics: SERVER has Ubuntu 14.04.4 LTS installed, and people are connecting and doing operations on it from both Windows and Linux machines.
Whoever voted down, could at least explain how to improve this question? – dario – 2016-08-03T14:01:25.037
On Linux, both the `last` command and a perusal of `/var/log/auth.log` will give you that info, no sweat. – MariusMatutiae – 2016-08-05T07:36:36.497
And I agree your question does not deserve a downvote, I redressed your situation. – MariusMatutiae – 2016-08-05T07:37:44.667
@MariusMatutiae Thank you for your comments. It's the right starting point to fix my problem. This file is huge and contains so many lines like: 'Received disconnect from 121.*: [preauth]'. Anyway I suppose I can use this content to track who was connected when a certain problem happened. Thank you – dario – 2016-08-05T10:17:47.367
The line you mention, `'Received disconnect from 121.*: [preauth]`, is what happens when one tries to log in, and cannot/does not try to authenticate. It might be a break-in attempt. Keep your eyes wide open. – MariusMatutiae – 2016-08-05T10:27:57.707
You may want to ban some IPs, if you see many attempts to break in from the same address. Use `iptables` for that. – MariusMatutiae – 2016-08-05T10:29:17.177
I'll certainly ban some of them. Thank you for your comments, it was really helpful. – dario – 2016-08-07T12:17:27.343
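The `/var/log/auth.log` approach from the comments, as an added example that is not part of the original thread: it groups SSH login sessions of a shared account by source address and counts `[preauth]` disconnects per address. The sample lines, the account name `shared` and the addresses are constructed; pairing a login with its "session closed" line by sshd PID is an assumption about how the daemon logs. The log attributes login sessions to addresses, not the commands run inside them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the sshd syslog format of /var/log/auth.log
# (documentation-range IPs, hypothetical account name "shared").
SAMPLE = """\
Aug  5 10:01:12 server sshd[2201]: Accepted password for shared from 192.0.2.10 port 50122 ssh2
Aug  5 10:01:12 server sshd[2201]: pam_unix(sshd:session): session opened for user shared by (uid=0)
Aug  5 10:05:40 server sshd[2290]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Aug  5 10:05:44 server sshd[2291]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Aug  5 10:07:03 server sshd[2305]: Accepted publickey for shared from 198.51.100.23 port 41877 ssh2
Aug  5 10:30:45 server sshd[2201]: pam_unix(sshd:session): session closed for user shared
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
CLOSED = re.compile(r"session closed for user \S+")
PREAUTH = re.compile(r"Received disconnect from (\S+): .*\[preauth\]")

def sessions_by_ip(lines):
    """Return {ip: [{user, method, start, end}]}; end is None if still open."""
    by_ip, open_by_pid = defaultdict(list), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        a = ACCEPTED.search(msg)
        if a:
            rec = {"user": a.group(2), "method": a.group(1), "start": ts, "end": None}
            by_ip[a.group(3)].append(rec)
            open_by_pid[pid] = rec  # assumption: the same sshd PID logs the close
        elif CLOSED.search(msg) and pid in open_by_pid:
            open_by_pid.pop(pid)["end"] = ts
    return dict(by_ip)

def preauth_disconnects(lines):
    """Count '[preauth]' disconnects per source address."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        p = m and PREAUTH.search(m.group(3))
        if p:
            counts[p.group(1)] += 1
    return counts

if __name__ == "__main__":
    for ip, recs in sessions_by_ip(SAMPLE).items():
        for r in recs:
            print(ip, r["user"], r["method"], r["start"], "->", r["end"])
    print(preauth_disconnects(SAMPLE).most_common())
```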