SSH Advanced Logging

4

I've installed OpenSUSE on my server and want to set ssh to log every command which is sent to the system over it.

I've found this in my sshd_config:

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

I guess that both of those directives have to be uncommented, but I'd like to log every command, not only authorization (login/logout via SSH). I just want to know, if someone breaks into my system, what he did.

Radek Simko

Posted 2010-06-16T19:12:56.973

Reputation: 392

Answers

1

history does this automatically: log in as the user that was logged into through ssh and execute:

history

It shows the history of commands executed by that specific user.

history > command.log

will save the history to the file "command.log".

More about history: http://en.wikipedia.org/wiki/History_%28Unix%29 and http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?history

Command line history should also be stored in .bash_history (file in the user's home directory) when using bash (properly).

BloodPhilia

Posted 2010-06-16T19:12:56.973

Reputation: 27 374

bash history is not used in ssh commands that don't start a bash shell. – user3338098 – 2016-04-11T14:36:24.540

Can this (the report from "history" command) be cleared by possible attacker? – Radek Simko – 2010-06-16T19:57:54.230

It could, but any other log could be cleared as well... – BloodPhilia – 2010-06-16T20:03:47.623

There are a few source code additions to SSHD which will log all SSH input and output. These files are written & owned by root and often sent to syslog. The user cannot clear these logfiles. However, I'm not aware of any publicly-available code, and OpenSSH is a BSD licensed product so there is no requirement to redistribute any changes in the code. – Stefan Lasiewski – 2010-06-16T20:28:46.803

0

Your best bet would be to install Fail2Ban and ignore the SSH logging. Preventing the break-in is worth much more than seeing what an attacker might have done, especially when you assume that if he breaks in he could remove the logfile.

Josh K

Posted 2010-06-16T19:12:56.973

Reputation: 11 754

0

If someone can break into your system, (s)he probably is smart enough to delete the history file and tamper with the logs. To make things harder for the bad guy:

  • Take a look at SELinux / GRsecurity and Linux auditing features
  • Set up a centralized logging server and make your syslog daemon (I prefer syslog-ng) forward all your log files there. Make sure your logging server is behind a tight firewall, with only the logging port open for incoming connections (from your other servers).
  • Consider using rootsh or some equivalent of it.

Janne Pikkarainen

Posted 2010-06-16T19:12:56.973

Reputation: 6 717
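As an added example (not code from any answer on this page), the following profile fragment ties the two points above together: each interactive bash command is sent to syslog, so the record lands in a root-owned log that the syslog daemon can forward to the central server, instead of in the user-writable .bash_history. The install path /etc/profile.d/cmdlog.sh, the facility local6 and the tag cmdlog are assumptions; a user who controls the shell can still unset the hook, and non-interactive ssh commands never reach PROMPT_COMMAND, so this complements rootsh or auditd rather than replacing them.

```bash
#!/bin/bash
# Added example, not part of the original post. Assumed install path:
# /etc/profile.d/cmdlog.sh. Logs each interactive bash command to syslog
# so the record is root-owned and forwardable, unlike ~/.bash_history.

CMDLOG_FACILITY="local6.info"   # assumed; route this facility in your syslog daemon
CMDLOG_TAG="cmdlog"             # assumed tag, used to match the records on the log server

# Build one record: who, from where, in which directory, which command.
# Kept free of side effects so it can be checked without a syslog daemon.
cmdlog_format() {
    user="$1"; from="$2"; cwd="$3"; cmd="$4"
    # Collapse newlines so a multi-line command is still one syslog record.
    cmd=$(printf '%s' "$cmd" | tr '\n' ' ')
    printf 'user=%s from=%s cwd=%s cmd=%s' "$user" "$from" "$cwd" "$cmd"
}

# SSH_CLIENT looks like "203.0.113.5 51234 22"; keep only the client address.
cmdlog_client_addr() {
    if [ -n "$1" ]; then
        printf '%s' "${1%% *}"
    else
        printf 'local'
    fi
}

# Turn a "history 1" line ("  123  ls -la") into the bare command.
# Assumes HISTTIMEFORMAT is unset, so no timestamp sits between number and command.
cmdlog_last_command() {
    entry="$1"
    entry="${entry#"${entry%%[![:space:]]*}"}"   # strip leading whitespace
    entry="${entry#"${entry%%[!0-9]*}"}"         # strip the history number
    entry="${entry#"${entry%%[![:space:]]*}"}"   # strip whitespace after the number
    printf '%s' "$entry"
}

# Runs before every prompt and ships the command that just finished.
cmdlog_hook() {
    line=$(cmdlog_format "$(id -un)" \
                         "$(cmdlog_client_addr "${SSH_CLIENT:-}")" \
                         "$PWD" \
                         "$(cmdlog_last_command "$(history 1)")")
    logger -p "$CMDLOG_FACILITY" -t "$CMDLOG_TAG" "$line"
}

# Hook only interactive shells; "ssh host cmd" never evaluates PROMPT_COMMAND.
case $- in *i*) PROMPT_COMMAND="cmdlog_hook${PROMPT_COMMAND:+;$PROMPT_COMMAND}" ;; esac
```

On the log server, match the cmdlog tag on the local6 facility and write those records to a file only root can touch; the sending host's user has no way to edit them after the fact.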

0

You said you wanted to log every "command". I assume you mean every command entered in the shell of the user (be it a legitimate user or not). In the following links there are many tools which can do that in a more or less secure way:

Note: as @Janne-Pikkarainen said, if you want to have really secure logs you should send your log files to another machine.

lesmana

Posted 2010-06-16T19:12:56.973

Reputation: 14 930