How can I log SSH access attempts and keep track of what SSH users end up doing on my server?

Tags: ubuntu, security, ssh, logging, ubuntu-server


6 votes

Question


I've had a few security problems with a server of mine because a few SSH users have been causing problems.

So I would like to:

  • Track user logins and logouts
  • Track activity of these SSH users, in order to discover any malicious activity
  • Prevent users from deleting logs
              
 
 

Answers

11 votes, accepted answer



The ssh daemon, sshd, has much of this built in and enabled. Here are some sample lines from /var/log/secure on my machine (names and IP addresses changed):

  Sep  7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
  Sep  7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers
  Sep  7 08:34:28 myhost sshd[7253]: Failed password for illegal user root from 62.75.999.999 port 53393 ssh2
  Sep  7 11:55:18 myhost sshd[11672]: Accepted password for gooduser from 98.999.26.41 port 43104 ssh2
  Sep  7 23:01:28 myhost sshd[22438]: Did not receive identification string from 999.56.32.999
  Sep  8 06:31:30 myhost sshd[21814]: Accepted password for gooduser from 98.999.26.41 port 5978 ssh2

This example shows a couple of attempts by somebody to ssh into this machine as root -- both were denied because root is forbidden. It also shows a successful login by the user named "gooduser".

To fine tune what you see and in which file, read more in the sshd_config man page -- specifically the options for LogLevel and SyslogFacility.

 
 
 
 
4 votes


Following up on what Doug Harris answered (and only addressing part of your question - this seems to be how I work), the Logwatch package will email you a daily summary of a number of server logs, including the SSHd log. I get a summary of who successfully logged in via SSH, how many times, and from where, as well as what IPs tried to log in unsuccessfully and what credentials they used. It gets long if someone tries a brute-force SSH attack on a host where I'm allowing password authentication (I try to avoid that, favoring RSA keys instead, but the customer is always right and doesn't always understand public-key authentication. Anyway.)

To install Logwatch (which is basically just a collection of Perl filters for digesting various log formats) on Ubuntu, use apt-get install logwatch and then edit /etc/cron.daily/00logwatch, replacing --output mail with --mailto you@yourdomain.com. You'll get one a day. You can add more flags to tune which logs Logwatch actually reads.
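The following is an added example, not code from either the accepted answer or this one. It does over sshd's syslog lines what the accepted answer reads by eye from /var/log/secure and what the Logwatch sshd filter does once a day: classify each sshd message (accepted, failed, DenyUsers rejection, no identification string), count them per user and per source address, and flag sources with many failures as probable brute-force runs. The log lines inside it are constructed (they extend the accepted answer's sample with a few more failures and a non-sshd line), the threshold of five failures is an arbitrary assumption, and on Ubuntu the file to feed it is /var/log/auth.log.

```python
"""Summarise sshd authentication events from a syslog-style auth log.

Added example, not code from the answers above.  It reads the lines sshd
writes via syslog (/var/log/auth.log on Ubuntu; the accepted answer quoted
them from /var/log/secure) and builds the kind of summary Logwatch mails out
daily: accepted logins per user and source, failed attempts per user and
source, DenyUsers rejections, connections that sent no identification string,
and sources whose failure count looks like a brute-force run.
SAMPLE_LOG is constructed for this example; it extends the answer's lines.
"""
import re
import sys
from collections import Counter

# The syslog prefix is shared by every daemon; only lines from sshd are kept.
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# One pattern per message type.  Old OpenSSH logged "illegal user", newer
# releases log "invalid user"; both mean the account does not exist.
MESSAGES = {
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "denied": re.compile(r"^User (?P<user>\S+) not allowed because listed in DenyUsers"),
    "no_id": re.compile(r"^Did not receive identification string from (?P<ip>\S+)"),
}

# Constructed sample: the accepted answer's lines plus extra failures from the
# same source, a public-key login and one line from another daemon.
SAMPLE_LOG = """\
Sep  7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
Sep  7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers
Sep  7 08:34:28 myhost sshd[7253]: Failed password for illegal user root from 62.75.999.999 port 53393 ssh2
Sep  7 08:34:31 myhost sshd[7301]: Failed password for invalid user admin from 62.75.999.999 port 53401 ssh2
Sep  7 08:34:33 myhost sshd[7308]: Failed password for invalid user oracle from 62.75.999.999 port 53410 ssh2
Sep  7 08:34:35 myhost sshd[7315]: Failed password for gooduser from 62.75.999.999 port 53418 ssh2
Sep  7 11:55:18 myhost sshd[11672]: Accepted password for gooduser from 98.999.26.41 port 43104 ssh2
Sep  7 23:01:28 myhost sshd[22438]: Did not receive identification string from 999.56.32.999
Sep  8 06:31:30 myhost sshd[21814]: Accepted publickey for gooduser from 98.999.26.41 port 5978 ssh2: RSA SHA256:constructedfingerprint
Sep  8 06:31:30 myhost CRON[21900]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_event(line):
    """Classify one log line; returns None for lines not written by sshd."""
    m = PREFIX.match(line)
    if m is None:
        return None
    event = {"kind": "other", "ts": m.group("ts"), "pid": int(m.group("pid")),
             "msg": m.group("msg")}
    for kind, pattern in MESSAGES.items():
        mm = pattern.match(m.group("msg"))
        if mm:
            event["kind"] = kind
            event.update(mm.groupdict())
            break
    return event


def summarise(lines, brute_force_threshold=5):
    """Count events per (user, source) and per source.  A source with at least
    brute_force_threshold failures is reported as a probable brute-force run;
    the threshold is an arbitrary choice for this example."""
    accepted, failed, failed_by_ip, denied, no_id = (Counter() for _ in range(5))
    for line in lines:
        ev = parse_event(line.rstrip("\n"))
        if ev is None:
            continue
        if ev["kind"] == "accepted":
            accepted[(ev["user"], ev["ip"])] += 1
        elif ev["kind"] == "failed":
            failed[(ev["user"], ev["ip"])] += 1
            failed_by_ip[ev["ip"]] += 1
        elif ev["kind"] == "denied":
            denied[ev["user"]] += 1
        elif ev["kind"] == "no_id":
            no_id[ev["ip"]] += 1
    suspects = sorted(ip for ip, n in failed_by_ip.items() if n >= brute_force_threshold)
    return {"accepted": accepted, "failed": failed, "denied": denied,
            "no_id": no_id, "brute_force_sources": suspects}


def format_report(summary):
    """Render the summary as the plain-text digest one would mail out."""
    out = ["Accepted logins (user, source, count):"]
    for (user, ip), n in sorted(summary["accepted"].items()):
        out.append("  %-12s %-16s %d" % (user, ip, n))
    out.append("Failed logins (user, source, count):")
    for (user, ip), n in sorted(summary["failed"].items()):
        out.append("  %-12s %-16s %d" % (user, ip, n))
    out.append("DenyUsers rejections: " +
               (", ".join("%s x%d" % kv for kv in sorted(summary["denied"].items())) or "none"))
    out.append("No identification string from: " + (", ".join(sorted(summary["no_id"])) or "none"))
    out.append("Probable brute-force sources: " + (", ".join(summary["brute_force_sources"]) or "none"))
    return "\n".join(out)


if __name__ == "__main__":
    # With a path (e.g. /var/log/auth.log) the real log is read; without one
    # the constructed sample is summarised.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(format_report(summarise(lines)))
```

Run it as `python3 sshd_summary.py /var/log/auth.log` (root or adm group membership is needed to read that file). The one thing worth keeping from this beyond the counts is the source-based view: password-spraying tools rotate usernames, so a per-user count stays small while the per-source count is what crosses the threshold.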

 
 
3 votes



One very complete way of tracking users is to use auditd. It's a kernel-level way to track whatever you need to audit. It should be bundled with Ubuntu Server and, if not already running, should be startable with sudo service auditd start.

There are plenty of configuration examples for it under /usr/share/doc/auditd/ or somewhere similar, and of course if you Google for "auditd tutorial" you'll be rewarded with many, many tutorials.

The reports generated by auditd are stored in the /var/log/audit/ directory. They can also be parsed into a more human-readable form with tools like aureport and ausearch, which should also already be bundled with Ubuntu Server.
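An added example, not from this answer, of reading auditd's raw records directly rather than through ausearch. It assumes an execve rule with the key "user-cmds" (the rule in the docstring is ordinary auditctl syntax; the key name and every record in the sample are constructed for this example). It shows two things the answer does not spell out: each command is recorded with the login uid (auid), which is fixed at SSH login and survives su and sudo, so a command run as root can still be attributed to the SSH user who started the session; and arguments containing spaces or quotes are hex-encoded in the EXECVE record, so a plain grep over audit.log for ".bash_history" misses exactly the commands that matter here.

```python
"""Reconstruct the commands auditd recorded for logged-in users and flag the
ones that touch logs or shell history.

Added example, not code from the answer above.  It assumes an execve rule in
/etc/audit/rules.d/, for example
    -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user-cmds
so that every command run by a real user is written to /var/log/audit/audit.log
as a SYSCALL record plus an EXECVE record sharing one event serial.  The
login uid (auid) is set at login and survives su/sudo, which is what lets the
activity of an SSH user be followed after a privilege change.  The records
in SAMPLE_AUDIT_LOG are constructed for the example.
"""
import re
import sys

RECORD = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD = re.compile(r'(?P<key>[\w\[\]]+)=(?P<val>"[^"]*"|\S+)')
HEX = re.compile(r"^[0-9A-Fa-f]+$")
# Substrings in an argument vector that warrant a human look (example choice).
WATCHED = ("/var/log", ".bash_history", "HISTFILE")


def decode_arg(raw):
    """EXECVE arguments are quoted when printable, hex-encoded (no quotes) when
    they contain spaces, quotes or non-printable bytes, and "(null)" if absent."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return ""
    if HEX.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """Split one audit.log line into its type, timestamp, serial and fields."""
    m = RECORD.match(line)
    if m is None:
        return None
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": dict(FIELD.findall(m.group("body")))}


def extract_commands(lines):
    """Join each SYSCALL record with the EXECVE record carrying the same serial.
    Long arguments that auditd splits into aN[0]=, aN[1]=... chunks are not
    reassembled here; only whole aN= values are decoded."""
    events = {}  # serial -> event; dict insertion order keeps the log order
    for line in lines:
        rec = parse_record(line.strip())
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"serial": rec["serial"], "ts": rec["ts"]})
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            ev.update(auid=int(f.get("auid", -1)), uid=int(f.get("uid", -1)),
                      tty=f.get("tty", ""), ses=f.get("ses", ""),
                      exe=decode_arg(f.get("exe", "(null)")),
                      success=f.get("success") == "yes",
                      key=decode_arg(f.get("key", "(null)")))
        elif rec["type"] == "EXECVE":
            argc = int(f.get("argc", "0"))
            ev["argv"] = [decode_arg(f.get("a%d" % i, "(null)")) for i in range(argc)]
    return [ev for ev in events.values() if "argv" in ev and "exe" in ev]


def flag_suspicious(cmds, watched=WATCHED):
    """Pick out commands a human should look at: an argument vector naming a
    log or history file, or a uid different from the login uid (auid), which
    is how a command run under sudo or su shows up."""
    flagged = []
    for c in cmds:
        reasons = [w for w in watched if w in " ".join(c["argv"])]
        if c["uid"] != c["auid"]:
            reasons.append("uid %d differs from login uid %d" % (c["uid"], c["auid"]))
        if reasons:
            flagged.append({**c, "reasons": reasons})
    return flagged


def report(cmds):
    return "\n".join(
        "serial %d auid=%d uid=%d tty=%s ses=%s: %s  [%s]" % (
            c["serial"], c["auid"], c["uid"], c["tty"], c["ses"],
            " ".join(c["argv"]), "; ".join(c["reasons"]))
        for c in flag_suspicious(cmds))


def _hex(s):
    # auditd's own encoding for arguments that are not plain printable text
    return s.encode().hex().upper()


# Constructed sample: one login session (auid 1001, ses 7) running a harmless
# ls, then rm as root via sudo, then a shell one-liner that empties history.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=SYSCALL msg=audit(1631000000.101:301): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4101 pid=4150 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="ls" exe="/usr/bin/ls" key="user-cmds"',
    'type=EXECVE msg=audit(1631000000.101:301): argc=2 a0="ls" a1="-la"',
    'type=PROCTITLE msg=audit(1631000000.101:301): proctitle=' + _hex("ls\0-la"),
    'type=SYSCALL msg=audit(1631000000.220:302): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4190 pid=4191 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=7 comm="rm" exe="/usr/bin/rm" key="user-cmds"',
    'type=EXECVE msg=audit(1631000000.220:302): argc=3 a0="rm" a1="-f" a2="/var/log/auth.log"',
    'type=SYSCALL msg=audit(1631000000.330:303): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4101 pid=4210 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="sh" exe="/usr/bin/dash" key="user-cmds"',
    'type=EXECVE msg=audit(1631000000.330:303): argc=3 a0="sh" a1="-c" a2=' + _hex('echo "" > ~/.bash_history'),
])

if __name__ == "__main__":
    # With a path (normally /var/log/audit/audit.log, readable by root only)
    # the real log is analysed; without one the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            cmds = extract_commands(fh)
    else:
        cmds = extract_commands(SAMPLE_AUDIT_LOG.splitlines())
    print(report(cmds) or "nothing flagged")
```

Run as root with `python3 audit_cmds.py /var/log/audit/audit.log`. On the sample it flags serial 302 twice over (it names /var/log and it ran as uid 0 under login uid 1001) and serial 303 once, for the hex-encoded argument that empties ~/.bash_history; serial 301 is left alone. For the question's third point, note that auditd's own log lives under /var/log/audit, so the rule above also records the attempt to delete it, and the last line of that attempt is written before the file goes away.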

 
 
2 votes



I wouldn't give out SSH accounts, especially to distro-group type people.

Here are a couple of things:

  • last gives you a history of recent logins and logouts.
  • Harden the bash history to prevent wiping out the command history: http://sock-raw.org/papers/bash_history

From "Can history files be unified in bash?":

  Insert the command shopt -s histappend in your .bashrc. This will append to the history file instead of overwriting it. Also in your .bashrc, set PROMPT_COMMAND as below, and the history file will be re-written and re-read each time bash shows the prompt.

    shopt -s histappend
    # ${PROMPT_COMMAND:+...} expands only when PROMPT_COMMAND is already set,
    # so the value never starts with a stray ";" (a syntax error in bash)
    # on systems where nothing had set it before.
    PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND;}history -a; history -n"
 
 

© 2021 it.wenda123.org All Rights Reserved.


Licensed under cc by-sa 3.0 with attribution required.