Discussion:
Log ssh sessions using open source tools
Kaushal Shriyan
2018-11-03 17:08:39 UTC
Hi,

Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.

Thanks in advance, and I look forward to hearing from you.

Best Regards,

Kaushal
Joseph S. Testa II
2018-11-03 19:07:59 UTC
Hi Kaushal,

I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
which is a penetration testing tool for man-in-the-middling SSH connections.

If you can ARP spoof a client (or otherwise route connections for
them), and if they ignore the changed host-key warning, then you can
record the full connection stream. You will log their passwords as well
(it doesn't work for key authentication, though). Full SFTP traffic is
captured too.

It might be overkill for what you're trying to do, but I thought I'd
mention it.

- Joe
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
Post by Kaushal Shriyan
Hi,
Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.
Thanks in advance, and I look forward to hearing from you.
Best Regards,
Kaushal
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Vincenzo Romano
2018-11-04 10:11:51 UTC
On Sat, 3 Nov 2018 at 20:12 Joseph S. Testa II
Post by Joseph S. Testa II
Hi Kaushal,
I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
which is a penetration testing tool for man-in-the-middling SSH connections.
If you can ARP spoof a client (or otherwise route connections for
them), and if they ignore the changed host-key warning, then you can
record the full connection stream. You will log their passwords as well
(it doesn't work for key authentication, though). Full SFTP traffic is
captured too.
It might be overkill for what you're trying to do, but I thought I'd
mention it.
- Joe
--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
Post by Kaushal Shriyan
Hi,
Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.
Thanks in advance, and I look forward to hearing from you.
Best Regards,
Kaushal
Normally the ssh daemon can log a lot of details of an ssh session,
like authentication type, source IP, user name, spawned shell and the
likes.

What you are talking about is shell-related and won't be logged by a
normal ssh daemon.
You'd spoof on the pseudo-tty in order to record a full user tty
session, and that is thus off-topic here.

The MITM approach is something that surely works, at the price of
making ssh security and privacy more similar to those of telnet.
And the users will know you are eavesdropping on their sessions.
--
Vincenzo Romano - NotOrAnd.IT
Information Technologies
--
NON QVIETIS MARIBVS NAVTA PERITVS
Philipp Marek
2018-11-03 19:31:57 UTC
Well, one way might be to have strace active on the ssh process. You can only log program executions like this:

strace -f -p <pid of process> -v -e execve -o <logfile>

Though you'll need to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork, clone, open, close, openat, dup, dup2, setuid, seteuid, setreuid and perhaps a few others in the set of traced syscalls.

I guess that a "restricted shell" might be another way; or, if you have the cooperation of the users involved, a simple "force-command" involving script(1) might work as well.

If you are not sure about users' cooperation, you'll need some protected process - like the strace running as uid 0.
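An added example, not from the thread, that turns the point about parent/child relationships and user IDs into code: a Python parser for `strace -f -o` output that reconstructs each exec'd command together with its effective uid and its process lineage. The sample log is constructed; the traced syscall set follows the suggestion above.

```python
import re
from collections import namedtuple

# Constructed sample of `strace -f -e trace=execve,clone,setuid,seteuid,setreuid,setresuid -o log`
# output for one sshd session; it is not captured from a real host.
SAMPLE_LOG = """\
5883 execve("/usr/sbin/sshd", ["sshd", "-D"], 0x7ffd1 /* 3 vars */) = 0
5883 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f01) = 5884
5884 setreuid(1000, 1000)               = 0
5884 execve("/bin/bash", ["-bash"], 0x55a1 /* 12 vars */) = 0
5884 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f02) = 5885
5885 execve("/usr/bin/curl", ["curl", "-s", "http://example.test/"], 0x55a1 /* 12 vars */) = 0
5884 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f03 <unfinished ...>
5884 <... clone resumed>) = 5886
5886 execve("/usr/bin/sudo", ["sudo", "-i"], 0x55a1 /* 12 vars */) = 0
5886 setresuid(0, 0, 0)                 = 0
5886 execve("/bin/bash", ["-bash"], 0x55a2 /* 14 vars */) = 0
"""
EXEC_RE = re.compile(r'^(\d+)\s+execve\("([^"]*)", \[(.*?)\], .*\)\s*=\s*(-?\d+)')
CLONE_RE = re.compile(r'^(\d+)\s+(?:<\.\.\. )?(?:clone3?|v?fork)(?: resumed>)?.*\)\s*=\s*(\d+)\s*$')
UID_RE = re.compile(r'^(\d+)\s+(setuid|seteuid|setreuid|setresuid)\(([-\d, ]+)\)\s*=\s*0')

ExecEvent = namedtuple("ExecEvent", "pid ppid uid path argv lineage")  # lineage: [pid, ppid, ...] to root

def parse_strace_log(text, root_uid=0):
    """Replay the log: clone/fork lines build the process tree (a child inherits its
    parent's uid), set*uid lines update the effective uid, and each execve that returned 0
    becomes an ExecEvent. The kernel's uid switch when a set-uid binary such as sudo is
    exec'd is not a syscall, so it only shows up once that program calls set*uid itself."""
    parent, uid, events = {}, {}, []
    for line in text.splitlines():
        m = CLONE_RE.match(line)
        if m:
            pid, child = int(m.group(1)), int(m.group(2))
            parent[child], uid[child] = pid, uid.get(pid, root_uid)
            continue
        m = UID_RE.match(line)
        if m:
            args = [int(a) for a in m.group(3).split(",")]
            # setuid/seteuid: new uid is arg 0; setreuid/setresuid: effective uid is arg 1; -1 = unchanged
            new = args[0] if m.group(2) in ("setuid", "seteuid") else args[1]
            if new != -1:
                uid[int(m.group(1))] = new
            continue
        m = EXEC_RE.match(line)
        if m and m.group(4) == "0":                     # ignore failed execve calls
            pid, chain = int(m.group(1)), [int(m.group(1))]
            while chain[-1] in parent:
                chain.append(parent[chain[-1]])
            argv = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(3))
            events.append(ExecEvent(pid, parent.get(pid), uid.get(pid, root_uid), m.group(2), argv, chain))
    return events
```

Feeding the real `-o` file to `parse_strace_log` and printing `uid`, `lineage` and `argv` per event gives the per-user command log the question asks for, with each command tied back to the sshd child that owns the session.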
Damien Miller
2018-11-05 02:42:25 UTC
Post by Kaushal Shriyan
Hi,
Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.
You should look at your operating system's audit functionality. E.g. Linux
has an audit system that can be configured to log all command executions
associated with a PTY (AFAIK).

-d
Jochen Bern
2018-11-05 22:34:11 UTC
Post by Kaushal Shriyan
Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.
Which part of the remote connection is the one you need audited? The
system(s) your users are ssh'ing *out* of, resp. the users themselves
("we need to review what our staff did to whatever customer system they
did support on"), the ones they're ssh'ing *into*, or just some subset
("privileged commands") of the activity on the latter?

For the last case, the use of individual accounts, "sudo", suitable
configurations(*), and the "sudoreplay" tool might give you out of the
box what OpenSSH alone would need to be heavily modified to do.

(*) Namely, making sshd log enough information to identify the incoming
users and making sudo use an I/O logging plugin.

https://www.sudo.ws/man/1.8.25/sudoers.man.html#I/O_LOG_FILES

Regards,
--
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
Konrad Bucheli
2018-11-22 13:22:13 UTC
Hi,

Did you check out log-user-session [1]? It can be used to record the
output of ssh shell sessions in a tamper-proof way. And it is open source.

Cheers

Konrad

[1] https://github.com/open-ch/log-user-session
Post by Kaushal Shriyan
Hi,
Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, and what commands or
scripts are being run. Basically, I need to log all users' sessions.
Thanks in advance, and I look forward to hearing from you.
Best Regards,
Kaushal
--
konrad bucheli
principal systems engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
***@open.ch

http://www.open.ch
halfdog
2018-11-22 14:38:25 UTC
Hello,
Post by Konrad Bucheli
Hi,
Did you check out log-user-session [1]? It can be used to record
the output of ssh shell sessions in a tamper-proof way. And
it is open source.
...
[1] https://github.com/open-ch/log-user-session
Well, using a SUID-binary in that way partially eliminates the
benefits of tamper-proof logging by increasing the attack surface,
e.g. by allowing each user to create arbitrary files using directory
traversal and symlink attacks, e.g. by calling

SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'

to start the directory traversal and lead to the problematic open
missing O_NOFOLLOW

5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3

Without symlink protection, linking the "-[guessable pid].log" file
to "/etc/cron.d/dead" will give you root easily. Even with protection,
something should be possible ...

I am currently also writing a tool for a similar reason. To be
really tamper-proof, my solution is preloaded into SSH to intercept
the encryption master key for each session and send it to a daemon,
which uses a public key to encrypt it and offloads it to another
machine. Together with the full-packet captures of all SSH connections
done by the network infrastructure, I would hope for a tamper-proof
but still secure solution BUT (ha, ha, ha) - it is not ready yet.

Best regards,
hd
Post by Konrad Bucheli
Post by Kaushal Shriyan
Hi,
Are there any open source tools to keep track of ssh sessions?
For example, if a specific user is logging in via ssh to a remote server
and what commands or scripts are being run. Basically, I need
to log all users' sessions.
Thanks in advance, and I look forward to hearing from you.
Best Regards,
Kaushal
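A hardened version of the log-file creation step halfdog criticises above, as an added Python example (not code from log-user-session or from anyone in the thread): the address taken from SSH_CLIENT is accepted only if it parses as an IP literal, and the file is created with O_EXCL and O_NOFOLLOW so a symlink already sitting at the guessable name is refused rather than followed. The log directory and the file naming scheme are assumptions.

```python
import ipaddress
import os
import tempfile

def session_log_name(ssh_client, pid):
    """Build the log file name from $SSH_CLIENT ("addr port serverport") and the session
    pid. Parsing the address with ipaddress means anything that is not a literal IP,
    e.g. '169.254.0.1/../../../../tmp/', is rejected before it can become a path."""
    fields = ssh_client.split()
    if len(fields) != 3:
        raise ValueError("SSH_CLIENT must be 'addr port serverport'")
    addr = ipaddress.ip_address(fields[0])        # ValueError on anything that is not an IP
    return "%s-%d.log" % (addr.compressed.replace(":", "_"), int(pid))

def open_session_log(ssh_client, pid, log_dir="/var/log/user-session"):
    """Create the log with O_CREAT|O_EXCL (never reuse a file that is already there)
    and O_NOFOLLOW (never follow a symlink), then confirm the real path of what we
    opened is inside log_dir. Returns the open file descriptor."""
    path = os.path.join(log_dir, session_log_name(ssh_client, pid))
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o400)
    real_dir = os.path.realpath(log_dir)
    if os.path.commonpath([real_dir, os.path.realpath(path)]) != real_dir:
        os.close(fd)
        raise ValueError("log path escaped %s" % log_dir)
    return fd

def demo():
    """Exercise both defences in a temporary directory and return three booleans:
    traversal in SSH_CLIENT refused, normal log created, pre-existing symlink refused."""
    with tempfile.TemporaryDirectory() as d:
        try:
            open_session_log("169.254.0.1/../../../../tmp/ 1234 22", 5883, d)
            traversal_refused = False
        except ValueError:
            traversal_refused = True
        fd = open_session_log("169.254.0.1 1234 22", 5883, d)
        os.write(fd, b"session start\n")
        os.close(fd)
        created = os.path.isfile(os.path.join(d, "169.254.0.1-5883.log"))
        # the scenario from the thread: a symlink already sits at the guessable name
        os.symlink(os.path.join(d, "elsewhere"), os.path.join(d, "169.254.0.1-5884.log"))
        try:
            open_session_log("169.254.0.1 1234 22", 5884, d)
            symlink_refused = False
        except OSError:
            symlink_refused = True
        return traversal_refused, created, symlink_refused
```

Even with these checks the binary still runs set-uid, so the logging directory should be root-owned and not writable by the logged users; the checks stop the file-placement problem, not the enlarged attack surface halfdog points at.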