By default, OpenSSH writes its log messages to the /var/log/secure authentication log file. At times you need to log a particular host or group of IP addresses to a separate SSH log file, so that their SSH activity can be recorded and monitored on its own.
Create Separate SSH Log File for Particular SSH Client Log Attempts
Here's how to log particular SSH client to separate SSH log file.
Step One
Create the separate SSH log file
# touch /var/log/abusive.log
and make sure it is readable and writable by root.
# chmod 600 /var/log/abusive.log
Step Two
Modify /etc/hosts.allow and append a similar line shown below
sshd: 83.83.83.83 : spawn /bin/echo `/bin/date` from %h %u >> /var/log/abusive.log
Alternatively, you can log a group of hosts to a separate SSH log file
sshd: *.google.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/abusive.log
To group SSH clients into a particular log file
sshd: *.yahoo.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/yahoo-ssh.log
Save and exit. Notice that we use the spawn tcp wrapper operator to log every host under google.com and append the date of each SSH login attempt to the /var/log/abusive.log SSH log file.
Now, to log to a separate SSH log file and also completely deny a particular host under the google.com domain, simply add
sshd: *.google.com : spawn /bin/echo `/bin/date` from %h %c >> /var/log/abusive.log : deny
Save and exit.
There is no need to restart any service such as sshd or xinetd; tcp_wrappers reads /etc/hosts.allow afresh on every connection.
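The spawn line above runs a shell command every time a matching client connects, and the resulting file is only useful if someone reads it. The following is an added example, not part of the original post: a small POSIX shell script that emulates the spawn command's record layout (date, `from`, %h, %u) with the host and user passed in as arguments, and then summarises a log in that layout per client host. The log path, the sample hosts and the sample records are constructed for the demo; nothing is read from a real hosts.allow.

```shell
#!/bin/sh
# Added example: emulate the tcp_wrappers spawn record and summarise the log.
# The real spawn line is run by tcpd via /bin/sh -c, which is why the post uses
# absolute paths (/bin/echo, /bin/date); plain echo/date are used here so the
# script runs on any POSIX shell.

# Append one record in the same layout as the post's spawn line:
#   /bin/echo `/bin/date` from %h %u >> LOG
# $1 = log file, $2 = client host (%h), $3 = client user (%u, default "unknown").
write_attempt() {
    log="$1"; host="$2"; user="${3:-unknown}"
    echo "$(date)" from "$host" "$user" >> "$log"
}

# Print "<count> <host>" for every client host seen in LOG, busiest first
# (ties broken by host name so the output is stable).
top_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i+1)]++; break } }
         END { for (h in c) print c[h], h }' "$1" | sort -k1,1nr -k2,2
}

# Print the number of records in LOG that came from one host (0 if none).
count_for_host() {
    awk -v h="$2" 'BEGIN { n = 0 }
         { for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) == h) { n++; break } }
         END { print n }' "$1"
}

# Stand-alone demo on a constructed log (not real traffic).
demo_log=$(mktemp)
write_attempt "$demo_log" hostname.google.com unknown
write_attempt "$demo_log" hostname.google.com unknown
write_attempt "$demo_log" 83.83.83.83 root
top_sources "$demo_log"
rm -f "$demo_log"
```

Run `top_sources /var/log/abusive.log` as root to get a per-host count of the connections recorded by the spawn rule. Two caveats worth keeping in mind: a domain pattern such as `*.google.com` can only match when the reverse DNS lookup of the client address succeeds, so a client without a PTR record is logged (if at all) by its IP address, and the `%u` username comes from an ident (RFC 1413) lookup that is supplied by the client side and is therefore unreliable as evidence.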
Supported Parameter Expansions
Below is a list of supported expansions:
- %a — The client's IP address.
- %A — The server's IP address.
- %c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
- %d — The daemon process name.
- %h — The client's hostname (or IP address, if the hostname is unavailable).
- %H — The server's hostname (or IP address, if the hostname is unavailable).
- %n — The client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.
- %N — The server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
- %p — The daemon process ID.
- %s — Various types of server information, such as the daemon process and the host or IP address of the server.
- %u — The client's username. If unavailable, unknown is printed.
Monitoring Separate SSH Log File
# tailf /var/log/abusive.log
(tailf is not shipped by newer distributions; tail -f /var/log/abusive.log does the same job.)
Log File
A typical line in /var/log/abusive.log looks like
Fri Jul 25 10:26:52 WAT 2008 from hostname.google.com
The above should work with RedHat, CentOS, Fedora and White OS distributions.
All is done.