The following setup will allow you to track the source user ids, and the commands being executed:
1. In your source "master" server setup an iptables rule to log every SSH outgoing connection, including the user id information:
iptables -I OUTPUT -p tcp --dport 22 --syn -j LOG --log-prefix "new tcp connection: " --log-uid
2. In your target server:
Create a wrapper script for syslog logging of remote command execution:
/usr/local/bin/log_incoming
#!/bin/sh
logger -- "SSH command from $SSH_CLIENT: $@"
$@
~/.ssh/authorized_keys
command="/usr/local/bin/log_incoming $SSH_ORIGINAL_COMMAND",no-port-forwarding,no-X11-forwarding,no-pty SSH_PUB_KEYIn your master server you will get:
Sep 27 15:49:59 hostname kernel: [ 4266.151830] new tcp connection: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9887 DF PROTO=TCP SPT=32858 DPT=22 WINDOW=43690 RES=0x00 SYN URGP=0 UID=1001 GID=1002
In your target server you will get:
Sep 27 15:49:59 hostname username: SSH command from 127.0.0.1 32858 22: ls
Sem comentários:
Enviar um comentário