
I have an Ubuntu server and I want to log all SSH activity on my server.

For this, I found one good document here: How to log all Bash commands by all users on a server? I followed this document and enable the logging on the server. I log the commands with the following line:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

It gives a log of all executed commands on my server (locally executed and over SSH). I have attached the output below.

What I need is that the log file should also contain the username or hostname and the public IP address of the user who connected to my server.

Does anybody have an idea about this?

Output log file:

Aug 7 11:03:34 local ajay: ajay [1906]: sudo rm -rf commands.log*
Aug 7 11:03:36 local ajay: ajay [1906]: ll
Aug 7 11:03:59 local ajay: ajay [1906]: sudo rm -rf messages*
Aug 7 11:04:19 local ajay: ajay [1906]: sudo rm -rf usercommands
Aug 7 11:04:49 local ajay: ajay [1906]: sudo rm -rf history.log
Aug 7 11:05:11 local ajay: ajay [1906]: ll
Aug 7 11:05:21 local ajay: ajay [1906]: cat commands.log
Aug 7 11:05:33 local ajay: ajay [1906]: cat commands.log
Aug 7 11:05:46 local ajay: ajay [1906]: sudo chmod -R 777 commands.log
Aug 7 11:05:48 local ajay: ajay [1906]: cat commands.log
Aug 7 11:06:19 local ajay: ajay [1906]: cat commands.log
Sachin
  • Did you try the command last? – Kiwy Aug 10 '18 at 05:13
  • Yes, I have tried it. It gives only the public IP address of last connected users. Is it possible to know Username or hostname with executed command? – Sachin Aug 10 '18 at 05:43
  • Don't fool yourself, this doesn't log commands executed by SFTP. And anything in a script|alias|function is also hidden. To see who logged on with SSH, check /var/log/auth.log. If you don't trust your users, don't give them access, or chroot them... – xenoid Aug 10 '18 at 08:58
  • Also if you use key-based authentication, you can tell which key was used to login (ie, the real user, even if ids are shared on the server). See here. – xenoid Aug 10 '18 at 09:20

1 Answer

The variable $SSH_CONNECTION gives you the ports and source/destination IP addresses used by the user's connection. So add it as an argument to your logger command.

As in:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$SSH_CONNECTION $(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

For further details, have a look at What are SSH_TTY and SSH_CONNECTION?

As for the hostname, that is dependent on DNS resolution. You can always script for solving the reverse DNS of the logs. There is no directive I am aware of that solves directly to the DNS name.

Rui F Ribeiro
  • What should I do to know the hostname of the user who has accessed my server through SSH? – Sachin Aug 11 '18 at 04:32
  • Ha, good one, forgot that detail. I am aware of a directive, and I would not try to do that in real time due to possible network delays. – Rui F Ribeiro Aug 11 '18 at 08:44
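The answer suggests prepending $SSH_CONNECTION to the logger line and resolving hostnames afterwards by "scripting" over the logs rather than inside PROMPT_COMMAND. The following script is an added example, not code from the question or the answer: it parses lines in the shape that modified PROMPT_COMMAND produces (a syslog prefix, then the four $SSH_CONNECTION fields when the session came over SSH, then user, PID, command and exit status), and then does the reverse-DNS step in batch, with a cache, through a pluggable resolver so it can be run offline. The sample log lines, the 203.0.113.0/24 address (a documentation range) and the fake PTR table are all constructed for the example; field names such as src_ip and src_host are my own choice.

```python
"""Post-process PROMPT_COMMAND/logger lines that carry $SSH_CONNECTION.

Expected line shape (added example; fields after the syslog tag are what the
modified PROMPT_COMMAND from the answer emits):
  Aug  7 11:03:34 host tag: SRC_IP SRC_PORT DST_IP DST_PORT user [pid]: command [status]
For a console (non-SSH) login $SSH_CONNECTION is empty, so the four address
fields are simply absent; the optional group in LINE_RE covers both shapes.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): "
    # src_ip must contain a '.' or ':' so a hex-looking username is never mistaken for it
    r"(?:(?P<src_ip>[0-9A-Fa-f]*[.:][0-9A-Fa-f.:]*) (?P<src_port>\d+) "
    r"(?P<dst_ip>[0-9A-Fa-f]*[.:][0-9A-Fa-f.:]*) (?P<dst_port>\d+) )?"
    r"(?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<status>\d+)\]$"
)

Resolver = Callable[[str], Optional[str]]


def parse_line(line: str) -> Optional[Dict]:
    """Return a structured record, or None for lines that are not command-log lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "host": d["host"], "user": d["user"],
        "pid": int(d["pid"]), "cmd": d["cmd"], "status": int(d["status"]),
        "src_ip": d["src_ip"], "dst_ip": d["dst_ip"],
        "src_port": int(d["src_port"]) if d["src_port"] else None,
        "dst_port": int(d["dst_port"]) if d["dst_port"] else None,
    }


def reverse_dns(ip: str) -> Optional[str]:
    """Default resolver: one PTR lookup, None when nothing resolves.
    Kept out of PROMPT_COMMAND so a slow DNS server never stalls the user's prompt."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def enrich(records: Iterable[Dict], resolver: Resolver = reverse_dns) -> List[Dict]:
    """Tag each record as 'ssh' or 'console' and attach the resolved source hostname."""
    cache: Dict[str, Optional[str]] = {}
    out = []
    for rec in records:
        rec = dict(rec)
        if rec["src_ip"] is None:
            rec["origin"], rec["src_host"] = "console", None
        else:
            if rec["src_ip"] not in cache:  # resolve each address once per run
                cache[rec["src_ip"]] = resolver(rec["src_ip"])
            rec["origin"], rec["src_host"] = "ssh", cache[rec["src_ip"]]
        out.append(rec)
    return out


def describe(rec: Dict) -> str:
    """One human-readable line: who (user@host-or-ip), PID, exit status, command."""
    where = (rec["src_host"] or rec["src_ip"]) if rec["origin"] == "ssh" else "console"
    return f"{rec['ts']} {rec['user']}@{where} [{rec['pid']}] rc={rec['status']}: {rec['cmd']}"


def process(lines: Iterable[str], resolver: Resolver = reverse_dns) -> List[str]:
    """Parse, enrich and render every command-log line; unrelated syslog lines are skipped."""
    parsed = [r for r in (parse_line(l) for l in lines) if r is not None]
    return [describe(r) for r in enrich(parsed, resolver)]


# Constructed sample log (not the asker's real output): two SSH-session commands,
# one console command, and one unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Aug  7 11:03:34 local ajay: 203.0.113.7 51234 192.0.2.10 22 ajay [1906]: sudo rm -rf commands.log* [0]
Aug  7 11:03:36 local ajay: 203.0.113.7 51234 192.0.2.10 22 ajay [1906]: ll [0]
Aug  7 11:05:11 local ajay: ajay [2210]: cat commands.log [1]
Aug  7 11:05:12 local CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed PTR table so the example runs without network access.
FAKE_PTR = {"203.0.113.7": "laptop.example.net"}


def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for line in process(SAMPLE_LOG.splitlines(), fake_resolver):
        print(line)
```

Run it against the real file with `process(open("/var/log/commands.log"), reverse_dns)` (path assumed; use whatever your rsyslog rule for local6 writes to). Two points worth keeping in mind when reading the output: the first two sample commands show the same user deleting the command log, which is exactly the kind of entry this pipeline should surface; and, as xenoid's comment notes, PROMPT_COMMAND only sees interactive bash commands, so the sshd entries in /var/log/auth.log remain the authoritative record of who connected from where.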