Logging port forwarding - SSH



Thread: Logging port forwarding

  1. Logging port forwarding

    Hi!

    I'm trying to figure out whether in OpenSSH there is a simple way to log all opened forwarded connections via ssh. I'm thinking about something like "Event log" in PuTTY, but server-side:

    2005-11-24 12:03:18 Opening forwarded connection to 10.x.x.x:3389
    2005-11-24 12:07:26 Forwarded port closed

    This is required to allow matching network activity with user accounts on the ssh host. In the system log on the ssh host there are no traces of such logging... Is this possible at all without patching sshd code?

    --
    Witold Rugowski

  2. Re: Logging port forwarding

    On 2005-11-25, Witold Rugowski wrote:
    > I'm trying to figure out whether in OpenSSH there is a simple way to log all
    > opened forwarded connections via ssh. I'm thinking about something like
    > "Event log" in PuTTY, but server-side:
    >
    > 2005-11-24 12:03:18 Opening forwarded connection to 10.x.x.x:3389
    > 2005-11-24 12:07:26 Forwarded port closed
    >
    > This is required to allow matching network activity with user accounts
    > on the ssh host. In the system log on the ssh host there are no traces of such
    > logging... Is this possible at all without patching sshd code?


    Connection establishment is logged at level "debug1", so setting "LogLevel
    DEBUG1" or higher in sshd_config will put it in syslog (along with a
    bunch of other stuff). Not sure if connection termination will be
    logged, though.

    Note that if you're using it for audit purposes, it's possible to bypass
    it with a user-run forwarder, eg "ssh yourhost nc remotehost 22".

    If your OS has some kind of kernel-level accounting you might want to
    investigate that.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
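
Added example (not part of the thread and not OpenSSH project code): one way to turn the DEBUG1 output described in the reply into per-user forwarding records. The sample log lines are constructed, and the message wording (`Accepted ...`, `User child is on pid ...`, `server_request_direct_tcpip: ...`) is an assumption that should be checked against the installed sshd version.

```python
import re

# Constructed sample of sshd syslog output at LogLevel DEBUG1 (not from the thread).
# The message wording is an assumption and may differ between OpenSSH versions.
SAMPLE_LOG = """\
Nov 24 12:03:10 gw sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 50112 ssh2
Nov 24 12:03:10 gw sshd[4101]: User child is on pid 4103
Nov 24 12:03:18 gw sshd[4103]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 3390, target 10.0.0.5 port 3389
Nov 24 12:04:02 gw sshd[4210]: Accepted password for bob from 192.0.2.77 port 41022 ssh2
Nov 24 12:04:02 gw sshd[4210]: User child is on pid 4212
Nov 24 12:04:30 gw sshd[4212]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 8080, target 10.0.0.9 port 80
Nov 24 12:05:00 gw sshd[4999]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 1, target 10.0.0.1 port 22
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CHILD = re.compile(r"User child is on pid (?P<child>\d+)")
FORWARD = re.compile(r"server_request_direct_tcpip: originator \S+ port \d+, "
                     r"target (?P<host>\S+) port (?P<port>\d+)")

def attribute_forwards(log_text):
    """Return one record per forwarded connection, tagged with the login it belongs to."""
    session = {}  # sshd pid -> (user, client address)
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (a := ACCEPTED.search(msg)):
            session[pid] = (a["user"], a["ip"])
        elif (c := CHILD.search(msg)) and pid in session:
            # With privilege separation the forward is logged by the child pid,
            # so carry the authenticated identity over to it.
            session[c["child"]] = session[pid]
        elif (f := FORWARD.search(msg)):
            # A forward with no matching login is kept and flagged, not dropped.
            user, ip = session.get(pid, ("UNKNOWN", "UNKNOWN"))
            events.append({"time": m["ts"], "user": user, "client": ip,
                           "target": f"{f['host']}:{f['port']}"})
    return events

if __name__ == "__main__":
    for e in attribute_forwards(SAMPLE_LOG):
        print(e["time"], e["user"], e["client"], "->", e["target"])
```

This only sees forwards that sshd itself opens; the user-run forwarder mentioned in the reply produces no such log line.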
