Re: Monitoring ssh logins/logouts

Darren Tucker schrieb:

> Jakob Curdes wrote:
>
>> we are trying to monitor ssh logins on security-critical machines
>> with a script that scans logfiles for the relevant entries.
>> A problem ist that when the ssh connection is closed by a network
>> interruption or by closing the window with the ssh client, we do not
>> find a corresponding entry in the logs.
>
>
> Which OpenSSH version, and is it a vendor-supplied package or
> self-compiled?
>
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 self-compiled.

>
> I think sshd should update last on disconnects, if it doesn't it
> should be investigated.
>
I checked in what situations the problem occurs - it turns out that most
closed connections are displayed properly by last.
Problems arise e.g. when the session is closed through a reconnectiing
DSL router, those connections are displayed as "sill logged in" while
the connection on the client side has been closed long ago.

>
> The optional audit code in 4.0p1 and will catch these disconnect
> events and syslog them if you enable it (configure --with-audit=debug).
>
I will play around with that option and see if we can excerpt the
relevant information from the additional messages.

Thank you for your hints,

Jakob Curdes

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev