
Log SSH connections with /etc/ssh/sshrc

June 6, 2009 - 5 comments

Yannick over at http://blog.uggy.org always comes up with interesting and valuable tips.

Following his latest post regarding sshrc, I made my own sshrc script.

Unlike his example, I didn’t make SSH email me whenever a connection is made. That would be overkill given the number of connections I can make on a single day.
Instead I’m just logging dates and IPs in a log file of its own, which I plan on keeping forever.

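My /etc/ssh/sshrc:

# Timestamp in the form 06.06.2009 14h16m
DATE=$(date "+%d.%m.%Y %Hh%Mm")
# The first field of SSH_CONNECTION is the client IP address
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
echo "$DATE - $IP" >> /var/log/ssh_connections.log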
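
A variant of the script above that hands the entry to syslog through logger instead of appending to a file, so the log does not have to be writable by every user who can SSH in. This is an added example, not part of the original post; the helper name format_ssh_entry, the auth.info priority and the sshrc tag are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script.
# format_ssh_entry is a hypothetical helper name.

# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
# Build one log line from it, or fail if the value is not four fields.
format_ssh_entry() {
    conn=$1
    user=$2
    set -f            # no filename expansion while splitting
    set -- $conn      # split on whitespace into $1..$4
    set +f
    [ "$#" -eq 4 ] || return 1
    printf 'login user=%s from=%s port=%s to=%s port=%s\n' \
        "$user" "$1" "$2" "$3" "$4"
}

# Only act inside a real SSH session. sshrc must not write to stdout,
# and logger does not. The syslog daemon owns the destination file, so
# login users need no write access to it and cannot edit or truncate
# entries that were already recorded.
if [ -n "${SSH_CONNECTION:-}" ]; then
    entry=$(format_ssh_entry "$SSH_CONNECTION" "${USER:-unknown}") &&
        logger -p auth.info -t sshrc "$entry"
fi
```

sshd runs a user's ~/.ssh/rc instead of /etc/ssh/sshrc when that file exists, so set PermitUserRC no in sshd_config if the record must not be skippable.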

Comments

Nitek

June 6, 2009 - 8:19

Why not use “last”/lastlog?

Sébastien Wains

June 6, 2009 - 14:16

They are binary files, which means I need the last/lastlog command for the logs to be really useful. At some point I may want to just grab the log file using scp, which I can’t with last/lastlog; I need to run the commands to get the info.
Also last/lastlog logs get rotated by default.
It’s overall simpler, at least to me.

Goeldi

June 11, 2009 - 9:48

I use this on the third line:

echo "$DATE - $IP - $USER" >> /var/log/ssh_connections.log

Seb

June 11, 2009 - 9:56

By the way, I forgot to mention /var/log/ssh_connections.log must be writable by users able to SSH in.

sebastiaosantos

June 19, 2009 - 16:41

It’s very simple, but it is a good idea. I use to send mail of connections.
