
Say I have an SSH server, with port forwarding enabled. It's fairly simple for a user to set up an SSH connection and forward BitTorrent traffic or other illegal or abusive traffic over it. How can I set up logging to record what port forwards users make?

interfect
  • For any reasonable level of security, you'll need to make sure the same level of logging is available in all the other programs on your system which might be used to forward traffic - including programs that users write/compile themselves. – Alex Holst Sep 16 '10 at 06:56
  • If you don't trust someone, it would almost certainly be better to simply not give them access to your network. – Zoredache Sep 16 '10 at 07:00
  • @Zoredache So the answer is don't give anyone access to your network? – rox0r Apr 28 '13 at 22:07

4 Answers


I have used the patch on this web page (slightly altered) http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/ to log ssh port forwards.

Halfdime

I'm asking a question here, "How can a SSH host process detect which ports have been forwarded by the client (-R not -L)", to find a more elegant way to do this same thing.

However, since it's not looking like there is a better way, I do it with lsof:

sudo lsof -aPni@127.0.0.1 -Fn -p99999 | grep "^n" | grep -v '\->' | awk -F: '{print $NF}' | sort | uniq

99999 is the PID of the sshd handling the connection you are interested in.

There are a few ways to make use of this snippet. Either have a long-running process that watches for new instances of sshd and then introspects them using the above command, or prefix all .ssh/authorized_keys entries with a custom command which does this, logs it somewhere, then execs the original intended command (SSH_ORIGINAL_COMMAND or the login shell in most cases).

Bo Jeanes

You might try Wireshark. I'm honestly not sure if it will do specifically what you want, but it can certainly determine what users are doing on the network. Spiceworks is another free option.

MaQleod

netstat, ps and some clever cutting & grepping. Netstat can give you the program IDs and ps can give you the user.

user@myhome:~$ ssh user@some.server -R 12345:other.server:22

meanwhile in the other side of the console

root@some.server# netstat -plnt | grep 12345
tcp        0      0 127.0.0.1:12345         0.0.0.0:*               LISTEN     12998/15            
tcp6       0      0 ::1:12345               :::*                    LISTEN     12998/15 
                                                                                 ^ PID!

Of course you won't know the port specified in grep; grep is only here to constrain my output.

and

ps -aux | grep 12998 # the PID
user   12998  0.0  0.1   6624  1920 ?        S    07:57   0:00 sshd: user@pts/15

Et voilà! You know that user "user" is redirecting port 12345 using sshd.

Script and cron something using this.

theist
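As an added example (not code from either answer), the script below automates what the netstat + ps answer and the PID-based lsof answer do by hand: it joins the listening sockets reported by `netstat -plnt` with the per-connection `sshd: user@pts/N` processes from `ps aux`, so each port bound on the server is attributed to the logged-in user who opened it. It covers -R forwards, which listen on the server; -L forwards show up only as outbound connections and are not caught this way. Sample command output is constructed inline (same shape as the answer above) so it runs offline; the log-line format and the `sshd-forward` tag are assumptions.

```python
"""Log sshd reverse (-R) forwards by joining `netstat -plnt` with `ps aux` output."""
import re
import subprocess

# Constructed sample of `netstat -plnt` output (same shape as the answer above).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:12345         0.0.0.0:*               LISTEN      12998/15
tcp6       0      0 ::1:12345               :::*                    LISTEN      12998/15
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      13010/2
"""
# Constructed sample of `ps aux` output; only "sshd: <login>@<tty>" sessions matter.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.1   6624  1920 ?        Ss   07:00   0:00 /usr/sbin/sshd -D
user     12998  0.0  0.1   6624  1920 ?        S    07:57   0:00 sshd: user@pts/15
alice    13010  0.0  0.1   6624  1920 ?        S    08:02   0:00 sshd: alice@pts/2
"""

# Local address, port and PID of each LISTEN socket (netstat -p needs root to show all PIDs).
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/")
# PID and login name of per-connection sshd children; skips the daemon and "[priv]" monitors.
SESSION_RE = re.compile(r"^\S+\s+(\d+)\s+(?:\S+\s+){8}sshd: (\S+)@")

def parse_listeners(netstat_text):
    """Map PID -> set of (local_addr, port) for every listening socket with a known PID."""
    listeners = {}
    for m in filter(None, map(LISTEN_RE.match, netstat_text.splitlines())):
        listeners.setdefault(int(m.group(3)), set()).add((m.group(1), int(m.group(2))))
    return listeners

def parse_sessions(ps_text):
    """Map PID -> login name for "sshd: user@pts/N" processes (one per SSH connection)."""
    return {int(m.group(1)): m.group(2)
            for m in filter(None, map(SESSION_RE.match, ps_text.splitlines()))}

def forwards(netstat_text, ps_text):
    """Sorted (user, pid, addr, port): ports bound on the server by a user's sshd session."""
    listeners, sessions = parse_listeners(netstat_text), parse_sessions(ps_text)
    return sorted((user, pid, addr, port) for pid, user in sessions.items()
                  for addr, port in listeners.get(pid, ()))

if __name__ == "__main__":
    # Live mode: snapshot the real commands; run it from cron and pipe into `logger` for syslog.
    net = subprocess.run(["netstat", "-plnt"], capture_output=True, text=True).stdout
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    for user, pid, addr, port in forwards(net, ps):
        print("sshd-forward user=%s pid=%d listen=%s:%d" % (user, pid, addr, port))
```

Run as root so `netstat -p` can see every user's PIDs; a non-root run silently misses other users' sockets.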