A server management website takes control of the server. For example, I press the save button, which then updates the configuration on the Linux server. It logs on to the server and then updates a config file.

Example Auth Log:

Aug 13 20:07:19 ladev sshd[14141]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 20:07:19 ladev systemd: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Aug 13 20:07:19 ladev systemd-logind[1426]: New session 235 of user root.
Aug 13 20:07:19 ladev sshd[14141]: Received disconnect from 10x.236.2xx.xxx port 50291:11: disconnected by user
Aug 13 20:07:19 ladev sshd[14141]: Disconnected from 10x.236.2xx.xxx port 50291
Aug 13 20:07:19 ladev sshd[14141]: pam_unix(sshd:session): session closed for user root
Aug 13 20:07:19 ladev systemd-logind[1426]: Removed session 235.
Aug 13 20:07:20 ladev sshd[14186]: Accepted publickey for root from 10x.236.2xx.xxx port 50292 ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxx

How do I find out what it was doing to update a file and what command it was using?

Also, is there a way to find out what SSH client it was using?

It is not available in bash_history or the history command.

Edit: The server management website, which I don't own, is not on the same server.

I'll-Be-Back

1 Answer

I apologize if I misunderstand anything, but your question is difficult to read.

If you don't have auditing set up, then you will not have recorded the information you want. The same goes for the logging from sshd - you need to make sure sshd logs the info before something happens, not after.

Search Server Fault for info on configuring auditd. You'll need this to see what commands are being executed.

https://serverfault.com/search?q=auditd

And read the man page for OpenSSH to change sshd logging/debugging. You'll need this to get as much information as possible about ssh connections.

$ man sshd_config
Ryan Babchishin
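Added example, not part of the original question or answer: a small parser that groups the sshd records from the question's excerpt by daemon PID, to show exactly what default auth logging yields per connection (source, port, auth method, key fingerprint, session open/close) and that no record carries a command. The function and field names are illustrative assumptions; the log lines are copied from the excerpt above.

```python
import re
from collections import defaultdict

# sshd lines copied from the question's auth-log excerpt (already redacted there).
SAMPLE = """\
Aug 13 20:07:19 ladev sshd[14141]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 20:07:19 ladev systemd-logind[1426]: New session 235 of user root.
Aug 13 20:07:19 ladev sshd[14141]: Received disconnect from 10x.236.2xx.xxx port 50291:11: disconnected by user
Aug 13 20:07:19 ladev sshd[14141]: Disconnected from 10x.236.2xx.xxx port 50291
Aug 13 20:07:19 ladev sshd[14141]: pam_unix(sshd:session): session closed for user root
Aug 13 20:07:20 ladev sshd[14186]: Accepted publickey for root from 10x.236.2xx.xxx port 50292 ssh2: RSA SHA256:xxxxxxxxxxxxxxxxxxxxx
"""

# Syslog prefix: timestamp, host, then "sshd[PID]: message".
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[(\d+)\]: (.*)$")
EVENTS = [
    ("accepted", re.compile(
        r"Accepted (\S+) for (\S+) from (\S+) port (\d+)(?: ssh2: (\S+) (\S+))?")),
    ("opened", re.compile(r"session opened for user (\S+)")),
    ("closed", re.compile(r"session closed for user (\S+)")),
    # Newer OpenSSH inserts "user NAME" before the address; accept both forms.
    ("disconnect", re.compile(r"^Disconnected from (?:user \S+ )?(\S+) port (\d+)")),
]

def sessions_by_pid(text):
    """Group sshd events by daemon PID; each PID corresponds to one connection."""
    out = defaultdict(lambda: {"events": []})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd record (systemd, systemd-logind, ...)
        ts, pid, msg = m.groups()
        for name, rx in EVENTS:
            hit = rx.search(msg)
            if not hit:
                continue
            rec = out[pid]
            rec["events"].append((ts, name))
            if name == "accepted":
                rec.update(method=hit[1], user=hit[2], src=hit[3], port=hit[4],
                           key_type=hit[5], fingerprint=hit[6])
            elif name == "disconnect":
                rec.update(src=hit[1], port=hit[2])
            break
    return dict(out)

if __name__ == "__main__":
    for pid, rec in sessions_by_pid(SAMPLE).items():
        print(pid, rec)
```

The fingerprint field can be compared with the output of `ssh-keygen -lf` run on root's authorized_keys file to identify which key was used; the commands themselves only appear once auditd is recording them.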