How to transparently monitor SSH access/network traffic in Gentoo/general linux?
Solution 1
User authorization events are typically logged by the system logging daemon in /var/log. The default locations vary between distros, but it is often /var/log/auth, /var/log/auth.log, /var/log/secure. I don't have a Gentoo system handy, but the default install used to feature syslog-ng and log these events to /var/log/auth.log.
There are a variety of ways to audit network traffic; the best one depends on the level of detail you need to retain and what sort of additional equipment you can use to accomplish the monitoring.
If you are concerned about the risk of compromise on a system, you should consider forwarding whatever auditing solution you choose to another system that is inaccessible (except for logging) from the one you are monitoring. Successful attackers would likely remove evidence of their breach from the local logging systems.
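The cleanest way to answer "who logged in, and from where" without packet inspection is to parse the sshd lines in the auth log that Solution 1 points to. The following script is an added example, not code from the answer or from Gentoo; it assumes the traditional syslog line format sshd writes ("MMM DD HH:MM:SS host sshd[pid]: Accepted/Failed ... for USER from IP port N"), and the log lines it runs over are constructed samples, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log content (not from a real system).
SAMPLE_AUTH_LOG = """\
Nov 23 10:01:12 gentoo sshd[4123]: Accepted publickey for alice from 203.0.113.7 port 51522 ssh2: RSA SHA256:abc
Nov 23 10:02:40 gentoo sshd[4130]: Failed password for root from 198.51.100.23 port 40112 ssh2
Nov 23 10:02:43 gentoo sshd[4130]: Failed password for root from 198.51.100.23 port 40112 ssh2
Nov 23 10:02:47 gentoo sshd[4130]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Nov 23 10:05:01 gentoo CRON[4140]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 23 10:07:19 gentoo sshd[4151]: Accepted password for bob from 192.0.2.55 port 60022 ssh2
Nov 23 10:09:02 gentoo sshd[4160]: Disconnected from authenticating user root 198.51.100.23 port 40130 [preauth]
"""

# Matches the sshd "Accepted"/"Failed" authentication lines; "invalid user"
# is optional because sshd inserts it for usernames that do not exist.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+(?P<port>\d+)"
)


def parse_sshd_events(text):
    """Return one dict per authentication attempt found in the log text."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if m:  # lines from cron, disconnects, etc. are skipped
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def accepted_logins(events):
    """(user, source ip) for every successful login, in log order."""
    return [(e["user"], e["ip"]) for e in events if e["result"] == "Accepted"]


def failed_by_source(events):
    """Count failed attempts per source address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def flag_repeated_failures(events, threshold=5):
    """Source addresses with at least `threshold` failures (threshold is a hypothetical choice)."""
    return sorted(ip for ip, n in failed_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for user, ip in accepted_logins(evs):
        print(f"login: {user} from {ip}")
    for ip, n in failed_by_source(evs).most_common():
        print(f"failed: {n} attempts from {ip}")
    print("repeated failures:", flag_repeated_failures(evs, threshold=3))
```

To run it against the real file, replace the constructed sample with `open("/var/log/auth.log").read()`. One caveat for the router setup in the question: with a plain port forward (destination NAT only) the address sshd logs is the real external client, but if the router also rewrites the source address, every connection will appear to come from the router's LAN address and the log alone cannot tell clients apart.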
Solution 2
You have many solutions to do it; for example, the iptraf or tcpdump package can store your packets.
iroyo
Updated on November 23, 2022
Comments
-
iroyo over 1 year
What's the most effective way to monitor SSH access in Gentoo Linux?
My Gentoo box is operating locally behind my broadband router. I have SSH port forwarding on the router and a DNS entry pointing to my router on the internet. Is there a way to silently record what external domain/IP the incoming connection to my Gentoo box comes from?
Similarly what's the best method of recording all network traffic to and from this box, again without being noisy about it?
-
iroyo about 11 years: yeah, pretty much. I'm suspicious that there may be unauthorised access so I want to sandbox the machine and monitor access to it without advertising that fact.
-
Eli Heady about 11 years: An unfortunate reality of compromised systems is that you can't fully trust what they are telling you about user activity (or most anything else really). The best way to monitor suspected breached systems is from other locations on the network, typically between the untrusted node and its network gateway, unless you have moderately sophisticated network gear that offers you more flexibility.
-
iroyo about 11 years: For the SSH connection monitoring I just want to record where the connections are coming from and who is logging on; what's the cleanest way to do that without recording using full packet inspection?
-
PersianGulf about 11 years: no, you can specify a rule for tcpdump such as:
tcpdump -i eth0 port 22
For more info, please read man pcap-filter and man tcpdump.
-
PersianGulf about 11 years: you can even limit it more; if you don't know tcpdump, please start from a tutorial such as danielmiessler.com/study/tcpdump. Oh, by the way, don't forget I/O redirection to store packets, or the -o option instead of I/O redirection.
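Once tcpdump has stored packets to a file, the question of "where did the SSH connections come from" can be answered offline from that file, which is the path for the log-forwarding advice above: ship the capture to another box and analyse it there. The following is an added example, not code from the commenters or from the tcpdump project; it assumes a classic pcap file (the format `tcpdump -w` writes) with an Ethernet link type, and builds a small constructed capture in memory so it runs without tcpdump or a network interface. It reports one entry per TCP SYN aimed at the SSH port, i.e. each connection attempt, regardless of whether authentication later succeeded.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10


def build_packet(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (magic 0xa1b2c3d4, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_records(data):
    """Yield (timestamp_seconds, frame_bytes) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants unsupported)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def ssh_connection_attempts(pcap_bytes, ssh_port=22):
    """(src_ip, dst_ip, ts) for every TCP SYN without ACK sent to ssh_port."""
    attempts = []
    for ts, frame in iter_records(pcap_bytes):
        if len(frame) < 14 + 20:
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != 0x0800:          # IPv4 only in this example
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:           # protocol field: 6 = TCP
            continue
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:    # truncated by snaplen
            continue
        src = socket.inet_ntoa(frame[14 + 12:14 + 16])
        dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
        _sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        flags = frame[tcp_off + 13]
        if dport == ssh_port and flags & SYN and not flags & ACK:
            attempts.append((src, dst, ts))
    return attempts


def attempts_by_source(pcap_bytes, ssh_port=22):
    return Counter(src for src, _dst, _ts in ssh_connection_attempts(pcap_bytes, ssh_port))


# Constructed capture: two SSH connection attempts from different addresses,
# the SYN-ACK reply to one of them, and an unrelated SYN to port 80.
SAMPLE_PCAP = build_pcap([
    build_packet("198.51.100.23", "192.168.1.10", 40112, 22, SYN),
    build_packet("192.168.1.10", "198.51.100.23", 22, 40112, SYN | ACK),
    build_packet("203.0.113.7", "192.168.1.10", 51522, 22, SYN),
    build_packet("192.0.2.55", "192.168.1.10", 60022, 80, SYN),
])

if __name__ == "__main__":
    for src, dst, ts in ssh_connection_attempts(SAMPLE_PCAP):
        print(f"{ts}: SSH connection attempt from {src} to {dst}")
```

For a real file, pass `open("capture.pcap", "rb").read()` to `ssh_connection_attempts`; a capture taken with the `port 22` filter from the comment keeps the file small, and one taken between the box and the router (as Eli Heady suggests) is trustworthy even if the box itself is not.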