iptables SSH connection logging
Solution 1
The line you would need to log the traffic might look like this:
iptables -I OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"
On another terminal, view the logs:
iptables -L OUTPUT -v -n --line-numbers
I am using -m state --state. However, I would recommend using --ctstate; see man iptables for more.
If you feel that you are being overwhelmed by the logs, you might consider changing the --log-level. http://www.netfilter.org/ can tell you more.
Solution 2
val0x00ff's suggestion of using --state, also by Petter H in a comment, should work well.
However, you don't need to introduce session state tracking just for that. You can add the --syn flag to make the rule match only packets with the SYN flag set, which is set only on new connection attempts.
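As an added example (not code from either answer), here is Solution 2's --syn rule alongside a small POSIX shell summary of the kernel log lines such a rule produces, the kind of view the tail/grep approach in the comments gives you. The log prefix, the OUTPUT chain and the sample syslog lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answers. Log prefix, chain and the
# sample syslog lines below are constructed assumptions.

LOG_PREFIX='Outgoing SSH connection: '

# The rule from Solution 2: only the SYN packet of each outgoing SSH connection
# attempt is logged, so one line per attempt instead of one per packet.
ssh_syn_log_rule() {
    printf 'iptables -I OUTPUT -p tcp --dport 22 --syn -j LOG --log-level notice --log-prefix "%s"\n' "$LOG_PREFIX"
}

# Constructed sample of what the kernel LOG target writes to syslog for that
# rule (documentation address ranges), plus one unrelated line to be ignored.
SAMPLE_LOG='Sep 18 10:00:01 host kernel: Outgoing SSH connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 18 10:00:05 host kernel: Outgoing SSH connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 18 10:01:00 host kernel: Outgoing SSH connection: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 18 10:01:30 host kernel: unrelated message'

# Read log text on stdin and print "count destination" per SSH target,
# most contacted first: one line per connection attempt, not per packet.
ssh_dest_summary() {
    grep -F "$LOG_PREFIX" |
        sed -n 's/.* DST=\([^ ]*\) .*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Destinations contacted more than $1 times: a host that suddenly opens many
# outbound SSH sessions to one target is the pattern worth alerting on.
ssh_noisy_dests() {
    ssh_dest_summary | awk -v t="$1" '$1 > t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | ssh_dest_summary
```

On a live system, replace the constructed sample with the syslog file the LOG target writes to, e.g. tail -F /var/log/syslog | ssh_dest_summary.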
phenom135, updated on September 18, 2022
Comments
-
phenom135 over 1 year: Is it possible to only write a log entry when a connection is established? I have tried:
iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-level notice --log-prefix "outgoing ssh connection"
to log outgoing SSH connections, but this logs every single packet and this is, as you can imagine, a bit overwhelming for monitoring purposes. I am running SLES 11 SP3. So I would be grateful if anyone could point out a way to only write a log entry when the connection is established.
-
Petter H over 10 years: Did you try adding the --state NEW flag?
-
phenom135 over 10 years: Thank you, that was exactly what I was looking for :) must have overlooked it.
-
FreeSoftwareServers over 7 years: This worked wonders for me to track down a compromised server, but I used tail -F /var/log/syslog | grep "Outgoing SSH connection" because it only outputs information when a connection was attempted vs constant output.