I've had a few security problems with a server of mine; a few SSH users have been setting fires, aka causing problems.
I would like to:
- Track user logins and logouts
- Track the activity of these SSH users, in order to discover any malicious activity
- Prevent users from deleting logs
I am not much of a sysadmin and I am quite inexperienced in this matter, so any kind of advice would be very welcome and very helpful. 🙂
Best Answer
Since we're talking about SSH servers, I will give you command line solutions.
- Track user logins and logouts: that's easy, the file /var/log/auth.log should have this information.
- Track activity of those users: if they are fairly innocent, you can check the file .bash_history in their home dir. You will see a list of the commands that they executed. The problem is of course that they can delete or edit this file.
- Prevent users from deleting logs: users shouldn't be able to touch auth.log. In order to stop them from playing with .bash_history you need to do a couple of tricks.
- What if the user manages to obtain root access? You're screwed. Unless they make a mistake they will be able to hide all their footsteps.
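As an added example that is not part of the answer above, the following POSIX shell script shows what "track logins and logouts from auth.log" looks like in practice: it pulls successful logins (user, source address, authentication method), counts failed password attempts per source address, and pairs each `session opened` with its `session closed` by sshd PID to give session start and end times. The log excerpt embedded in it is constructed for the example (hostname `srv1`, the user names, PIDs and RFC 5737 test addresses are made up); pass a real auth.log path as the first argument to run it on your own server. It only reads the file, so it can run under any account that is allowed to read auth.log.

```shell
#!/bin/sh
# Added example, not from the original answer: summarise SSH logins, failed
# attempts and session durations from Debian/Ubuntu-style auth.log lines.
# The excerpt below is constructed; the host, users, PIDs, addresses and the
# key fingerprint are placeholders, not real data.
SAMPLE_LOG='Mar  3 10:15:01 srv1 sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:15:01 srv1 sshd[2301]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:16:40 srv1 sshd[2390]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:44 srv1 sshd[2390]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:50 srv1 sshd[2390]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:50 srv1 sshd[2390]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 10:20:05 srv1 sshd[2301]: pam_unix(sshd:session): session closed for user alice
Mar  3 10:21:00 srv1 sshd[2455]: Failed password for invalid user admin from 192.0.2.9 port 33000 ssh2
Mar  3 10:22:12 srv1 sshd[2390]: pam_unix(sshd:session): session closed for user bob'

# Emit the log to analyse: the file named in $1, or the constructed sample.
log_input() {
    if [ -n "$1" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# One line per successful login: time user source-ip auth-method.
# Fields are located by the "for"/"from" keywords rather than fixed positions,
# so the same code also copes with "invalid user" style messages.
login_events() {
    log_input "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print $3, user, ip, $7
        }'
}

# Failed password attempts grouped by source address, busiest source first.
failed_logins_by_source() {
    log_input "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Pair "session opened" with "session closed" by sshd PID:
# user pid opened-at closed-at (or "still-open" if no close was seen).
session_report() {
    log_input "$1" | awk '
        { pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid) }
        /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session opened for user / {
            for (i = 1; i <= NF; i++) if ($i == "user") u = $(i + 1)
            opened[pid] = $3; who[pid] = u
        }
        /sshd\[[0-9]+\]: pam_unix\(sshd:session\): session closed for user / {
            if (pid in opened) {
                print who[pid], pid, opened[pid], $3
                delete opened[pid]; delete who[pid]
            }
        }
        END { for (p in opened) print who[p], p, opened[p], "still-open" }'
}

echo "== successful logins (time user ip method)"; login_events "$1"
echo "== failed password attempts by source";       failed_logins_by_source "$1"
echo "== sessions (user pid opened closed)";        session_report "$1"
```

The session pairing is the part worth copying: a login with no matching `session closed`, or a burst of failures from one address immediately followed by an `Accepted password` for the same user (as with `bob` in the sample), is exactly the pattern to look at first when deciding whether an account has been misused.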