0

How can I setup monit to notify me about new remote SSH sessions that originate from outside one specific subnet?

I've considered logging connection attempts as part of a ~/.bashrc script but I'm not sure if this is possible because I'm uncertain of a few implementation details.

Specifically I need to know how to do the following things in the ~/bashrc script:

  1. How to get the IP address and subnet associated with a new connection
  2. How to check whether the the IP is outside the specific subnet I've selected

I imagine the script might look something like this psudocode:

 # check that this is an SSH connection # check whether the SSH connection originates outside the selected subnet echo "New connection from $SSH_CLIENT" > /var/log/_ssh.log

Monit recipe:

 check file _ssh with path /var/log/_ssh.log if failed checksum then alert
Improve this question
2
  • 1
    You could monitor /var/log/messages which will log attempts, ips, time, etc. Commented Aug 9, 2010 at 7:32
  • +1 for monitoring server logs instead of running script which can monitored user change. Commented Aug 9, 2010 at 10:09

4 Answers 4

Reset to default
1

You can't do this logging from ~/.bashrc or similar, because it's only executed for some interactive sessions, not if someone does ssh yourserver mycommand, sftp yourserver, etc.

All ssh login attempts, failed or successful, are logged through syslog with the auth facility. The log message includes the source IP address, the authentication method and whether the authentication suceeded. I think your best option is to use some log monitoring software.

I don't know monit, but it looks like its job is to watch sshd and restart it if it dies, which is a different concern.

Improve this answer
1

Along with $SSH_CLIENT, there's $SSH_CONNECTION. To see the available variables, run "env" (without the quotes) at the command prompt. -Tim

Improve this answer
0

I don't know monit, but you can do this easily by the firewall. Log all the external connections with a special tag and leave the internal non loggued. iptables is your friend if you are on Linux.

You can block all the ssh connections by hosts.allow/hosts.deny, too. You will see the logs in ssh logs.

Improve this answer
0

The environment variable $SSH_CLIENT is the IP, remote port and local port of the current user's SSH session.

That said, why don't you just drop everything from any other subnet than the secure one? Saves you a lot of trouble.

Also: please spend some time on properly formulating your question. ServerFault is supposed to be a place where people can find answers, not only in their own, but also in other people's questions. Yours is a bit messy, if you don't mind me saying so.

Improve this answer

You must log in to answer this question.