SSH logging

SSH, or Secure Shell, is a cryptographic network protocol primarily used for secure remote command-line login and other secure network services between two networked computers. As with any secure system, having a robust logging mechanism in place is crucial. In the world of SSH, logging isn’t just a mere feature—it’s an essential tool for monitoring, troubleshooting, and maintaining security.

Why SSH Logging is Important

a. Security Implications:
Every time an SSH connection is established, there is a trail of actions, from initial connection to command executions. Logging these actions can be vital in detecting unauthorized or malicious activities. If an intruder or a rogue employee accesses your system, the SSH logs can provide evidence and trace their actions.

b. Auditing and Compliance:
For businesses, especially those in regulated industries, maintaining comprehensive logs is not just a best practice but a legal requirement. Auditors might require logs to ensure that access controls are in place and are effective. Without proper SSH logging, businesses could face fines or penalties for non-compliance.

c. Troubleshooting and Diagnostics:
Logs can be a lifeline when things go wrong. If there are issues with SSH connections, such as failed authentication attempts or dropped connections, the logs can provide insights into what caused these problems, making it easier to fix them.

Understanding SSH Logs

When it comes to SSH logging, it’s crucial to know the types of logs you might encounter and what each log signifies:

a. Authentication Logs:
These logs keep track of every login attempt—both successful and failed. By regularly monitoring these logs, you can detect brute force attacks or repeated failed login attempts from a particular IP address.

b. Connection Logs:
Once authentication is successful, SSH creates a session. Connection logs maintain a record of all these sessions, including when they start, when they end, and any anomalies in between.

c. Command Logs:
For those keen on granular details, some configurations will log every command executed during an SSH session. This is particularly useful for auditing or understanding the exact actions taken during a session.

By familiarizing yourself with these logs, you’re equipped with a deeper understanding of the activities within your SSH-enabled systems.

Setting Up SSH Logging

a. Basic Configuration for SSHD (the SSH server):
The primary configuration file for SSH is typically located at /etc/ssh/sshd_config. Inside this file, you can set logging parameters to control the level and type of logs.

For instance, to set the log level, you would modify or add the line:

LogLevel VERBOSE

There are various logging levels available: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG1, DEBUG2, and DEBUG3. For most uses, INFO or VERBOSE is adequate. However, if you’re troubleshooting, the DEBUG levels can provide more detailed information.

b. Increasing Verbosity for More Detailed Logs:
For more granular details, especially when troubleshooting, you can switch the LogLevel to one of the DEBUG levels. Remember, increased verbosity can lead to larger log files, so ensure you have proper log rotation and storage management.

c. Ensuring Proper Rotation and Retention Policies:
Log files can grow rapidly, especially with increased verbosity. It’s essential to have log rotation policies to manage storage. Tools like logrotate this

Log Locations

a. Default Locations for Major Operating Systems:

  • Linux/Unix-based systems: SSH logs are usually found in /var/log/auth.log or /var/log/secure.
  • BSD Systems: Check under /var/log/messages.
  • Solaris: Look in /var/log/syslog.

Make sure to check and confirm the location based on your specific OS and distribution.

b. How to Change the Default Log Location:
If you wish to modify where SSHD writes its logs, you can adjust the SyslogFacility and LogLevel directives in the sshd_config file. After making changes, always remember to restart the SSHD service to apply the modifications.

Tools for Monitoring and Analyzing SSH Logs

a. Using Built-in Tools:
Basic utilities like tail, grep, and awk are invaluable for live monitoring or searching through logs. For example, to view the most recent entries in real-time, you can use:

tail -f /var/log/auth.log

Third-party Tools and Solutions:
Several tools can enhance your log monitoring experience:

  • Logwatch: An out-of-the-box log analysis tool. It breaks down logs into categories and sends daily summaries via email.
  • Graylog: A centralized log management solution that offers a web interface for deep searches and visualizations.
  • Splunk: A powerful platform for searching, monitoring, and analyzing machine-generated big data, including SSH logs.

When choosing a tool, consider the size of your infrastructure, the volume of logs, and any specific features you need, like alerting or integration with other systems.

SSH Logging Best Practices

a. Retention Policies:
Decide how long you need to keep logs based on both your operational needs and any legal or regulatory requirements. While short-term logs are beneficial for troubleshooting, long-term logs can help in audits and identifying patterns.

b. Access Control:
SSH logs can contain sensitive information. Ensure that only authorized personnel have access to these logs. Use file permissions and consider encrypting backups of log files.

c. Alerting:
Set up real-time alerts for specific events, like multiple failed login attempts, to identify and thwart potential security breaches promptly.

Log Examples and Troubleshooting

To understand SSH logs better, let’s look at some common log entries:

a. Failed Authentication:

sshd[12345]: Failed password for root from 192.168.1.1 port 22 ssh2

This indicates a failed login attempt for the ‘root’ user from the IP 192.168.1.1.

b. Successful Authentication:

sshd[12345]: Accepted password for user1 from 192.168.1.2 port 22 ssh2

Here, ‘user1’ has successfully logged in from IP 192.168.1.2.

c. Suspicious Activity:
Multiple failed attempts followed by a successful login can be a sign of a brute-force attack.

When troubleshooting SSH issues, always start by checking the logs for any clear error messages or indications of what might be wrong. For persistent problems, consider increasing the log verbosity temporarily.

Integration with Centralized Logging Systems

a. Benefits of a Centralized Logging System:
As your infrastructure grows, managing logs on individual servers can become cumbersome. Centralized logging systems allow you to aggregate logs from multiple sources into one location, making them easier to analyze, back up, and secure.

b. Popular Solutions:

  • ELK Stack (Elasticsearch, Logstash, Kibana): A powerful trio that can collect, search, and visualize logs.
  • Syslog Servers: Traditional solutions like rsyslog or syslog-ng can be set up to gather logs from various servers.
  • Cloud Services: Platforms like AWS CloudWatch or Azure Monitor can integrate logs from various sources, including SSH logs.

c. Integrating with SSH:
Most centralized solutions will require a log shipper or agent on the SSH server. This agent collects and forwards the SSH logs to the centralized system. Ensure that the data transfer is secure, possibly using encryption, so sensitive log data isn’t exposed during transit.

FAQ (Frequently Asked Questions)

1. Can SSH logging impact server performance?
While logging itself has minimal overhead, excessive logging (like setting the log level to DEBUG) for extended periods can affect performance due to increased disk I/O. Ensure that verbose logging is used judiciously and check disk space periodically.

2. Is it possible to log SSH activities without the user knowing?
Yes, SSH activities can be logged transparently without notifying users. However, it’s essential to respect privacy guidelines and laws. Always ensure that users are aware of any monitoring, either through user agreements or policies.

3. How often should I check my SSH logs?
For active systems or critical infrastructure, daily checks or even real-time monitoring might be warranted. For less critical systems, a weekly review might suffice. Automated tools and alerting systems can assist in notifying you of significant events.

4. What should I do if I suspect malicious activity in my SSH logs?
Immediately isolate the affected system to prevent potential harm. Investigate the logs to understand the scope and nature of the activity. If a breach is confirmed, follow your organization’s incident response plan and consider notifying affected stakeholders.

5. Can SSH logs be tampered with?
Yes, if an attacker gains sufficient privileges, they can alter or delete logs. Using centralized logging or write-once media can help ensure log integrity. Regular backups and checksum validations are also recommended.

Conclusion

SSH logging is more than just a record of who’s coming and going on your servers. It’s a vital tool in maintaining the security and integrity of your systems. With the increasing sophistication of cyber threats, having a comprehensive logging strategy is not just good practice—it’s essential. By understanding, monitoring, and appropriately acting on SSH logs, administrators can ensure that their systems remain secure, compliant, and efficient. As technology continues to evolve, so will the tools and techniques around SSH logging, but the foundational principles will remain consistent: monitor, analyze, and act.

Atiqur Rahman

I am MD. Atiqur Rahman graduated from BUET and is an AWS-certified solutions architect. I have successfully achieved 6 certifications from AWS including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate. I have more than 8 years of working experience as a DevOps engineer designing complex SAAS applications.

Leave a Reply