How do I log SSH port forwards?

ssh ssh-tunnel

Solution 1:

I have used the patch on this web page (slightly altered) http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/ to log ssh port forwards.

Solution 2:

I'm asking a question here How can a SSH host process detect which ports have been forwarded by the client (-R not -L) to find a more elegant way to do this same thing.

However, since it's not looking like there is a better way, I do it with lsof:

sudo lsof [email protected] -Fn -p99999 | grep "^n" | grep -v '\->' | awk -F: '{print $NF}' | sort | uniq

99999 is the PID of the sshd handling the connection you are interested in.

There are a few ways to make use of this snippet. Either have a long-running process that watches for new instances of sshd and then introspects them using the above command, or you prefix all .ssh/authorized_keys entries with a custom command which does this, logs it somewhere, then exec the original intended command (SSH_ORIGINAL_COMMAND or login shell in most cases).

Related

What Command(s) List a User's System Permissions in Linux?
For an internal cluster, is it good idea to use IPv6?
Linux RAID-0 performance doesn't scale up over 1 GB/s
How to know currently open ports on the Windows Firewall?
How secure is Remote Desktop Connection?
Is it safe to replicate from Solaris ZFS to FreeBSD ZFS?
Cannot join Win7 workstations to Win2k8 domain
SQL Server transaction log BACKUPS are very large
Test for Localhost in Powershell?
ggplot - Multiple legends arrangement
External load balancer solutions between EC2 and Rackspace
High system cpu load (%sys), system locks