How do I log SSH port forwards?
Solution 1:
I have used the patch on this web page (slightly altered) http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/ to log ssh port forwards.
Solution 2:
I'm asking a question here, "How can a SSH host process detect which ports have been forwarded by the client (-R not -L)", to find a more elegant way to do this same thing.
However, since it's not looking like there is a better way, I do it with lsof:

sudo lsof [email protected] -Fn -p99999 | grep "^n" | grep -v '\->' | awk -F: '{print $NF}' | sort | uniq
99999 is the PID of the sshd handling the connection you are interested in.
There are a few ways to make use of this snippet. Either have a long-running process that watches for new instances of sshd and then introspects them using the above command, or you prefix all .ssh/authorized_keys entries with a custom command which does this, logs it somewhere, then execs the original intended command (SSH_ORIGINAL_COMMAND or the login shell in most cases).
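The authorized_keys wrapper that Solution 2 outlines, written out as an added example (not code from either answer). It assumes lsof, logger and ps are installed, and it uses lsof's -a and -i selectors in place of the host filter in the answer's one-liner.

```shell
#!/bin/sh
# Added example (not from either answer): an authorized_keys command=
# wrapper that logs which listening ports the session's sshd has bound
# (the client's -R forwards), then runs what the user actually asked for.
# Assumptions: lsof(8), logger(1) and ps(1) are installed and the script
# is installed as the forced command for a key, e.g. (placeholder key):
#   command="/usr/local/bin/ssh-forward-audit run" ssh-ed25519 AAAA...

# Reduce `lsof -Fn` output to listening port numbers: keep the n (name)
# fields, drop established connections (they contain "->"), and take the
# text after the last colon so IPv6 names like [::1]:8080 also work.
listening_ports() {
    grep '^n' | grep -v -- '->' | awk -F: '{print $NF}' | sort -n | uniq
}

# Walk up the process tree to the sshd process that owns this session.
# Under command= the immediate parent may be the login shell sshd used
# to start us, so $PPID alone is not reliable.
find_sshd_pid() {
    pid=$$
    while [ "$pid" -gt 1 ]; do
        case "$(ps -o comm= -p "$pid" 2>/dev/null)" in
            sshd*) echo "$pid"; return 0 ;;
        esac
        pid=$(ps -o ppid= -p "$pid" 2>/dev/null | tr -d ' ')
        [ -n "$pid" ] || break
    done
    return 1
}

# Ports bound by one sshd PID. -a ANDs the selectors (without it lsof ORs
# -p and -i); -n/-P keep addresses and ports numeric.
sshd_listening_ports() {
    lsof -a -n -P -i -Fn -p "$1" 2>/dev/null | listening_ports
}

main() {
    sshd_pid=$(find_sshd_pid) || sshd_pid=$PPID
    ports=$(sshd_listening_ports "$sshd_pid" | tr '\n' ' ')
    logger -t ssh-forward-audit \
        "user=$USER client=${SSH_CLIENT%% *} sshd_pid=$sshd_pid listening=[$ports]"
    # Hand over to what the client requested: a command, or a login shell.
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${SHELL:-/bin/sh}" -l
}
# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then main; fi
```

The list is a snapshot taken when the session starts, so forwards the client adds later in the session are not seen, and X11 forwarding ports (6010 and up) show up alongside -R ports.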