centralized audit server solution for mutiple server management [closed]

ssh linux ldap

Solution 1:

Each server's ssh port should not open to the public, it is dangerous.

This is not true, especially if you are using keys with good pass phrases and have disabled password logins (you have haven't you).

If one server is accessed by multiple person with the same account, we cannot tell who is logged in.

In your current scenario this is correct - shared accounts are not a Good Thing. However with suitably verbose sshd logs you can see who logged in when.

It is hard to remove or revoke someone's ssh key for those server's.

There are tools available that will allow this to be automated - puppet, chef, ansible etc - configuration management tools in general.

A general solution to you problem is to

  • Provide everyone with their own account (automate it with a configuration management tool)
  • Stop using shared accounts.
  • Give everyone suitable sudo access.
  • Use rsyslog to ship all the logs to a central log server.

This allows you to log the individual users accessing the system. With suitable education you can also log individual users use of the administrative account.

Related

Where Does /var/lib/nginx/proxy Come From?
How to disable core dumps on Debian 8
How to log all queries to Outlook Web Access (msexchange 2010)
LVM thin snapshot unavailable
How to find directory containing specific files or directories?
What's the definition and difference between provision and bootstrap?
What does Amazon SES free tier mean? Why am I charged?
Connect to openvpn management interface on unix domain socket
Server 2012 R2 - how to delete a file that is "open in System"?
Upgrade cURL to latest on CentOS 5.8
Input/output error when attempting to mount a Windows NFS share
Can only some machines on a network have a public IP addresses?