Ssh – How to detect that remote ssh session started from external network

logging, ssh

How can I set up monit to notify me about new remote SSH sessions that originate from outside one specific subnet?

I've considered logging connection attempts as part of a ~/.bashrc script but I'm not sure if this is possible because I'm uncertain of a few implementation details.

Specifically, I need to know how to do the following things in the ~/.bashrc script:

  1. How to get the IP address and subnet associated with a new connection
  2. How to check whether the IP is outside the specific subnet I've selected

I imagine the script might look something like this pseudocode:

# check that this is an SSH connection
# check whether the SSH connection originates outside the selected subnet
echo "New connection from $SSH_CLIENT" > /var/log/_ssh.log

Monit recipe:

check file _ssh with path /var/log/_ssh.log
   if failed checksum then alert

Best Answer

You can't do this logging from ~/.bashrc or similar, because it's only executed for some interactive sessions, not if someone does ssh yourserver mycommand, sftp yourserver, etc.

All ssh login attempts, failed or successful, are logged through syslog with the auth facility. The log message includes the source IP address, the authentication method and whether the authentication succeeded. I think your best option is to use some log monitoring software.

I don't know monit, but it looks like its job is to watch sshd and restart it if it dies, which is a different concern.
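The log-monitoring approach the answer recommends, as an added example that is not part of the original answer: it scans sshd's "Accepted" auth-log lines and reports logins whose source address falls outside a trusted subnet. The subnet `192.168.1.0/24`, the function name and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
import sys

TRUSTED_CIDR = "192.168.1.0/24"  # assumption: replace with your own subnet

# OpenSSH logs a successful login as:
#   sshd[PID]: Accepted <method> for <user> from <addr> port <port> ssh2
# The pattern tolerates a suffix on the process name before "[PID]".
ACCEPTED = re.compile(
    r"sshd[^\[\s]*\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)

# Constructed sample lines (documentation address ranges, not real logins).
SAMPLE_LOG = [
    "Mar  3 10:15:01 host sshd[1201]: Accepted publickey for alice from 192.168.1.20 port 50122 ssh2",
    "Mar  3 10:17:44 host sshd[1233]: Accepted password for bob from 203.0.113.7 port 40022 ssh2",
    "Mar  3 10:18:02 host sshd[1240]: Failed password for invalid user admin from 198.51.100.9 port 2222 ssh2",
    "Mar  3 10:20:30 host sshd[1302]: Accepted publickey for carol from 2001:db8::5 port 51000 ssh2",
]

def external_logins(lines, trusted_cidr=TRUSTED_CIDR):
    """Return (user, source, method) for accepted logins from outside trusted_cidr."""
    trusted = ipaddress.ip_network(trusted_cidr)
    hits = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated messages are ignored here
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            # Not a parseable address: fail closed and report it as external.
            hits.append((m["user"], m["addr"], m["method"]))
            continue
        # An address of the other IP version is never inside the network.
        if addr not in trusted:
            hits.append((m["user"], str(addr), m["method"]))
    return hits

if __name__ == "__main__":
    # With a path argument, scan that log file; otherwise use the sample lines.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for user, source, method in external_logins(lines):
        print(f"external SSH login: user={user} source={source} method={method}")
```

Because it reads sshd's own log rather than a shell startup file, this also covers `ssh yourserver mycommand` and `sftp` sessions. The auth log is typically `/var/log/auth.log` on Debian-family systems and `/var/log/secure` on Red Hat-family systems.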