Ssh – iptables SSH connection logging

Tags: configuration, iptables, logging, sles, ssh

Is it possible to only write a log entry when a connection is established?
I have tried:

iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-level notice --log-prefix "outgoing ssh connection"

to log outgoing SSH connections but this logs every single packet and this is as you can imagine a bit overwhelming for monitoring purposes.
I am running SLES 11 SP3.
So I would be grateful if anyone could point out a way to only write a log entry when the connection is established.

Best Answer

The line you would need to log the traffic might look like this:

iptables -I OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"

On another terminal, view the logs:

while :; do iptables -L OUTPUT -v -n --line-n; sleep 2; done

I am using -m state --state. However, I would recommend using --ctstate.

man iptables for more.

If you feel that you are being overwhelmed by the logs, you might consider changing the --log-level. http://www.netfilter.org/ can tell you more.
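An added example, not part of the answer above: a rule that logs only the packet opening each outgoing SSH connection (conntrack state NEW plus the initial SYN, with a limit to cap volume), and two small helpers that summarise the resulting kernel log lines. The IPTABLES variable, the prefix string, the helper names and the sample log lines are all constructed for this example; by default the rule is printed rather than applied.

```shell
#!/bin/sh
# Set IPTABLES=iptables to apply the rule; the default only prints it.
IPTABLES="${IPTABLES:-echo iptables}"

# Log one line per new outgoing SSH connection instead of one per packet:
# --ctstate NEW matches only the packet that creates a conntrack entry,
# --syn restricts that to the initial SYN, and -m limit bounds log volume
# if something starts hammering port 22.
ssh_log_rules() {
    $IPTABLES -I OUTPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-level notice --log-prefix "outgoing ssh connection: "
}

# Constructed kernel log lines in the format the LOG target emits.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:00:01 host kernel: outgoing ssh connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Jan 12 10:00:02 host kernel: some other prefix: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN URGP=0
Jan 12 10:05:17 host kernel: outgoing ssh connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51240 DPT=22 SYN URGP=0
Jan 12 10:09:44 host kernel: outgoing ssh connection: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51251 DPT=22 SYN URGP=0
EOF
)

# Number of logged SSH connection attempts (log lines on stdin).
count_ssh_connections() {
    grep -c 'outgoing ssh connection: '
}

# Distinct destination hosts contacted over SSH, one per line (stdin).
ssh_destinations() {
    grep 'outgoing ssh connection: ' \
        | sed -n 's/.* DST=\([0-9.]*\) .*/\1/p' \
        | sort -u
}

# Usage: review the rule, then summarise the sample log.
ssh_log_rules
printf '%s\n' "$SAMPLE_LOG" | count_ssh_connections
printf '%s\n' "$SAMPLE_LOG" | ssh_destinations
```

With a live system, replace the sample with `grep 'outgoing ssh connection' /var/log/messages` (the file the kernel log lands in on SLES) to get the same summary over real entries.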
