ssh traffic accounting

From: Christian Brandt (brandtc_at_psi5.com)
Date: 06/08/03


Date: Sun, 08 Jun 2003 22:59:46 +0200

I need to account ssh-traffic on a per-user-basis. A patch from
http://groups.google.de/groups?selm=abmaj8%242989%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain
is quite useful for openssh-3.1pl1 but far from perfect. At least it puts
useful information into syslog like

Jun 8 16:07:40 sword sshd[2012]: Accepted password for brandtc from ::ffff:10.11.12.13 port 51989 ssh2
Jun 8 16:07:40 sword sshd[2012]: subsystem request for sftp
Jun 8 16:08:08 sword sshd[2012]: accounting: inbytes:1120 outbytes:31776 time:35

First, it's not in mainstream openssh so I would have to repatch after every
update. Dumb routine. I hate dumb routine.

Second, the patch doesn't log broken connections. So if one transfers 200mb
and then makes the connection time out, kills his ssh or if I kill my sshd,
the 200mb won't be accounted.

Actually I am quite puzzled that ssh doesn't offer accounting. It's like
having a car running safely at the speed of light but without tachometer
and without mileage indicator and a black curtain in front of the window.

As I am running lots of ssh-based traffic like rsync, uucp, sftp and
several tunneling/bouncing, it would save me lots of hassles writing lots
of logfile-analyzers for every single job.

Any ideas / Alternatives?

-- 
Christian Brandt
 life is short and in most cases it ends with death
 but my tombstone will carry the hiscore
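
An added example, not part of the original post or of the patch it mentions: a log analyzer that sums the `accounting:` lines per user by matching the `sshd[PID]` of each login, and lists logins that never produced an accounting line (the broken-connection gap described above). It assumes the accounting line carries the same PID as the `Accepted` line, as in the quoted sample; the `alice` user and PIDs 2040 and 2051 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post; PID 2040 has no
# accounting line, as happens when a connection breaks or sshd is killed.
SAMPLE_LOG = """\
Jun 8 16:07:40 sword sshd[2012]: Accepted password for brandtc from ::ffff:10.11.12.13 port 51989 ssh2
Jun 8 16:07:40 sword sshd[2012]: subsystem request for sftp
Jun 8 16:08:08 sword sshd[2012]: accounting: inbytes:1120 outbytes:31776 time:35
Jun 8 16:09:02 sword sshd[2040]: Accepted publickey for alice from ::ffff:10.11.12.14 port 40022 ssh2
Jun 8 16:10:15 sword sshd[2051]: Accepted password for brandtc from ::ffff:10.11.12.13 port 52001 ssh2
Jun 8 16:10:50 sword sshd[2051]: accounting: inbytes:300 outbytes:4096 time:35
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"Accepted \S+ for (?P<user>\S+) from \S+ port \d+")
ACCT = re.compile(r"accounting: inbytes:(?P<inb>\d+) outbytes:(?P<outb>\d+) time:(?P<secs>\d+)")

def account(log_text):
    """Return (per-user totals, [(pid, user)] logins with no accounting line)."""
    open_sessions = {}  # pid -> user, logins still waiting for their accounting line
    totals = defaultdict(lambda: {"inbytes": 0, "outbytes": 0, "time": 0, "sessions": 0})
    unaccounted = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        a = ACCEPT.match(msg)
        c = ACCT.match(msg)
        if a:
            # PIDs are reused: a previous login on this PID that never closed is unaccounted
            if pid in open_sessions:
                unaccounted.append((pid, open_sessions[pid]))
            open_sessions[pid] = a["user"]
        elif c and pid in open_sessions:
            t = totals[open_sessions.pop(pid)]
            t["inbytes"] += int(c["inb"])
            t["outbytes"] += int(c["outb"])
            t["time"] += int(c["secs"])
            t["sessions"] += 1

    unaccounted.extend(open_sessions.items())  # logins still open at end of log
    return dict(totals), unaccounted
```

Sessions still running when the log is read also appear in the unaccounted list, so a real report would compare it against currently live sshd PIDs.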

