Record ssh sessions

Record ssh sessions - How to enable it on the bastion host (also called a “jump server”)

This feature lets you record the ssh sessions of ssh users (system admins, system engineers, developers) accessing remote Linux servers / VMs / cloud instances via the ssh protocol. The only requirement is that the sshd daemon is installed on the remote Linux servers, which is easily done by installing the OpenSSH packages. The OpenSSH packages can be installed on most Linux distributions available in the market (CentOS 6, CentOS 7, CentOS 8, CentOS 5, CentOS 4, Ubuntu 14, Ubuntu 16, Ubuntu 18, SUSE, RHEL, Fedora, FreeBSD and more).

Note

There is NO need to install an agent on the remote Linux servers to record the ssh sessions of users accessing the servers via ssh.

The recorded ssh sessions let you audit the ssh users accessing the Linux servers remotely via the ssh protocol. You can also monitor an ssh user in real time, and you can search all of the recorded logs for a string or pattern, which is very useful when auditing security incidents, lapses, etc. This is useful for meeting security compliance standards like PCI DSS, HIPAA, NIST, NERC, FFIEC, etc.

To enable ssh recording for the SSH users on the jump server:

  1. Navigate to Settings->General->Security->SSH Session Logging

There are 3 settings to record the ssh sessions

  • None - This would disable ssh session recording.
  • Input - This would record only the STDIN, which would be the keyboard inputs of the ssh jump server user.
  • Output - This would record only the STDOUT, which would be the outputs on the screen of the jump server user.
  • Both - This would record both the STDIN and STDOUT of the ssh session.


The input mode records the invisible characters typed into STDIN, so it also records the password changes of a user that are done using the password command. This would be in violation of security compliance standards like PCI DSS, HIPAA, MAS, NIST, GDPR, FFIEC, etc. We recommend choosing output only, to avoid recording passwords and to meet security compliance.
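The effect described above can be reproduced with a small pty-based recorder. This is an added example, not Ezeelogin's code; `record_session`, the stand-in child program and the sample password are constructed for illustration.

```python
import os, pty, select, sys

# Constructed stand-in for a password prompt: turns terminal echo off,
# prompts, reads one line, then confirms.
CHILD = r'''
import sys, termios
fd = sys.stdin.fileno()
attrs = termios.tcgetattr(fd)
attrs[3] &= ~termios.ECHO          # lflags: disable echo, as password prompts do
termios.tcsetattr(fd, termios.TCSANOW, attrs)
sys.stdout.write("New password: "); sys.stdout.flush()
sys.stdin.readline()
sys.stdout.write("\nupdated\n"); sys.stdout.flush()
'''

SAMPLE_KEYS = b"Constructed-Passw0rd\n"   # constructed sample input

def record_session(keystrokes: bytes = SAMPLE_KEYS):
    """Run CHILD on a pty and return (input_log, output_log) as bytes."""
    pid, master = pty.fork()
    if pid == 0:                   # child: stdin/stdout are the pty slave
        try:
            os.execv(sys.executable, [sys.executable, "-c", CHILD])
        finally:
            os._exit(127)
    input_log, output_log, sent = b"", b"", False
    while True:
        ready, _, _ = select.select([master], [], [], 5)
        if not ready:
            break                  # safety timeout
        try:
            data = os.read(master, 1024)
        except OSError:            # Linux raises EIO once the child has exited
            break
        if not data:
            break
        output_log += data         # "Output" mode: what the screen shows
        if not sent and b"password:" in output_log:
            os.write(master, keystrokes)
            input_log += keystrokes  # "Input" mode: what the keyboard sent
            sent = True
    os.close(master)
    os.waitpid(pid, 0)
    return input_log, output_log

if __name__ == "__main__":
    typed, shown = record_session()
    print("input log :", typed)
    print("output log:", shown)
```

The input log holds the password in clear text, while the output log holds only the prompt and the confirmation, because the terminal never echoed the keystrokes.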


     

How to view the ssh session recorded?

  1. Navigate to Users->SSH log and select the jump server user and the server to view the recorded session for that server.


  2. Click on 'Log type output' to view the entire ssh session recorded for the user john on the server tesla.eznoc.com. As you can see, the entire ssh session is available.

How to view the ssh session recorded in real time, or view the currently ongoing ssh session of jump server users live?

Click on Enable streaming and choose the interval of 1 second, and you will be able to see what the jump server user is doing on a server in real time.

Make sure ssh log encryption is disabled under Settings->General->Security->Encrypt SSH Session logs so that the Enable streaming button is visible.

 

 

How to encrypt ssh session log recorded to meet security compliances?

You can enable 'Encrypt ssh session logs' under Settings->General->Security so that the logs are not human readable. Note that the logs are only readable from the GUI and that the ssh logs are stored in the /var/log/ezlogin directory.

 

 

How to search the ssh session log recorded for strings or keywords?

Enter the string to be searched in the field 'Log Content'. The results show the matching logs, the user and the username with which the server was accessed, and the login and logout times.
