Record SSH sessions

How to record ssh sessions on a Linux server, router, or switch using the Ezeelogin ssh jump server.

The "SSH Log" recording feature lets you record the ssh sessions of ssh jump server users (system admins, system engineers, developers, network administrators) accessing remote Linux servers, cloud instances, switches, routers, and other network devices that are accessible via the ssh protocol.

The SSHD daemon has to be running on the remote devices. The SSH daemon comes with the OpenSSH packages on most Linux distributions (CentOS 4, CentOS 5, CentOS 6, CentOS 7, CentOS 8, Ubuntu 14, Ubuntu 16, Ubuntu 18, SUSE, RHEL, Fedora, FreeBSD and more).

 


Note

There is NO need to install an agent on the remote Linux servers (production servers) to record the ssh sessions of users accessing the servers via ssh.

 
IMPORTANT

Disable TCP forwarding in the SSHD server configuration file on the jump server.
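
An added example, not part of the original article or Ezeelogin's own code: a check that the jump server's sshd configuration really disables TCP forwarding, using OpenSSH's `AllowTcpForwarding` keyword. The sample configuration and the function name `audit_tcp_forwarding` are constructed for illustration.

```python
import re

# Constructed sample: forwarding is disabled globally, but a later Match
# block re-enables it for one account.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes
Match User deploy
    AllowTcpForwarding local
Match Group admins
    X11Forwarding no
"""

def audit_tcp_forwarding(config_text):
    """Check sshd_config text for any way TCP forwarding stays enabled.

    sshd keeps the first value it reads for a keyword, so later duplicates
    in the global section are ignored. Match blocks override the global
    value for the connections they match. Include files are not followed.
    """
    global_value = None   # first global AllowTcpForwarding value seen
    match_ctx = None      # criteria of the current Match block, if any
    overrides, notes = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()   # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            match_ctx = arg
        elif keyword == "allowtcpforwarding":
            value = arg.split()[0].lower() if arg else ""
            if match_ctx is not None:
                if value != "no":
                    overrides.append(f"line {lineno}: Match {match_ctx} sets {value}")
            elif global_value is None:
                global_value = value
            else:
                notes.append(f"line {lineno}: duplicate global value '{value}' is ignored")
    effective = global_value or "yes"   # OpenSSH default when unset
    return {"global": effective, "overrides": overrides, "notes": notes,
            "compliant": effective == "no" and not overrides}

if __name__ == "__main__":
    print(audit_tcp_forwarding(SAMPLE_CONFIG))
```

On a live jump server, `sshd -T` prints the effective configuration and can be used to confirm the result after reloading sshd.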

The recorded ssh sessions let you audit the ssh users accessing the Linux servers remotely via the ssh protocol. You can also monitor an ssh user in real time, and you can search all of the recorded logs for a string or pattern, which is very useful when performing security audits of security incidents and lapses, security forensics, etc. This is useful for meeting security compliances like PCI DSS, HIPAA, NIST, NERC, FFIEC, etc.

1. To enable ssh recording of the jump server users in the Ezeelogin ssh jump server GUI, do the following.
Navigate to Settings->General->Security->SSH Session Logging

 

There are 3 settings to record the ssh sessions

  1. None - This disables ssh session recording.
  2. Input - This records only the STDIN, which is the keyboard input of the ssh jump server user.
  3. Output - This records only the STDOUT, which is the output on the screen of the jump server user.
  4. Both - This records both the STDIN and STDOUT of the ssh session.

The input mode records the invisible characters typed into the STDIN, hence it would record the password changes of a user that are done using the password command. This would be in violation of security compliances like PCI DSS, HIPAA, MAS, NIST, GDPR, FFIEC, etc. We recommend choosing output only to avoid recording passwords, in order to meet security compliance.



2. How to view the recorded user ssh sessions in the Ezeelogin ssh jump server GUI?

A) Navigate to Users->SSH Log and select the jump server user and the server to view the recorded session for that server.
 


B) Click on the 'Log type output' to view the entire ssh session recorded for the user john on the server tesla.eznoc.com. As you can see, the entire ssh session is available.


 

3. How to view the recorded ssh session of a user in real time?

a) Identify the ongoing ssh sessions that have the status 'Active' and click on the 'note' icon on the right.


 

b) Click on 'Enable streaming' and choose the interval of 1 second, and you will be able to see what the jump server user is doing on a server in real time.

Make sure to disable ssh log encryption under Settings->General->Security->Encrypt SSH Session logs so that the 'Enable streaming' button is visible.


 

4. How to encrypt the recorded user ssh session logs to meet security compliances?

You can enable 'Encrypt ssh session logs' under Settings->General->Security so that the logs are not human readable. Note that the logs are then only readable from the GUI. In the backend, the ssh logs are stored in the /var/log/ezlogin directory.


  

5. How to search the recorded user ssh session logs for specific strings or keywords?

Enter the string to be searched in the field 'Log Content'. The results show the matching logs, the user, and the username with which the server was accessed; the login and logout times are recorded as well.


  

6. The Administrator user can download any user's ssh session to remote devices as a text file by clicking on the blue arrow.


 

7. A normal user can download their own recorded ssh session logs under Users->SSH Log.
