README
¶
= SSH login monitor This program logs SSH login and logout events on the system. It keeps track of the authorized keys added to the system and calculates their fingerprints. Based on the fingerprints this monitor can tell which SSH key was used to login to the host. For example, you may have several users who have access to the `root` account on the host. You add those users' public keys to `/root/.ssh/authorized_keys` and that gives them root access to the system. Each login and logout event is logged in the systemd journal (get them using `journalctl -t sshd`), but those records contain only SSH fingerprints. This program maps fingerprints to SSH public keys and logs SSH events with the public key users that are usually stored in public key comments. The program's log will look like this: ---- <nil> INF ssh event event time="2023-05-27 21:30:57 +0000 UTC" event type=login key user=alice@fedora port=44670 source ip=192.168.1.24 username=root <nil> INF ssh event event time="2023-05-27 21:31:00 +0000 UTC" event type=logout key user=alice@fedora port=44670 source ip=192.168.1.24 username=root <nil> INF ssh event event time="2023-05-28 16:02:55 +0000 UTC" event type=login key user=charlie@fedora port=53456 source ip=192.168.1.24 username=root <nil> INF ssh event event time="2023-05-28 16:02:59 +0000 UTC" event type=logout key user=charlie@fedora port=53456 source ip=192.168.1.24 username=root ---- It shows which public key was used to login to the system (the `key user` field) and under which account (the `username` field). == Building === Prerequisites * Go version 1.19 and higher (most likely works with earlier versions too, but I haven't tested). * `systemd-devel` (Fedora, Red Hat, CentOS) or `libsystemd-dev` (Debian, Ubuntu) to work with the `sdjournal` module Clone this repo: [source,console] ---- git clone https://github.com/pavelanni/ssh-login-monitor.git ---- === Run From the main directory run: [source,console] ---- go run ./... -l test/secure.log -d test/fingerprints.db -a test/authorized_keys -o sum ---- You should see the following output: [source,none] ---- 2023/06/11 20:11:26 adding keys from file: test/authorized_keys 2023/06/11 20:11:26 adding fingerprint for user alice@fedora 2023/06/11 20:11:26 adding fingerprint for user bob@fedora 2023/06/11 20:11:26 adding fingerprint for user charlie@fedora root alice@fedora 192.168.1.24 2023-04-27 10:21:19 2023-04-27 10:21:22 3s root bob@fedora 192.168.1.24 2023-04-27 10:21:34 2023-04-27 10:21:37 3s root charlie@fedora 192.168.1.24 2023-04-27 10:21:55 2023-04-27 10:21:58 3s ---- === Build . Build the application: + [source,console] ---- make build ---- By default it builds the binary for the system you are running the build. Most likely it's Linux on x86_64, where you are going to use this tool. Copy the binary from `bin/slm` to the system where you are going to use it. == Using #THIS IS NOT IMPLEMENTED YET# . Collect the SSH fingerprints in the database. Specify the `authorized_keys` file when running this app. + [source,console] ---- # slm -a ~/.ssh/authorized_keys ---- . Run this app against a log file--for example, `/var/log/secure`. It will print out the logins and logouts of each user based on the fingerprints database. . If you want to keep monitoring logins, run the app with the `-f` flag. It will constantly monitor the specified file and print out the events as they happen. . Output formats: ** `-o sum` prints the summary of completed sessions with user names, login and logout times, session duration ** `-o log` prints the log of login/logout events with usernames, times ** `-o json` prints the list of login/logout events in JSON format (can be imported into another tool) ** `-o csv` prints the list of login/logout events in CSV format
Directories
Click to show internal directories.
Click to hide internal directories.