SSH (Secure Shell) is one of the most commonly used protocols to access and manage Linux servers remotely. Monitoring and auditing SSH access is essential for ensuring the security of your system. By enabling detailed logging of SSH access, you can track all connection attempts, successful logins, failed logins, and other crucial security-related activities. In this article, we'll walk you through the steps to enable detailed logging of SSH access on Linux.
Step 1: Configure SSHD for Detailed Logging
The first step to enabling detailed SSH logging is to configure the SSH daemon (sshd) to log at a more verbose level. By default, SSH logs are set to INFO level, which provides basic information about user logins and errors. Increasing the verbosity will log additional details, such as failed authentication attempts and other security-related information. To change the logging level, you'll need to modify the sshd_config file, which is typically located at /etc/ssh/sshd_config.
Open this file in a text editor: sudo nano /etc/ssh/sshd_config
In the sshd_config file, locate the LogLevel directive. By default, it might be set to INFO. To get more detailed logs, change this to VERBOSE:
LogLevel VERBOSE
Here’s a breakdown of the different LogLevel options:
- QUIET: Only log critical errors.
- FATAL: Log only fatal errors.
- ERROR: Log errors and above.
- INFO: Log informational messages (default level).
- VERBOSE: Log more detailed information, including authentication failures and connection attempts.
- DEBUG: Extremely detailed logs, useful for debugging but very verbose.
- DEBUG1, DEBUG2, DEBUG3: Various levels of debug verbosity.
For most use cases, VERBOSE strikes a good balance, providing more information without overwhelming you with excessive detail.
After modifying the sshd_config file, save your changes and exit the text editor. Then, restart the SSH service to apply the new logging configuration:
Step 2: Configure System Logging to Capture SSH Logs
SSH logs are usually captured by the system's logging service, such as rsyslog or systemd-journald. These services ensure that logs are written to a file where they can be reviewed later. Let’s go over how to ensure SSH logs are being captured by your system logging service.
On many Linux distributions, rsyslog is used to handle logs. To check if rsyslog is running, use the following command:
If it's not running, start it with:
2.2 Check Log Files
SSH logs are typically written to specific files depending on your Linux distribution:
- On Debian/Ubuntu-based systems, logs are stored in /var/log/auth.log.
- On Red Hat/CentOS/Fedora-based systems, logs are stored in /var/log/secure.
You can view these logs with commands like:
or
2.3 Ensure Persistent Logging with systemd
By default, journald stores log-in memory, meaning they are lost after a reboot. To store logs on disk, you need to configure systemd for persistent logging.
Edit the /etc/systemd/journald.conf file and ensure the following line is set:
Storage=persistent
Restart the systemd-journald service for the changes to take effect:
Step 3: Review the Logs
Once you've enabled verbose SSH logging and ensured that your system is capturing the logs, you can start reviewing them.
SSH logs will contain valuable information, such as:
- Connection attempts: Both successful and failed login attempts.
- IP addresses: The IP addresses of users connecting to your server.
- Authentication methods: Which authentication methods were used, e.g., password, public key, or others.
- Timestamps: When users attempt to log in or log out.
To keep an eye on these logs in real-time, you can use the tail command:
sudo tail -f /var/log/auth.log
sudo tail -f /var/log/secure
sudo journalctl -u sshd --since "1 hour ago"
Conclusion
Enabling detailed SSH logging is a crucial step in enhancing the security of your Linux server. By configuring SSH to log at a verbose level and ensuring that the logs are captured by your system's logging service, you can effectively monitor access and detect any suspicious activity. Regularly reviewing these logs allows you to spot unauthorized access attempts, troubleshoot connection issues, and maintain a secure environment for your Linux systems.
