How to display commands executed via ssh and their user's IP?
Clash Royale CLAN TAG#URR8PPP
I asked a question before, but I didn't get a satisfying answer in :
How can I display ssh commands executed from another machine?
so I'll ask this time precisely.
How to display commands and their users/IP's, executed in my server via SSH.
I'm looking to something like this :
#tail .bash_history etc...
192.168.1.101 : vi /etc/ssh/sshd_config
192.168.1.102 : ls -l
192.168.1.101 : cd .ssh
192.168.1.101 : systemctl reload sshd.service
192.168.1.102 : service --status-all
linux bash shell ssh networking
edited Apr 13 '17 at 12:36
Community♦
1
asked Mar 23 '17 at 10:03
ziedzied
564
add a comment |
I asked a question before, but I didn't get a satisfying answer in :
How can I display ssh commands executed from another machine?
so I'll ask this time precisely.
How to display commands and their users/IP's, executed in my server via SSH.
I'm looking to something like this :
#tail .bash_history etc...
192.168.1.101 : vi /etc/ssh/sshd_config
192.168.1.102 : ls -l
192.168.1.101 : cd .ssh
192.168.1.101 : systemctl reload sshd.service
192.168.1.102 : service --status-all
linux bash shell ssh networking
edited Apr 13 '17 at 12:36
Community♦
1
asked Mar 23 '17 at 10:03
ziedzied
564
1
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
@Jakuje yes, but could change how to write this log. I added a this lineexport HISTTIMEFORMAT=$USER@$(hostname -I)" "to this file/etc/bash.bashrc, it didn't work of course.
– zied
Mar 24 '17 at 7:52
@Archemar$SSH_CONNECTIONis a variable in the client's host only, not in the server.
– zied
Mar 24 '17 at 7:54
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32
add a comment |
I asked a question before, but I didn't get a satisfying answer in :
How can I display ssh commands executed from another machine?
so I'll ask this time precisely.
How to display commands and their users/IP's, executed in my server via SSH.
I'm looking to something like this :
#tail .bash_history etc...
192.168.1.101 : vi /etc/ssh/sshd_config
192.168.1.102 : ls -l
192.168.1.101 : cd .ssh
192.168.1.101 : systemctl reload sshd.service
192.168.1.102 : service --status-all
linux bash shell ssh networking
edited Apr 13 '17 at 12:36
Community♦
1
asked Mar 23 '17 at 10:03
ziedzied
564
I asked a question before, but I didn't get a satisfying answer in :
How can I display ssh commands executed from another machine?
so I'll ask this time precisely.
How to display commands and their users/IP's, executed in my server via SSH.
I'm looking to something like this :
#tail .bash_history etc...
192.168.1.101 : vi /etc/ssh/sshd_config
192.168.1.102 : ls -l
192.168.1.101 : cd .ssh
192.168.1.101 : systemctl reload sshd.service
192.168.1.102 : service --status-all
linux bash shell ssh networking
linux bash shell ssh networking
edited Apr 13 '17 at 12:36
Community♦
1
asked Mar 23 '17 at 10:03
ziedzied
564
edited Apr 13 '17 at 12:36
Community♦
1
asked Mar 23 '17 at 10:03
ziedzied
564
edited Apr 13 '17 at 12:36
Community♦
1
edited Apr 13 '17 at 12:36
Community♦
1
edited Apr 13 '17 at 12:36
Community♦
1
1
asked Mar 23 '17 at 10:03
ziedzied
564
asked Mar 23 '17 at 10:03
ziedzied
564
asked Mar 23 '17 at 10:03
ziedzied
564
564
1
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
@Jakuje yes, but could change how to write this log. I added a this lineexport HISTTIMEFORMAT=$USER@$(hostname -I)" "to this file/etc/bash.bashrc, it didn't work of course.
– zied
Mar 24 '17 at 7:52
@Archemar$SSH_CONNECTIONis a variable in the client's host only, not in the server.
– zied
Mar 24 '17 at 7:54
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32
add a comment |
1
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
@Jakuje yes, but could change how to write this log. I added a this lineexport HISTTIMEFORMAT=$USER@$(hostname -I)" "to this file/etc/bash.bashrc, it didn't work of course.
– zied
Mar 24 '17 at 7:52
@Archemar$SSH_CONNECTIONis a variable in the client's host only, not in the server.
– zied
Mar 24 '17 at 7:54
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32
1
1
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
@Jakuje yes, but could change how to write this log. I added a this line
export HISTTIMEFORMAT=$USER@$(hostname -I)" " to this file /etc/bash.bashrc , it didn't work of course.– zied
Mar 24 '17 at 7:52
@Jakuje yes, but could change how to write this log. I added a this line
export HISTTIMEFORMAT=$USER@$(hostname -I)" " to this file /etc/bash.bashrc , it didn't work of course.– zied
Mar 24 '17 at 7:52
@Archemar
$SSH_CONNECTION is a variable in the client's host only, not in the server.– zied
Mar 24 '17 at 7:54
@Archemar
$SSH_CONNECTION is a variable in the client's host only, not in the server.– zied
Mar 24 '17 at 7:54
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32
add a comment |
2 Answers
2
active
oldest
votes
Found the question interesting, so I googled a little, and find this.
More precisely, you need to add this line to your sshd_config.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
According to the man sshd_config:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
On my debian rsyslog installation user.* is written to /var/log/user.log
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
add a comment |
Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ][0-9]+[ ]//" ) [$RETRN_VAL]" at bottom of the file and save it.
answered Aug 13 '18 at 5:35
SachinSachin
83
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f353289%2fhow-to-display-commands-executed-via-ssh-and-their-users-ip%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Found the question interesting, so I googled a little, and find this.
More precisely, you need to add this line to your sshd_config.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
According to the man sshd_config:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
On my debian rsyslog installation user.* is written to /var/log/user.log
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
add a comment |
Found the question interesting, so I googled a little, and find this.
More precisely, you need to add this line to your sshd_config.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
According to the man sshd_config:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
On my debian rsyslog installation user.* is written to /var/log/user.log
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
add a comment |
Found the question interesting, so I googled a little, and find this.
More precisely, you need to add this line to your sshd_config.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
According to the man sshd_config:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
On my debian rsyslog installation user.* is written to /var/log/user.log
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
Found the question interesting, so I googled a little, and find this.
More precisely, you need to add this line to your sshd_config.
ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"
According to the man sshd_config:
ForceCommand
Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
On my debian rsyslog installation user.* is written to /var/log/user.log
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
answered Mar 23 '17 at 15:42
V.FrenotV.Frenot
387
387
add a comment |
add a comment |
Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ][0-9]+[ ]//" ) [$RETRN_VAL]" at bottom of the file and save it.
answered Aug 13 '18 at 5:35
SachinSachin
83
add a comment |
Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ][0-9]+[ ]//" ) [$RETRN_VAL]" at bottom of the file and save it.
answered Aug 13 '18 at 5:35
SachinSachin
83
add a comment |
Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ][0-9]+[ ]//" ) [$RETRN_VAL]" at bottom of the file and save it.
answered Aug 13 '18 at 5:35
SachinSachin
83
Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ][0-9]+[ ]//" ) [$RETRN_VAL]" at bottom of the file and save it.
answered Aug 13 '18 at 5:35
SachinSachin
83
answered Aug 13 '18 at 5:35
SachinSachin
83
answered Aug 13 '18 at 5:35
SachinSachin
83
answered Aug 13 '18 at 5:35
SachinSachin
83
83
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f353289%2fhow-to-display-commands-executed-via-ssh-and-their-users-ip%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
You would need some shell logger to get all of that information. Bash is storing the history, but not the ip addresses.
– Jakuje
Mar 23 '17 at 13:02
rewrite bash to take $SSH_CONNECTION into account when writing .bash_history
– Archemar
Mar 23 '17 at 13:53
@Jakuje yes, but could change how to write this log. I added a this line
export HISTTIMEFORMAT=$USER@$(hostname -I)" "to this file/etc/bash.bashrc, it didn't work of course.– zied
Mar 24 '17 at 7:52
@Archemar
$SSH_CONNECTIONis a variable in the client's host only, not in the server.– zied
Mar 24 '17 at 7:54
Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).
– Sachin
Aug 13 '18 at 5:32