How to display commands executed via ssh and their user's IP?

I asked a question before, but I didn't get a satisfying answer in:
How can I display ssh commands executed from another machine?

So I'll ask this time precisely.

How to display commands and their users/IPs, executed on my server via SSH.
I'm looking for something like this:

#tail .bash_history
192.168.1.101 : vi /etc/ssh/sshd_config
192.168.1.102 : ls -l
192.168.1.101 : cd .ssh
192.168.1.101 : systemctl reload sshd.service
192.168.1.102 : service --status-all
etc...

linux bash shell ssh networking






edited Apr 13 '17 at 12:36 by Community
asked Mar 23 '17 at 10:03 by zied







  • You would need some shell logger to get all of that information. Bash is storing the history, but not the IP addresses.

    – Jakuje
    Mar 23 '17 at 13:02

  • rewrite bash to take $SSH_CONNECTION into account when writing .bash_history

    – Archemar
    Mar 23 '17 at 13:53

  • @Jakuje yes, but could change how to write this log. I added this line export HISTTIMEFORMAT=$USER@$(hostname -I)" " to this file /etc/bash.bashrc, it didn't work of course.

    – zied
    Mar 24 '17 at 7:52

  • @Archemar $SSH_CONNECTION is a variable in the client's host only, not in the server.

    – zied
    Mar 24 '17 at 7:54

  • Try this document. It will be helpful for you. (askubuntu.com/questions/93566/…).

    – Sachin
    Aug 13 '18 at 5:32

2 Answers
Found the question interesting, so I googled a little, and found this.

More precisely, you need to add this line to your sshd_config.

ForceCommand logger -p user.notice "$SSH_ORIGINAL_COMMAND"

According to man sshd_config:

ForceCommand

Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.

On my Debian rsyslog installation user.* is written to /var/log/user.log







answered Mar 23 '17 at 15:42 by V.Frenot
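
An added example, not part of the answer above or of OpenSSH: a ForceCommand wrapper that logs the client address from SSH_CONNECTION together with the user and the requested command, replaces control characters so a crafted command cannot forge log lines, and then runs the command so the session still works. The install path /usr/local/sbin/ssh-audit-wrapper, the syslog tag and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the answer. Assumed install path, referenced from
# sshd_config as:  ForceCommand /usr/local/sbin/ssh-audit-wrapper

# sshd sets SSH_CONNECTION in the session environment as
# "client_ip client_port server_ip server_port"; keep the first field.
client_ip() {
    conn=${1:-}
    if [ -z "$conn" ]; then
        printf 'unknown'
    else
        printf '%s' "${conn%% *}"
    fi
}

# Replace control characters (newlines included) with "?" so one command
# always produces exactly one syslog line.
sanitize() {
    printf '%s' "$1" | tr '[:cntrl:]' '?'
}

# Build "<ip> <user> : <command>".
# $1 = SSH_CONNECTION, $2 = user, $3 = SSH_ORIGINAL_COMMAND (may be empty)
audit_line() {
    cmd=${3:-}
    [ -n "$cmd" ] || cmd='(interactive login shell)'
    printf '%s %s : %s' "$(client_ip "$1")" "$(sanitize "$2")" "$(sanitize "$cmd")"
}

ssh_audit_main() {
    logger -p user.notice -t ssh-audit -- \
        "$(audit_line "${SSH_CONNECTION:-}" "$(id -un)" "${SSH_ORIGINAL_COMMAND:-}")"
    shell=${SHELL:-/bin/sh}
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "$shell" -c "$SSH_ORIGINAL_COMMAND"   # run what the client asked for
    else
        exec "$shell" -l                           # plain "ssh host": login shell
    fi
}

# Run only when invoked under the wrapper's name, so the functions above can
# be sourced or tested without executing anything.
case "$0" in
    */ssh-audit-wrapper) ssh_audit_main ;;
esac
```

This records one line per SSH session or remote command; commands typed inside an interactive session are not seen by the wrapper.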























Try this (https://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server). Just edit the /etc/bash.bashrc file and add the line

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

at the bottom of the file and save it.







answered Aug 13 '18 at 5:35 by Sachin
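
An added example, not part of the answer above: the same PROMPT_COMMAND approach extended so each logged command carries the SSH client address, which is the "IP : command" layout the question asks for. The function names and the bash-audit syslog tag are assumptions; the fragment is meant for /etc/bash.bashrc.

```sh
# Added example, not from the answer: /etc/bash.bashrc fragment.

# `history 1` prints "  123  command"; drop the leading entry number and
# flatten control characters so a multi-line command stays on one log line.
audit_strip_histnum() {
    printf '%s' "$1" | sed 's/^[ ]*[0-9][0-9]*[ ]*//' | tr '[:cntrl:]' ' '
}

# Build "<ip> <user> [pid]: <command> [exit status]".
# $1 = SSH_CONNECTION, $2 = user, $3 = shell pid, $4 = history entry, $5 = status
# "local" is used when SSH_CONNECTION is empty (console or su session).
audit_format() {
    ip=${1%% *}
    [ -n "$ip" ] || ip=local
    printf '%s %s [%s]: %s [%s]' "$ip" "$2" "$3" "$(audit_strip_histnum "$4")" "$5"
}

audit_prompt_hook() {
    audit_status=$?    # must come first: exit status of the command just run
    logger -p local6.debug -t bash-audit -- \
        "$(audit_format "${SSH_CONNECTION:-}" "$(whoami)" "$$" "$(history 1)" "$audit_status")"
}

# Install the hook in interactive shells only.
case "$-" in
    *i*) PROMPT_COMMAND=audit_prompt_hook ;;
esac
```

PROMPT_COMMAND lives in the user's own shell and can be unset or bypassed by starting another shell, so treat this log as a convenience record and not as a tamper-resistant audit trail.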


























