Tuesday, April 21, 2015

Monitoring users ssh tunnels (port forwarding)

I hope this aids others faced with the same issue. The problem was as follows. We have have a number of remote users to a Linux system who need to access resources on some machines on a private network range. There are a number of solutions that could be employed such as VPN but for a variety of reasons we have decided to use ssh.

The tunneling works fine via the allocated ssh server. It is quite secure in that all users are given private keys and password access is disabled along with fail2ban. And from a usage perspective it has proven very robust. But this is all on the basis that your users are trusted. Ours are to a point, but we still need some more visibility and accountability.

Whilst sshd does log connections and you can increase that verbosity up to debug level in sshd_config, it still will not make a record anywhere of tunnels created. In short sshd only allows you disable or enable port forwarding globally or per user. We still need more!

One option is to manually patch ssh:

An alternative quick and dirty solution is what I've gone with. I've put a cron running a variant of this (also pipped into another grep to limit to specific username groups) every minute which feeds that into a log file in /var/log. In turn this is rotated daily and compressed.

lsof -i -n | egrep '\'

Something perhaps like this in a script:
date | tr '\n' ' '; lsof -i -n | egrep '\' | grep -v 22; printf '\n'

insert the date, trim newline characters, get rid of ordinary port 22 notices as they're already catered for in auth.log. You may need to alter slightly to suit your needs.

In crontab -e you can do something like:

*/1 * * * * /sbin/showtunnels.sh >> /var/log/sshd_tunnels

1 minute might be to verbose or insufficient depending on your system. Ideally it would be useful to report only the changes every minute rather than keep reporting the same tunnels still being open but that is another days work. This is very much a work in progress!