Logging port forwarding


I'm trying to figure out whether there is a simple way in OpenSSH to log all
opened forwarded connections via ssh. I'm thinking about something like the
"Event log" in PuTTY, but server-side:

2005-11-24 12:03:18    Opening forwarded connection to 10.x.x.x:3389
2005-11-24 12:07:26    Forwarded port closed

This is required to allow matching network activity with user accounts on the
ssh host. In the system log on the ssh host there are no traces of such
logging... Is this possible at all without patching the sshd code?

Witold Rugowski

Re: Logging port forwarding

Connection establishment is logged at level "debug1", so setting "LogLevel
DEBUG1" or higher in sshd_config will put it in syslog (along with a
bunch of other stuff).  Not sure if connection termination will be
logged, though.

Note that if you're using it for audit purposes, it's possible to bypass
it with a user-run forwarder, eg "ssh yourhost nc remotehost 22".

If your OS has some kind of kernel-level accounting you might want to
investigate that.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
