Configure SSH Logging on IBMi

There are a lot of parameters to configure our SSH server, and we should do some hardening to secure it: only use SSH-2, limit user access, configure an idle logout time, etc.

IBM i comes with a default configuration file that we should review before starting SSH on a production server. There is good documentation about SSH best practices, but that is not the purpose of this post.

The purpose of this post is to show how to configure SSH logging, so we can monitor access to our server. The SSH daemon config is in:

/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/ssh_config

By default, SSH logging is disabled (the logging lines are commented out):

# Logging
# obsoletes QuietMode and FascistLogging
# SyslogFacility AUTH
# LogLevel INFO

If we just uncomment the lines "SyslogFacility" and "LogLevel", nothing will happen.

The reason is that the SSH daemon uses a syslog facility to forward the SSH events to a syslog daemon, and there is none listening yet. But we are lucky: we have syslog in PASE. (This reminded me of my old blog entry about how to use syslog and rsync: Remote syslog on IBMi.)

So our next step is to configure syslog. Silly me, I spent many hours trying to get syslog up and running... until I figured out that the syslog config file has to be in /QOpenSys/etc/syslog.conf instead of /etc/syslog.conf like on *nix systems. YAK!

touch /QOpenSys/etc/syslog.conf
# Syslog config, general all info events
*.info                /var/log/messages
# Syslog config for auth events
auth.info             /var/log/auth

mkdir /var/log
touch /var/log/messages
touch /var/log/auth

The first line specifies that all syslog info messages will go to the file /var/log/messages (it is necessary to create the files first), and the second that all auth.info messages will go to /var/log/auth. We could be more specific and send only the ssh messages to a file such as "ssh.log".

So next steps are:

1. Stop SSH. Be sure all your sessions are disconnected. By default, stopping SSH does not disconnect the existing SSH sessions: even if we stop SSH (ENDTCPSVR *SSHD), the current sessions will stay alive.

There are two ways to solve this issue: NETSTAT -> option 3 -> End Job, or check the file sshd.pid and run "kill -9 pid".

But we can also change some settings in sshd.conf so that unresponsive SSH clients are disconnected:

ClientAliveInterval 60
ClientAliveCountMax 3

2. In PASE, start "syslogd"

For debugging, you can start "syslogd -d" to check your configuration. But take care: I ended up with 10 syslogd jobs running on the system, and they took almost 100% of the CPU.

It should be fine to run syslogd as a batch job:

SBMJOB CMD(STRQSH CMD('/QOpenSys/usr/sbin/syslogd'))

3. Start SSH

There is a tool, logger, to check our syslog config:

logger "Testing...."

cat /var/log/messages
Oct  3 15:32:02 DISIxxxx2 user:notice acl: Testing....


Now, open an SSH session and check the files:

cat /var/log/auth

Oct  3 15:08:01 DISIxxxx2 auth|security:info sshd[19750]: Accepted password for acl from 1xxxxxxx port 54269 ssh2
Oct  3 15:08:01 DISIxxxx2 auth|security:info sshd[19751]: Accepted password for acl from 1xxxxxxx port 54270 ssh2
Oct  3 15:09:37 DISIxxxx2 auth|security:info sshd[19759]: Accepted password for acl from 1xxxxxxx port 54275 ssh2
Oct  3 15:09:37 DISIxxxx2 auth|security:info sshd[19760]: Accepted password for acl from 1xxxxxxx port 54276 ssh2

And the info messages:

cat /var/log/messages

Oct  3 15:09:27 DISIxxxx2 syslog:info syslogd: restart
Oct  3 15:09:37 DISIxxxx2 auth|security:info sshd[19759]: Accepted password for acl from 1xxxxxxx port 54275 ssh2
Oct  3 15:09:37 DISIxxxx2 auth|security:info sshd[19760]: Accepted password for acl from 1xxxxxxx port 54276 ssh2
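Once /var/log/auth starts filling up, the next step is to actually monitor it. As an added example (not part of the original post), here is a small Python parser for the PASE syslog line format shown above that counts sshd logins per user and source address and flags sources with repeated failures; the log lines and IP addresses in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter

# Line format as seen in /var/log/auth on this page, e.g.
# "Oct  3 15:08:01 HOST auth|security:info sshd[19750]: Accepted password for acl from X port 54269 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<facility>[^:\s]+):(?P<priority>\S+) "
    r"(?P<prog>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication outcome in the message part (also covers "invalid user" failures)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    a = AUTH_RE.match(rec["msg"]) if rec["prog"] == "sshd" else None
    rec["auth"] = a.groupdict() if a else None  # None for non-login lines
    return rec

def summarize(lines, fail_threshold=3):
    """Count accepted/failed sshd logins per (user, source); list sources at or over fail_threshold failures."""
    accepted, failed, fails_by_src = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["auth"] is None:
            continue
        a = rec["auth"]
        key = (a["user"], a["src"])
        if a["result"] == "Accepted":
            accepted[key] += 1
        else:
            failed[key] += 1
            fails_by_src[a["src"]] += 1
    suspicious = sorted(s for s, n in fails_by_src.items() if n >= fail_threshold)
    return {"accepted": accepted, "failed": failed, "suspicious_sources": suspicious}

# Constructed sample input (not from the page): one success, three failures from one source
SAMPLE_LOG = """\
Oct  3 15:08:01 DISIxxxx2 auth|security:info sshd[19750]: Accepted password for acl from 192.0.2.10 port 54269 ssh2
Oct  3 15:09:27 DISIxxxx2 syslog:info syslogd: restart
Oct  3 15:10:02 DISIxxxx2 auth|security:info sshd[19761]: Failed password for acl from 198.51.100.7 port 41001 ssh2
Oct  3 15:10:05 DISIxxxx2 auth|security:info sshd[19762]: Failed password for invalid user admin from 198.51.100.7 port 41002 ssh2
Oct  3 15:10:09 DISIxxxx2 auth|security:info sshd[19763]: Failed password for invalid user root from 198.51.100.7 port 41003 ssh2
"""
```

Run summarize(open("/var/log/auth").read().splitlines()) on the real file; the "suspicious_sources" entry is the list a monitoring job should alert on.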