Is it possible to list the last number of X users that logged on SSH/Telnet. Redhat 6.2..

You mean like the last 5 sessions?

try ..


last -5

<-- obviously not a sys admin..

Thanks :)

turn off telnet

is there a way to see what they are doing on telnet (when thy are connetted) or what they have done ?


thanks

In their home dir there should be a file called .bash_history.
That's the commands they have ran while being logged on.

hmm... can't finde this file.... :bawling:
Is ther another way?

PS: it's a CPanel server....


thanks

I would recommend for you to shutdown Telnet and use SSH, your just asking for problems if not.. I would also set up an IPChain or IPTable and block access to the telnet port, so someone cannot try a DoS attack through a webbrowser using that port.

Originally posted by mercury
hmm... can't finde this file.... :bawling:
Is ther another way?

PS: it's a CPanel server....


thanks

The user can remove, edit or link their .bash_history file (or whatever their history file might be called on your system -- maybe depending on the shell they have) and the information might not be there or accurate. You can use a TTY snoop tool to log everything they type, but that's not wise and it would be a privacy issue. Of course, just looking in their history file might bring up privacy issue too. However, if you have good cause to look, you surely have a justified reason and it's your duty to make sure they aren't doing attacks, spamming, running tools they shouldn't or trying to run exploits or breaching your TOS, etc., or whatever reason there is.

Logging a user's actions (via tty or whatever) might probably be okay, if you notify them of this fact (via motd, issue, or whatever). But to specifically monitor a user, if they are a specific user, or a few, you probably should think if you should have them on the system. However, it might be good to implement a policy and inform the user's that all their actions are logged, for whatever good and legitimate reason you have to do it (so they can make sure they don't type anything that they consider private to them). Of course, then there are other issues that bring some cons to this policy too -- such as if your system was to be compromised, there would be a huge amount of useful data to a system cracker to get a hold of that file -- usually). There's other issues involved, but some to consider. Just if you do this, make sure to let the clients know so they can be able to agree with it or not.

Here is a tool to snoop on TTYs:

http://freshmeat.net/projects/ttysnoop/

Read Tim's essay before you use it, though. :)

My opinion on this is that as long as they are notified, it's OK to see what they're doing. What could they be do that they wouldn't want you to see AND that they can't do on their own computer?

ebo,

A couple of things:

First, disable telnet as everyone said. You can do this by commenting the telnet line in /etc/inetd.conf and rebooting the server, then users will have to use an ssh client to login.

Second, every time a user logs into the shell, a file called ".bash_history" will be placed on their user directory. You can prevent users from deleting this file by running this command as root:

chattr +a /home/username/.bash_history

Hope this helps :)

Hmmm. Hi Tim, for some reason I skipped your post :)

Yes, Tim is correct. We, however state very clearly that we will read the user's bash history file and if they tamper with it or remove it, we will suspend their shell access immediately :)

I agree with Bert's advice, as that is a viable solution. To set the attributes (the chattr command Bert mentioned), will make it so the file can only be appended to -- not deleted, moved (move will only make a copy nd not touch the original file), etc. it will still write the information and log it. Be sure to do this for any history file of any shell. To do it for all users, type something like: "chattr +a /home/*/.bash_history" ... Also, make sure the user can't set their history limit in their profile. There, you could disable it or set it low.

Originally posted by Tim_Greer
I agree with Bert's advice, as that is a viable solution. To set the attributes (the chattr command Bert mentioned), will make it so the file can only be appended to -- not deleted, moved (move will only make a copy nd not touch the original file), etc. it will still write the information and log it. Be sure to do this for any history file of any shell. To do it for all users, type something like: "chattr +a /home/*/.bash_history" ... Also, make sure the user can't set their history limit in their profile. There, you could disable it or set it low.

A couple more things to consider:

- A user can upload his/her own shell without history support, then execute it from a session.

- A user can use another shell. Tcsh, zsh are usually available on any Linux system

- A user can make bash logging to another file than .bash_history

Hey, for some reason, I forgot about this thread, but Bert, thanks for the advice on the .bash_history file, i tried chowing it, but then they couldn't write to it. ;)

Of course, I already had telnet disabled, long time ago. When I first got the server I disabled that.. But again, thanks for the info on the .bash_history file, that will be helpful.

Glad to help :)