log every keystroke of a user

 
njia_1
Trusted Contributor

log every keystroke of a user

Hi

Is there a way to log absolutely every keystroke of a user? For example, user root.

thanks
Alexander Chuzhoy
Honored Contributor
Solution

Re: log every keystroke of a user

What about the `history` command?
You have the commands saved in .bash_history
inside home directory. I assume you use bash.
Steven E. Protter
Exalted Contributor

Re: log every keystroke of a user

Shalom njia

HISTFILE=/root/.bash_history
HISTSIZE=5000
export HISTFILE HISTSIZE

It's standard in the bash shell. .bash_profile

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
njia_1
Trusted Contributor

Re: log every keystroke of a user

Hi

Thanks for your reply, history file does not do the job I want.

History files only have a record of all the commands; what I want to do is to record all the keystrokes, including typing errors. The log will happen on both local and a remote log host. History files can be deleted and modified easily.

thanks
Joseph Loo
Honored Contributor

Re: log every keystroke of a user

hi,

if u got $$$, take a look at this:

http://www.symark.com/powerbroker.htm

else, another way is to use the script command which u define in the user's profile. "man script" for more detail.

regards.
(p.s. wat happen to the post u started on "interesting...")
what you do not see does not mean you should not believe
Steven E. Protter
Exalted Contributor

Re: log every keystroke of a user

Okay, you are going overboard.

The HISTFILE logs mistakes if enter is hit.

This level of monitoring, if applied to all users can impede performance. If only for root, the HISTFILE is a good enough tool.

Good Luck,

SEP
Huc_1
Honored Contributor

Re: log every keystroke of a user

Hello Njia

If what you need is to log everything for someone you gave priv to "like root for install of a product/applic" you can ask them to use something like the following.

ssh 'hostname' | tee install_product.log

every modification will be in the install_product.log and if you keep an eye on the content of last and use command stat you will be able to figure out if the file has been edited/modified after log out.

Hope this helps.

Jean-Pierre Huc
Smile I will feel the difference
Ivan Ferreira
Honored Contributor

Re: log every keystroke of a user

If you want to really log absolutely ALL keystrokes, you can use the script command.

You can also configure auditing. Take into account that if you configure the HISTORY variables, root can easily modify that configuration.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Bill Thorsteinson
Honored Contributor

Re: log every keystroke of a user

There is a package which allows you to
snoop the tty. Highly invasive though.
Alan_152
Honored Contributor

Re: log every keystroke of a user

do a google for "linux keylogger"... lots of good ones are listed...
njia_1
Trusted Contributor

Re: log every keystroke of a user

Hi All,

Thanks for all your replies. The reason I want to do this is that someone is trying to log in to my home network every day. Last Thursday, a guy from Japan spent 7.5 hours running a program to guess my root password.

Now I have a dual firewall setup: the first one is a Cisco router and the second is a Linux-based firewall/VPN application. I also want to set up a honey port to let those people get in so that I can study them and get some idea of what they want, so I would like to know every keystroke for a specific user. Also, this log must happen on a remote host as well, because these files can be easily destroyed on a host they can log in to.

thanks again :)
njia_1
Trusted Contributor

Re: log every keystroke of a user

Hi Bill,

Where can I find that software you mentioned? I also think tty is the correct direction, as all these users only have remote access.

Just remembered something: is it possible to do this when a user logs in using ssh? Maybe I should modify the sshd source code to do this :)

thanks
Steven E. Protter
Exalted Contributor

Re: log every keystroke of a user

Shalom,

I suggest you do the following:

1) Knowing the guy's keystrokes will not help. STOP the login.
2) Disable telnet in /etc/xinetd.d/ service restart xinetd if it was disable=no
3) Have your firewalls limit ssh login to known good addresses. You can include a range that includes your home ISP if you work on the system at home. If necessary, use a simple iptables setup to stop this. This is serious and can't wait for a software installation that will not help stop the abuse.

SEP
Huc_1
Honored Contributor

Re: log every keystroke of a user

I agree with limiting the inbound/port traffic to a strict, very tailored minimum. If you are using ssh there is also a tool, denyhosts-1.1.4, that helps you monitor the ssh port and puts the offender IP addresses it finds into hosts_deny; this can run from crontab or as a daemon, and is very configurable (it is written in Python).

You will find more info on this at

http://denyhosts.sourceforge.net/

But first, as pointed out by SEP, I would shut everything not known to be safe... It may also be that your system is now too compromised/suspect... you have a good restorable backup? Or maybe this is not a very important system?

Anyhow, the above tool is good to have!

Jean-Pierre Huc
Smile I will feel the difference
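
An added example, not part of the thread and not DenyHosts' own code: the kind of check described in the post above, counting failed sshd password attempts per source address in a constructed log sample and emitting hosts.deny-style entries. The log lines, the threshold and the `allow` list of known-good networks are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of sshd auth log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
Jan 12 03:10:01 fw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 12 03:10:03 fw sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan 12 03:10:05 fw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan 12 03:11:40 fw sshd[2110]: Failed password for njia from 192.0.2.25 port 51000 ssh2
Jan 12 03:11:44 fw sshd[2110]: Accepted password for njia from 192.0.2.25 port 51000 ssh2
Jan 12 03:12:09 fw sshd[2114]: Failed password for invalid user x from 192.0.2.25 port 22 ssh2 from 198.51.100.9 port 40300 ssh2
"""

# Anchored at end of line: the address is always the last "from ... port N ssh2",
# so a user name that itself contains " from <ip>" cannot redirect the block.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_logins(log_text):
    """Count failed sshd password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
        except ValueError:
            continue  # not a literal address (e.g. a hostname); skip it
    return counts

def deny_entries(log_text, threshold=3, allow=("192.0.2.0/24",)):
    """Return hosts.deny-style lines for addresses at or over the threshold.

    `allow` is an assumed list of known-good networks that are never blocked.
    """
    allowed = [ipaddress.ip_network(n) for n in allow]
    entries = []
    for ip, n in sorted(failed_logins(log_text).items(), key=lambda kv: str(kv[0])):
        if n >= threshold and not any(ip in net for net in allowed):
            entries.append(f"sshd: {ip}")
    return entries

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG)))
```

The last sample line carries a user name that embeds a second "from" address; the end-of-line anchor keeps the count on the real source, and the allow list keeps the known-good network out of the deny output.
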
Alan_152
Honored Contributor

Re: log every keystroke of a user

In this case, you don't need a keylogger -- you need a firewall and a packet sniffer. Also, you need to trace back to the source of the intrusion, and talk to the netadmins of each network in between you and the cracker to get the offender blocked at as many sources as possible.

Final note -- you'll want to preserve as best you can your evidence. Do a search on "chain of custody" at any good CISSP web site.
njia_1
Trusted Contributor

Re: log every keystroke of a user

Hi

Thanks again for your replies. Set up a honey port and let them log in to that host and study them, that is what I want to do. Currently my firewall/access control list and very strong passwords are doing a good job for me. I am not saying no one can break in, but I do not think someone will spend that amount of time and resources to try to break into my home network. Even if they break in, there is nothing there :)

So, I want to let them log in (SSH only of course) and I want to know what they are looking for and what they want to do. Do you think the first thing they do is to destroy my hard disk? It would be very interesting to find out, wouldn't it? :)

Will take all your advice and have a look at all the tools recommended by you guys, thanks again

thanks