Monitor outgoing SSH connections with iptables
Monitor outgoing SSH connections, writing a log entry for each to /var/log/messages. The resulting OUTPUT chain looks like this:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere             tcp dpt:ssh LOG level info prefix "SSH attempt: "
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
The /var/log/messages record looks like this:
Apr 4 13:20:46 widget kernel: SSH attempt: IN= OUT=eth0 SRC=123.456.78.9 DST=97.74.182.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=39375 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Commands to add such rules:
# Append the DROP rule to the end of the OUTPUT chain (blocks all outbound SSH)
iptables -A OUTPUT -p tcp --dport 22 -j DROP
# Insert the LOG rule at the head of the chain so it is evaluated before the DROP
iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-level info --log-prefix 'SSH attempt: '
Wow, that’s cool. I can auto-parse the log then to track down malware.
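One way to do that auto-parsing, as an added example that is not part of the original post: a small Python parser for the kernel LOG line layout shown above (syslog preamble, the 'SSH attempt: ' prefix, KEY=VALUE tokens and bare flag words such as DF, SYN, RST). It assumes the traditional "Mon DD HH:MM:SS host kernel: " preamble and the prefix from the rule on this page; the sample lines other than the one copied from the page are constructed, using documentation-range addresses.

```python
"""Parse netfilter LOG lines for outbound SSH attempts from /var/log/messages.

Added example; not the original author's code. Assumes the LOG prefix
'SSH attempt: ' set by the rule on the page and the standard kernel LOG
line layout (KEY=VALUE tokens plus bare IP/TCP flag words).
"""
import re
from collections import Counter

# Syslog preamble as written by klogd/rsyslog in the traditional format used on the page.
PREAMBLE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<rest>.*)$"
)

# Bare tokens the kernel LOG target emits without '=' (IP and TCP flag words).
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log_line(line, prefix="SSH attempt: "):
    """Return a dict of fields for one kernel LOG line, or None if the line
    is not a kernel line carrying the expected prefix. KEY=VALUE tokens
    become dict entries; bare flag words are collected into fields['flags']."""
    m = PREAMBLE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if not rest.startswith(prefix):
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in rest[len(prefix):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # e.g. SRC, DST, SPT, DPT, PROTO
        elif tok in FLAG_TOKENS:
            fields["flags"].add(tok)
    return fields


def is_new_ssh_attempt(fields):
    """True for the first packet of a new outbound SSH connection: TCP to
    port 22 with SYN set and ACK clear. A bare RST (like the packet logged on
    the page) or a mid-stream packet is logged too but is not a new attempt."""
    return (fields.get("PROTO") == "TCP" and fields.get("DPT") == "22"
            and "SYN" in fields["flags"] and "ACK" not in fields["flags"])


def summarize(lines, prefix="SSH attempt: "):
    """Count logged SSH packets and new connection attempts per destination.
    Returns (packets_by_dst, attempts_by_dst) as Counters."""
    packets, attempts = Counter(), Counter()
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        packets[fields["DST"]] += 1
        if is_new_ssh_attempt(fields):
            attempts[fields["DST"]] += 1
    return packets, attempts


# Sample input. The first line is the one shown on the page; the rest are constructed.
SAMPLE_LINES = [
    "Apr 4 13:20:46 widget kernel: SSH attempt: IN= OUT=eth0 SRC=123.456.78.9 DST=97.74.182.1 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=39375 DPT=22 WINDOW=0 RES=0x00 RST URGP=0",
    # constructed: a SYN to a documentation-range host, i.e. a genuine new attempt
    "Apr 4 13:21:02 widget kernel: SSH attempt: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # constructed: SYN retransmit to the same host after the DROP swallowed the first one
    "Apr 4 13:21:03 widget kernel: SSH attempt: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    # constructed: unrelated kernel message without the prefix, ignored by the parser
    "Apr 4 13:21:05 widget kernel: usb 1-1: new high-speed USB device number 4",
]


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/messages")) on the host running the rules.
    packets, attempts = summarize(SAMPLE_LINES)
    for dst in packets:
        print(f"{dst}: {packets[dst]} logged packets, {attempts[dst]} new connection attempts")
```

Two things worth knowing before pointing this at a real log: the LOG rule matches every packet to port 22, so one session (or one retry loop against the DROP rule) yields many lines, which is why the summary counts SYN-only packets separately; and the DROP rule blocks all outbound SSH from the host, so for monitoring without blocking keep only the LOG rule.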