How to trace ssh tunneled/proxied connections

Almost everyone knows ssh port forward (-L/-R) or dynamic port forward (-D) features. They are very useful. For example when connecting to the internet using hotspot or other free access point it's very good idea to use ssh dynamic port forward. Doing so prevents other users from beeing able to see your traffic.

I share one of my servers for trusted users allowing them to use ssh port forwards. I don't really care when they connect using my sshd proxy (unless it's hacking or other not allowed activities), but I'm kinda worried about volume of traffic those users generate (cause traffic is not free :)). I don't need detail (at the moment), but I would like to see how often and how long they use redirects.

Since almost all ssh accounts used for port forward are not even allowed to do full ssh login (they do not got proper shell set), those logins are not even visible when issuing
w or who commands. They are not even visible when using last . Users are using -f and -N ssh client switches which causes ssh go background without executing any command (which is very useful). It's hard to easly see if someone is using ssh port forward at the moment or not. I can grep sshd processes or use iptraf to check it, but it would not show me useful data at once.

Recently I've found two nice ways to trace those connections.

First is lsof with -i switch, which traces all opened sockets. I trace connections kinda realtime with watch:
watch -t -n.1 "lsof -i -n -P | grep sshd | grep -v \*"

-n and -P switches turn off dns and port names display. Running lsof watch 10 times a second with lot of open connections can cause really big DNS UDP flood (anyway, who needs revdns names of hosts?). This watch is really nice, shows connections (and their status) and users which generates those connections.

Second is netstat with -e switch. I trace connections kinda realtime using watch:

watch -t -n.1 "netstat -eetup --numeric-hosts --numeric-ports | grep sshd"

Example above executes netstat ten times a second giving desired output. DNS name resolving is also off. This watch works really nice, it shows all connections related to all sshd processes, and extended info switch shows also users which generate those connections. Netstat also shows some traffic information (Recv-Q and Send-Q).

You should adjust number of watch runs because it could generate quite big cpu usage (lsof and netstat both seems to generate lot of system calls tracing connections).

Those 2 command can be used as nice start to do regular accounting of such tunneled/proxied connections (but since I trust my proxy users I'm not going to implement it, just gonna stick with volume accounting).

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Main menu

Article | by Dr. Radut