Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dorkamotorka/ebpf-ssh-guardian
Monitoring SSH Sessions using eBPF
Last synced: 16 days ago
- Host: GitHub
- URL: https://github.com/dorkamotorka/ebpf-ssh-guardian
- Owner: dorkamotorka
- License: gpl-2.0
- Created: 2024-08-09T09:47:06.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-08-09T11:58:22.000Z (5 months ago)
- Last Synced: 2024-08-09T12:51:44.020Z (5 months ago)
- Language: C
- Size: 686 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ebpf-ssh-guardian
Monitoring SSH Sessions using eBPF

## eBPF Attachment
First, we need to figure out where to attach our eBPF program to track logins.
Since we are interested in SSH, `sshd` (the SSH daemon) is the place to start. We find its PID using: `ps faux | grep sshd`.
Once we have the PID, we can check the shared libraries it has mapped using: `sudo cat /proc//maps`
We see that it uses e.g. `/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1`, which is Linux PAM (Pluggable Authentication Modules for Linux).
We can list the symbol table of the library and find the function we want to track using: `sudo readelf -s --wide /proc//root/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1`
We verify the function we are looking for against the GitHub source code, which also helps us understand the function parameters so we can read them inside the eBPF program (a uprobe on a userspace function only sees the raw register and stack arguments, so the prototype must be known).
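The reconnaissance steps above (find `sshd`, list the shared objects it has mapped, look for PAM functions in the library's symbol table) as a small POSIX shell script. This is an added example, not code from the ebpf-ssh-guardian repository: the function names `sshd_pids`, `mapped_libs`, `pam_symbols` and `sample_maps` are this example's own, the `/proc/<pid>/maps` excerpt it ships with is constructed for demonstration, and on a real host `mapped_libs` would be pointed at `/proc/<pid>/maps` of a `pgrep`-found `sshd` process (which needs root).

```shell
#!/bin/sh
# Added example (not from the ebpf-ssh-guardian repo): the README's manual
# "where do I attach?" steps as reusable functions.

# Print every PID whose command name is exactly sshd: the listener plus one
# privileged and one unprivileged child per open session.
sshd_pids() {
    pgrep -x sshd
}

# Print the unique shared objects mapped into a process, given the path of its
# /proc/<pid>/maps file (or any file in the same six-column format).
# Columns: address perms offset dev inode pathname. A library is mapped several
# times (r--p, r-xp, rw-p segments), so duplicates are dropped in order of
# first appearance; anonymous mappings and [stack]/[heap] have no .so suffix.
mapped_libs() {
    awk 'NF >= 6 && $6 ~ /\.so(\.[0-9]+)*$/ && !seen[$6]++ { print $6 }' "$1"
}

# Print the exported pam_* functions of a shared object, sorted and unique.
# readelf -s --wide columns: Num: Value Size Type Bind Vis Ndx Name.
pam_symbols() {
    readelf -s --wide "$1" | awk '$4 == "FUNC" && $8 ~ /^pam_/ { print $8 }' | sort -u
}

# Write a constructed /proc/<pid>/maps excerpt to the given file. The addresses
# and inode numbers are made up; the layout matches what the kernel prints.
sample_maps() {
    cat > "$1" <<'EOF'
55d4c3a00000-55d4c3a5b000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f2a1c000000-7f2a1c010000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
7f2a1c010000-7f2a1c020000 r-xp 00010000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
7f2a1c100000-7f2a1c2a0000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c300000-7f2a1c301000 rw-p 00000000 00:00 0
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Offline demonstration on the constructed excerpt; on a live host replace the
# temp file with /proc/$(sshd_pids | head -n 1)/maps and run pam_symbols on
# the libpam path that mapped_libs prints.
demo_file=$(mktemp)
sample_maps "$demo_file"
echo "shared objects mapped into the sample process:"
mapped_libs "$demo_file"
rm -f "$demo_file"
```

The two libpam segments collapse to one line and `/usr/sbin/sshd` itself is skipped, so the output of the demo is exactly the two libraries a uprobe could be attached to; `pam_symbols` then narrows the PAM library down to the `pam_*` entry points whose prototypes are checked against the Linux-PAM source before writing the eBPF side.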