Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dorkamotorka/ebpf-ssh-guardian

Monitoring SSH Sessions using eBPF
Last synced: 16 days ago

README


# ebpf-ssh-guardian
Monitoring SSH Sessions using eBPF

## eBPF Attachment

First, we need to figure out where to attach our eBPF program to track logins.

Since we are interested in SSH, `sshd` (the SSH daemon) is the place to start. We find its PID with: `ps faux | grep sshd`.

Once we have the PID, we can list the shared libraries mapped into the process with: `sudo cat /proc//maps`

We see that it maps e.g. `/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1`, which is Linux PAM (Pluggable Authentication Modules).

We can list the library's symbol table and find the candidate function we want to track using: `sudo readelf -s --wide /proc//root/usr/lib/x86_64-linux-gnu/libpam.so.0.85.1` (reading the file through the process's `/proc//root` makes sure we inspect exactly the copy of the library that `sshd` has loaded, even if it runs in a chroot or container).

We verify that it is the right function by reading the GitHub source code, which also helps us understand the function's parameters so we can read them inside the eBPF program.
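The steps above, scripted end to end, as an added example that is not part of the ebpf-ssh-guardian project: the two helper functions parse `/proc/<pid>/maps` and `readelf -s --wide` output to narrow a library's symbol table down to exported, defined functions with a given prefix (the candidate uprobe attachment points), and `inspect_sshd` runs them against a live `sshd` if one is present and readable. The sample maps and symbol-table text are constructed for offline demonstration (the addresses, inode numbers and symbol values are made up); the script assumes `pgrep`, `awk` and `readelf` are installed and that `/proc/<pid>/maps` is readable, which normally requires root.

```shell
#!/bin/sh
# Added example, not from the ebpf-ssh-guardian project: locate the shared
# library a process has mapped and list the exported functions in it that
# could serve as uprobe attachment points.

# Print unique paths of mapped files in a /proc/<pid>/maps-formatted file $1
# whose path matches the awk regex $2. Column 6 of a maps line is the path;
# anonymous mappings have no column 6 and are skipped automatically.
libs_from_maps() {
    awk -v pat="$2" '$6 ~ pat { print $6 }' "$1" | sort -u
}

# Print defined, global FUNC symbols from `readelf -s --wide` output in file
# $1 whose name starts with prefix $2. readelf columns are:
# Num Value Size Type Bind Vis Ndx Name. Undefined imports (Ndx == UND) are
# dropped and symbol-version suffixes such as @@LIBPAM_1.0 are stripped.
funcs_from_readelf() {
    awk -v pre="$2" '
        $4 == "FUNC" && $5 == "GLOBAL" && $7 != "UND" {
            name = $8
            sub(/@.*/, "", name)
            if (index(name, pre) == 1) print name
        }' "$1" | sort -u
}

# Live use: find the oldest sshd process, read its maps, and list pam_*
# functions from libpam, resolving the library through /proc/<pid>/root so we
# inspect the exact copy sshd loaded. Silently does nothing when sshd is absent.
inspect_sshd() {
    pid=$(pgrep -o -x sshd 2>/dev/null) || return 0
    [ -n "$pid" ] || return 0
    if [ ! -r "/proc/$pid/maps" ]; then
        echo "cannot read /proc/$pid/maps (run as root)" >&2
        return 0
    fi
    for lib in $(libs_from_maps "/proc/$pid/maps" 'libpam[.]so'); do
        echo "sshd pid $pid maps $lib"
        syms=$(mktemp)
        readelf -s --wide "/proc/$pid/root$lib" > "$syms" 2>/dev/null
        funcs_from_readelf "$syms" pam_ | sed 's/^/  candidate uprobe target: /'
        rm -f "$syms"
    done
}

# Constructed sample data (not captured from a real host) so the helpers can be
# exercised without sshd or root.
SAMPLE_MAPS=$(mktemp)
SAMPLE_SYMS=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS" "$SAMPLE_SYMS"' EXIT
cat > "$SAMPLE_MAPS" <<'EOF'
55d1c3a00000-55d1c3a2e000 r--p 00000000 fd:01 1234 /usr/sbin/sshd
7f2a1c000000-7f2a1c021000 rw-p 00000000 00:00 0
7f2a1c200000-7f2a1c20e000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
7f2a1c20e000-7f2a1c215000 r-xp 0000e000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
7f2a1c300000-7f2a1c322000 r--p 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6
EOF
cat > "$SAMPLE_SYMS" <<'EOF'
Symbol table '.dynsym' contains 5 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.2.5 (2)
     2: 0000000000004c10   233 FUNC    GLOBAL DEFAULT   12 pam_authenticate@@LIBPAM_1.0
     3: 0000000000005a30    88 FUNC    GLOBAL DEFAULT   12 pam_get_user@@LIBPAM_1.0
     4: 0000000000002120    40 FUNC    LOCAL  DEFAULT   12 _pam_internal_helper
EOF

echo "sample maps -> $(libs_from_maps "$SAMPLE_MAPS" 'libpam[.]so')"
echo "sample symbols -> $(funcs_from_readelf "$SAMPLE_SYMS" pam_ | tr '\n' ' ')"
inspect_sshd
```

On the constructed data the first helper collapses the two `libpam.so.0.85.1` mappings into one path, and the second keeps only `pam_authenticate` and `pam_get_user`: the imported `strlen` is undefined in this object and the local helper is not exported, so neither is a usable uprobe target. Run the script as root on a host with `sshd` to see the same filtering applied to the real library.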