SSLH is an SSL/SSH multiplexer. If you want to run SSH on port 443 (to bypass restrictions?) and run an HTTPS server there as well, this is the program for you. Unfortunately, this makes the connections appear to come from 127.0.0.1, because sslh accepts the connection and forwards it locally. I don't run a serious HTTPS server so no problem about that, but I would like to know where the SSH connections are coming from.
In this post I will detail how I configured the logging on a Debian Lenny system using rsyslog, logrotate and Logwatch. SSLH logs to syslog, it will be filtered using rsyslog configuration to its own separate log (so it doesn't get lost in the noise in auth.log). The new SSLH log file also needs to be rotated so it doesn't grow too large. Logwatch will then be configured to read the SSLH log file for SSH connections.
This just filters on the program name (sslh) into its own log file and stops further processing of those messages, so they don't also end up in the default destination (auth.log).
Keep 4 files, rotating weekly. No error if the log file is missing, and don't rotate if it is empty. Compress rotated files with gzip, but delay compression of the most recent one (log.0).
Logwatch log files definition
This file specifies a set of log files for sslh. This is separate from the service definition. The date format is the standard syslog date format. Logwatch already comes with a date range filter for this format.
Logwatch service definition
Not much config here, just the title and the name of the log file set.
Logwatch service script
This filters the log file. Logwatch has already run the log file through ApplyStdDate, so all this script needs to do is drop the connections that were forwarded to the SSL side and keep the ones forwarded to SSH.
Summarization and separate detail levels in the service script is left as an exercise to the reader :)
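Here is an added example of such a Logwatch service script (my own illustration, not the script from the original post) that does the filtering from above and also the per-source summarization with detail levels. It assumes sslh log lines of the form `connection from SRC:PORT ... forwarded ... to 127.0.0.1:22` (check against what your sslh version actually writes), IPv4 sources, and that SSH connections are the ones whose final destination port is 22.

```perl
#!/usr/bin/perl
# Hypothetical Logwatch service script for sslh (added example).
# Logwatch pipes the date-filtered log lines to STDIN and exports the
# configured detail level in $ENV{'LOGWATCH_DETAIL_LEVEL'}.
use strict;
use warnings;

my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;

# Assumption: connections forwarded to this port are the SSH ones;
# everything else (the HTTPS backend) is dropped, as the post describes.
my $ssh_port = 22;

my %by_source;   # source IP -> number of SSH connections
my @detail;      # one entry per SSH connection, for higher detail levels
my @unmatched;   # lines that did not look like sslh connection lines

while (my $line = <STDIN>) {
    chomp $line;
    next if $line eq '';
    # Assumed format: "... connection from SRC:SPORT ... forwarded ... to DST:DPORT"
    if ($line =~ /connection from ([^\s:]+):(\d+)\s.*forwarded .*?to ([^\s:]+):(\d+)\s*$/) {
        my ($src, $sport, $dst, $dport) = ($1, $2, $3, $4);
        next unless $dport == $ssh_port;       # skip connections forwarded to SSL
        $by_source{$src}++;
        push @detail, "$src:$sport -> $dst:$dport";
    } else {
        push @unmatched, $line;
    }
}

if (%by_source) {
    print "SSH connections via sslh:\n";
    # Most active source first, then alphabetically for stable output.
    for my $src (sort { $by_source{$b} <=> $by_source{$a} || $a cmp $b } keys %by_source) {
        printf "   %-40s %d Time(s)\n", $src, $by_source{$src};
    }
    if ($Detail >= 5) {
        print "\nIndividual connections:\n";
        print "   $_\n" for @detail;
    }
}

if (@unmatched && $Detail >= 10) {
    print "\nUnmatched entries:\n";
    print "   $_\n" for @unmatched;
}

exit 0;
```

Drop it into /etc/logwatch/scripts/services/ under the same name as the service definition; the unmatched lines at detail level 10 are the quickest way to notice that your sslh version logs a different line format than the regex assumes.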