Home Linux Server SSH Proxy Configuration Guide

SSH Proxy Configuration Guide

by Thạch Phạm
configure SSH Proxy

About SSH Proxy

Welcome back to the documentation channel of AZDIGI. In today’s article, AZDIGI will introduce you to SSH Proxy so that you can build it on your own server for monitoring the work history of employees, logging executed commands and their returned results.

SSH Proxy Functions

  • Log employee SSH information such as login time, user login, server IP…
  • Log the commands typed through SSH and their output.
  • The administrator can check the rta log in case of need.

SSH Proxy Operation Model

For example, your unit is a large system, every morning when employees go to work, they will use personal devices with the granted user to access the system to work. Therefore, all employees must SSH via SSH proxy to get inside and the specific methods of logging information on the SSH proxy server are:

  • The servers/VPS that need to log in must implement IP restrictions to allow login and only login from the SSH Proxy’s IP
  • On SSH Proxy, grant the user staff to SSH into the Proxy server before SSHing into another server
  • On the server, the SSH proxy implements measures to log SSH information, commands and output…

For example:

  • SSH Proxy Server has IP:
  • Server needs SSH to work:

Steps to install SSH Proxy server

Step 1: Configure SSH to only allow authentication with SSH key

To configure to allow SSH Key authentication and not use the root password, you need to open the file sshd_config and edit it as follows:

AZDIGI Tutorial
vi  /etc/ssh/sshd_config
configure SSH Proxy

After fixing it, restart the sshd service with the following command:

AZDIGI Tutorial
systemctl restart sshd

Step 2: Configure Firewall

Please install the CSF firewall on the SSH Proxy server. If you haven’t done the installation, you can refer to the following instructions:

Then you open the /etc/csf/csf.conf file and correct it as follows:

AZDIGI Tutorial
vi /etc/csf/csf.conf
AZDIGI Tutorial
# Allow incoming TCP ports
TCP_IN = ""

# Allow outgoing
TCP por ts TCP_OUT = "53"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
UDP_OUT = "53"

Next, configure it to only allow SSH users whose IP is VPN IP at /etc/csf/csf.allow

AZDIGI Tutorial
tcp | in | d=22 | s= # VPN IP (Thay IP này bằng IP VPN của bạn)

Note: You can also create a file-name.allow file. Then include in /etc/csf/csf.allow

To configure not to track these VPN IPs in the file /etc/csf/csf.ignore

Note: You can also create a file-name.ignore file. Then include in /etc/csf/csf.ignore

Step 3: Install scripts to log the SSH session

1. log-session

  • Please create a /usr/local/sbin/log-session file and paste the following content:
AZDIGI Tutorial
vi /usr/local/sbin/log-session
  • File content log-session
 NOW=date +%Y -%m -%d.%H%M%S
 IP=echo $SSH_CLIENT | sed 's/ .*//'
 LOGDIR="/log -session"
 echo ======================================== >> $LOGFILE echo Starting interactive shell session by user $USER - IP: $IP - $NOW >>
 echo ======================================== >> $LOGFILE exec script -a -f -q
  • File permissions /usr/local/sbin/log-session
AZDIGI Tutorial
chmod 755 /usr/local/sbin/log-session

This script when run will get information about the user that is ssh in via the whoami command and get the ssh time using the date command. The script command will copy an SSH terminate copy to the log file.

This log-session script is called first when the SSH user enters by specifying the command in the public key file ($HOME/.ssh/.authorized_keys)

2. Script adduser

Create script vi /root/adduser.sh. This script is used to create users for technical members, the content is as follows:

AZDIGI Tutorial
vi /root/adduser.sh
  • Content adduser.sh
 Script add user to log ssh session
 PASSWORD=< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c12;echo
 if [ -z "$USER" ] || [ -z "$KEY_TYPE" ] || [ -z "$SSH_KEY" ]; then
 echo Error. User or SSH key is not empty exit 0
 useradd $USER -p $PASSWORD && echo Success create user $USER || echo Fail create user $USER
 mkdir -p /log-session/$USER
 touch $LOG_DIR/$USER/$USER.log && chmod 200 $LOG_DIR/$USER/$USER.log && chown $USER. $LOG_DIR/$USER/$USER.log && chattr +a $LOG_DIR/$USER/$USER.log && echo Success create and change permission log file || echo Fail create and change permission log file
 mkdir /home/$USER/.ssh && chown $USER. /home/$USER/.ssh && chmod 700 /home/$USER/.ssh && echo Success create /home/$USER/.ssh directory || echo Fail create /home/$USER/.ssh directory
 echo command=\"/usr/local/sbin/log-session\" $KEY_TYPE $SSH_KEY> /home/$USER/.ssh/authorized_keys && chmod 400 /home/$USER/.ssh/authorized_keys && chown -R $USER. /home/$USER/.ssh && chattr +i /home/$USER/.ssh/authorized_keys && echo Success create /home/$USER/.ssh/authorized_keys file || echo Fail create /home/$USER/.ssh/authorized_keys file
 echo Done!

This script is used to add a user when it is necessary to grant a user to a proxy user, and at the same time to add a public key, create a log file, and authorize the log file to prevent users from viewing and editing the log file. Detail:

  • Read user information, input the public key with the read command
  • Add user information via useradd
  • Create a directory containing log files for each user via the command mkdir -p /log-session/$USER
  • Create a log file for that user via touch


  • 200 with logfile
  • change the owner user/group to be that user
  • chattr +a log file so that users only add content without having the right to edit or delete content
  • Create directory /home/$USER/.ssh, give permission 700 for this directory.
  • Create the file /home/$USER/.ssh/authorized_keys, choose user/group as root.$USER with permission of 750. Permissions as above will help users only read files in /home/$USER/.ssh directory and cannot create more files in this directory. Add the content of the user’s public key in the format: command = “/usr/local/sbin/log-session” ssh-rsa AAAQE…… user@quandt@azdigi.vn
  • chattr +i /home/$USER/.ssh/authorized_keys so that users cannot edit this file

3. Create script log_rotate.sh

  • Create rotate log script at /root/log_rotate.sh and the following content:
AZDIGI Tutorial
vi /root/log_rotate.sh
 TIMESTAMP=date +%d-%m-%Y
 find $LOGDIR -name '*.log' -type f -size +$MAX_SIZE | while read LOGFILE
  • Permissions for scripts /root/log_rotate.sh
AZDIGI Tutorial
chmod 755 /root/log_rotate.sh
  • Add cronjob to automatically rotate log

Script used to rotate the log file, log files larger than the $MAX_SIZE variable will be rotated

AZDIGI Tutorial
0 2 * * * /root/log_rotate.sh > /dev/null

Step 4: Install on server/VPS need to log SSH session

On the server/VPS that needs to log SSH, it is necessary to limit SSH login, allowing only the SSH Proxy’s IP to be allowed in. Do the following:

On the server/VPS need to log SSH, go to/etc/ssh/sshd_config, add the following value to the end of the file.

AZDIGI Tutorial
vi /etc/ssh/sshd_config
AZDIGI Tutorial
Match Address  
PasswordAuthentication no 
PermitRootLogin yes 

Step 5: Create a user

To create a user, SSH into the proxy to work, and to create a user you do it with the following syntax:

In there:

  • username: Is the user of the user
  • ssh-dss AAAAB3…: That user’s public_key
AZDIGI Tutorial
./root/adduser.sh username ssh-dss AAAAB3...

Once the creation is complete, the user can use private key and user to ssh into the Proxy. And upload the Private key to ssh to other servers.


Hopefully, this article will help you set up a proxy system. from which you can better monitor the activities of employees when they log in to their work sessions.

If you need assistance, you can contact support in the ways below:

Đánh giá

Bài viết cùng chuyên mục

AZDIGI – Không chỉ là đơn vị hàng đầu trong lĩnh vực Web Hosting và Máy chủ, chúng tôi mong muốn mang lại những kiến thức bổ ích nhất và luôn cập nhật thường xuyên cho cộng đồng người đam mê thiết kế website, công nghệ,…

Vui lòng không sao chép nội dung nếu chưa xin phép. Designed and Developed by PenciDesign