Monitoring active connections to an SSH server is important for managing security and server performance. Knowing who is connected to your server helps in identifying unauthorized access and monitoring user activity. This process is essential for preventing potential security breaches and ensuring that server resources are used appropriately.
Several tools in Linux allow you to check active connections. These tools provide different types of information, such as user activity, connection details, and network statistics. Each tool offers specific insights that help you maintain control over your server environment.
Reviewing past login activities is also crucial. It allows you to identify patterns or repeated unauthorized access attempts. Combining different tools provides a comprehensive view of SSH connection activity, making it easier to monitor and secure your server.
Steps to monitor active SSH connections on a Linux server:
- Use the who command to see a list of users currently logged into the server.
    $ who
    user1    pts/0    2024-08-20 10:25 (192.168.1.10)
    user2    pts/1    2024-08-20 11:00 (192.168.1.11)
- Run the w command to get detailed information about active users and their activities.
    $ w
     10:35:50 up  2:14,  2 users,  load average: 0.10, 0.20, 0.15
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    user1    pts/0    192.168.1.10     10:25    1:00   0.01s  0.00s bash
    user2    pts/1    192.168.1.11     11:00    0.20s  0.01s  0.00s sshd
- Use the ss command to view established SSH connections.
    $ ss -t | grep ssh
    ESTAB  0  0  192.168.1.10:ssh  192.168.1.1:52022
    ESTAB  0  0  192.168.1.11:ssh  192.168.1.2:54012
- Install and run iftop to monitor live network traffic on your server.
    $ sudo apt-get install iftop
    $ sudo iftop -i eth0
    192.168.1.10  =>  192.168.1.1   0b    1.26Kb  1.08Kb
                  <=                96b   2.01Kb  1.90Kb
    192.168.1.11  =>  192.168.1.2   0b    2.00Kb  1.95Kb
                  <=                200b  3.50Kb  3.30Kb
- Use the lastlog command to review the most recent login activity for all users.
    $ lastlog
    Username  Port   From          Latest
    user1     pts/0  192.168.1.10  Mon Aug 20 10:25:00 +0000 2024
    user2     pts/1  192.168.1.11  Mon Aug 20 11:00:00 +0000 2024
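Combining the tools above, as an added example that is not part of the original article: the script below cross-checks the peers reported by ss against the remote hosts reported by who and lists any peer that holds an SSH connection without a login session. The function names, the sample addresses and the use of numeric output (ss -tn) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article). All sample data is constructed.
# On a live host, pass "$(ss -tn)" and "$(who)" instead of the samples.

sample_ss() {   # constructed `ss -tn` output
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      192.0.2.5:22        198.51.100.10:52022
ESTAB  0      0      192.0.2.5:22        198.51.100.11:54012
ESTAB  0      0      192.0.2.5:22        203.0.113.7:40112
ESTAB  0      0      192.0.2.5:443       203.0.113.9:41000
EOF
}

sample_who() {  # constructed `who` output
cat <<'EOF'
user1    pts/0        2024-08-20 10:25 (198.51.100.10)
user2    pts/1        2024-08-20 11:00 (198.51.100.11)
EOF
}

# Peer addresses of established connections to the local SSH port (default 22).
ssh_peers() {
  awk -v port="${1:-22}" '
    $1 == "ESTAB" && $4 ~ (":" port "$") {
      sub(/:[0-9]+$/, "", $5)      # drop the peer port
      gsub(/^\[|\]$/, "", $5)      # drop IPv6 brackets
      print $5
    }' | sort -u
}

# Remote hosts of logged-in sessions, taken from the "(host)" field of who.
who_hosts() {
  awk 'match($0, /\([^)]+\)$/) { print substr($0, RSTART + 1, RLENGTH - 2) }' | sort -u
}

# Peers holding an SSH connection that has no matching login session.
# $1 = ss output, $2 = who output, $3 = optional sshd port.
peers_without_login() {
  logged_in=$(printf '%s\n' "$2" | who_hosts)
  printf '%s\n' "$1" | ssh_peers "${3:-22}" | while read -r ip; do
    printf '%s\n' "$logged_in" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

peers_without_login "$(sample_ss)" "$(sample_who)"
```

A peer listed here is not automatically hostile: connections that have not finished authenticating and sessions without a terminal (scp, sftp, port forwarding only) appear in ss but not in who, so treat the output as a list of connections to check against the sshd log.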
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.