Monitoring active connections to an SSH server is important for managing security and server performance. Knowing who is connected to your server helps in identifying unauthorized access and monitoring user activity. This process is essential for preventing potential security breaches and ensuring that server resources are used appropriately.

Several tools in Linux allow you to check active connections. These tools provide different types of information, such as user activity, connection details, and network statistics. Each tool offers specific insights that help you maintain control over your server environment.

Reviewing past login activities is also crucial. It allows you to identify patterns or repeated unauthorized access attempts. Combining different tools provides a comprehensive view of SSH connection activity, making it easier to monitor and secure your server.

Steps to monitor active SSH connections on a Linux server:

  1. Use the who command to see a list of users currently logged into the server.
    $ who
    user1    pts/0        2024-08-20 10:25 (192.168.1.10)
    user2    pts/1        2024-08-20 11:00 (192.168.1.11)
  2. Run the w command to get detailed information about active users and their activities.
    $ w
    10:35:50 up  2:14,  2 users,  load average: 0.10, 0.20, 0.15
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    user1    pts/0    192.168.1.10      10:25    1:00   0.01s  0.00s bash
    user2    pts/1    192.168.1.11      11:00    0.20s  0.01s  0.00s sshd
  3. Use the ss command to view established SSH connections.
    $ ss -t | grep ssh
    ESTAB   0      0      192.168.1.10:ssh  192.168.1.1:52022
    ESTAB   0      0      192.168.1.11:ssh  192.168.1.2:54012
  4. Install and run iftop to monitor live network traffic on your server.
    $ sudo apt-get install iftop
    $ sudo iftop -i eth0
    192.168.1.10          => 192.168.1.1             0b    1.26Kb  1.08Kb
                          <=                        96b    2.01Kb  1.90Kb
    192.168.1.11          => 192.168.1.2             0b    2.00Kb  1.95Kb
                          <=                        200b   3.50Kb  3.30Kb
  5. Use the lastlog command to review the most recent login activity for all users.
    $ lastlog
    Username         Port     From             Latest
    user1            pts/0    192.168.1.10     Mon Aug 20 10:25:00 +0000 2024
    user2            pts/1    192.168.1.11     Mon Aug 20 11:00:00 +0000 2024
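
The steps above can be combined: who and w list only sessions that have a terminal, so an SSH connection used for sftp, scp, port forwarding or a single remote command appears in ss but not in who. The script below is an added example, not part of the original article; it lists peers that hold an established SSH connection without a matching login session. It assumes sshd listens on TCP port 22 and that GNU who (with its --ips option) is available; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.
# Assumption: sshd listens on TCP port 22.

# Constructed output of: ss -Htn state established '( sport = :22 )'
# Columns: Recv-Q  Send-Q  Local:Port  Peer:Port
SS_SAMPLE='0      0      192.168.1.5:22     192.168.1.10:52022
0      0      192.168.1.5:22     192.168.1.11:54012
0      0      192.168.1.5:22     192.168.1.99:40110'

# Constructed output of: who --ips
WHO_SAMPLE='root     tty1         2024-08-20 09:00
user1    pts/0        2024-08-20 10:25 (192.168.1.10)
user2    pts/1        2024-08-20 11:00 (192.168.1.11)'

# ssh_peers: ss lines on stdin -> unique peer addresses
# (port suffix and IPv6 brackets removed)
ssh_peers() {
    awk 'NF { p = $NF
              sub(/:[0-9]+$/, "", p); sub(/^\[/, "", p); sub(/\]$/, "", p)
              print p }' | sort -u
}

# login_hosts: who lines on stdin -> unique remote hosts
# (the parenthesised last field; console logins have none and are skipped)
login_hosts() {
    awk '$NF ~ /^\(.*\)$/ { h = $NF; gsub(/[()]/, "", h); print h }' | sort -u
}

# unmatched_peers SS_TEXT WHO_TEXT
# Prints every peer with an established SSH connection but no login session.
unmatched_peers() {
    hosts=$(printf '%s\n' "$2" | login_hosts)
    printf '%s\n' "$1" | ssh_peers | while IFS= read -r peer; do
        printf '%s\n' "$hosts" | grep -qxF -- "$peer" || printf '%s\n' "$peer"
    done
}

# Run against the constructed samples; prints 192.168.1.99
unmatched_peers "$SS_SAMPLE" "$WHO_SAMPLE"

# Live use on the server:
#   unmatched_peers "$(ss -Htn state established '( sport = :22 )')" "$(who --ips)"
```

A reported address is a connection worth identifying, not proof of intrusion; file transfers and tunnels from known hosts will show up here as well.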