Monitoring active connections to an SSH server keeps administrative access under control and reveals who is logged in at any moment. Continuous visibility of interactive sessions and their source addresses reduces the chance of unnoticed compromises and helps explain unexpected activity on a host.
On Linux, tools such as who, w, ss, iftop, and lastlog read from session databases, kernel socket tables, and login records to expose both user-level and network-level information. Combining these views shows which accounts are connected, which processes handle each connection, and how much traffic flows through the SSH service.
Accurate interpretation of this data depends on the environment, especially when jump hosts, VPNs, or network address translation hide client addresses. Some commands require sudo to read kernel or log structures, and running them on busy servers can briefly add load. Consistent monitoring and comparison against expected patterns provide early warning of suspicious SSH activity without interrupting legitimate administration.
Steps to monitor active SSH connections on a Linux server:
- Open a terminal session on the Linux server with an account that can use sudo.
```
$ ssh user@host.example.net
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.12.54-linuxkit aarch64)
##### snipped #####
```
Use a dedicated administrative account so access remains auditable in login records.
- Use the who command to list currently logged-in sessions and their source addresses.
```
$ who
user     pts/1        Dec 29 21:57 (203.0.113.10)
user     pts/0        Dec 29 21:57 (203.0.113.11)
```
Entries with pts TTYs usually represent interactive SSH logins.
- Run the w command for more detail about active users and what each session is doing.
```
$ w
 21:57:47 up 9 days, 23:26,  1 user,  load average: 0.59, 0.35, 0.32
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user              203.0.113.10     21:57   19:17m  0.00s  0.01s sshd: user [priv]
```
Columns such as IDLE and WHAT help identify stuck sessions and unexpected commands.
- Inspect established SSH TCP sessions using ss and a simple filter.
```
$ sudo ss --tcp | grep ssh
ESTAB 0      0      203.0.113.10:34402   203.0.113.50:ssh
ESTAB 0      0      203.0.113.50:ssh     203.0.113.10:34402
```
Output shows local and remote addresses for each SSH connection along with its state.
- Include process information in the socket listing to see which sshd worker owns each connection.
```
$ sudo ss --tcp --process | grep sshd
ESTAB 0      0      203.0.113.50:ssh     203.0.113.10:34402   users:(("sshd",pid=7699,fd=4),("sshd",pid=7680,fd=4))
```
PID values correlate sockets with entries in tools such as ps, top, or htop.
- Install iftop on Ubuntu or Debian if live bandwidth monitoring of SSH traffic is required.
```
$ sudo apt-get update && sudo apt-get install --assume-yes iftop
```
Use the appropriate package manager, such as dnf or zypper, on non-Debian systems.
- Run iftop on the interface that carries SSH traffic to observe per-connection bandwidth usage in real time.
```
$ sudo iftop -i lo -t -s 2 -o 2s -L 5
interface: lo
IP address is: 127.0.0.1
IPv6 address is: ::1
MAC address is: 00:00:00:00:00:00
Listening on lo
##### snipped #####
```
Use the interface that carries SSH traffic in your environment (for example eth0 on a server or lo for local testing).
- Review most recent login times and source IPs with lastlog to correlate current sessions with past activity.
```
$ sudo lastlog -u user
Username         Port     From                Latest
user             pts/1    203.0.113.10        Mon Dec 29 21:57:17 +0000 2025
```
Unexpected logins from unfamiliar addresses or times can indicate compromised credentials.
- Verify the connection overview by comparing usernames from who with remote addresses from ss and bandwidth patterns in iftop.
Terminate or force logout suspicious sessions using the procedure in How to force logout a user in Linux to limit potential impact.
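As an added example that is not part of the original article, the POSIX shell function below performs the correlation described in the last step on captured command output: it pairs each `who` entry that carries a source address with the sshd PIDs from `ss --tcp --process` whose peer is that address, and flags sources outside an allow list. The embedded who and ss output, the second socket for 203.0.113.11, and the allow list are constructed; on a live host pass it the real `who` and `sudo ss --tcp --process` output.

```shell
#!/bin/sh
# Added example, not from the original article: correlate `who` sessions with
# `ss --tcp --process` sockets and flag source addresses outside an allow list.

# Constructed sample output modelled on the article's values; the second ss
# line (peer 203.0.113.11) is invented so that each who entry has a socket.
WHO_SAMPLE='user     pts/1        Dec 29 21:57 (203.0.113.10)
user     pts/0        Dec 29 21:57 (203.0.113.11)
root     tty1         Dec 29 08:12'
SS_SAMPLE='ESTAB 0 0 203.0.113.50:ssh 203.0.113.10:34402 users:(("sshd",pid=7699,fd=4),("sshd",pid=7680,fd=4))
ESTAB 0 0 203.0.113.50:ssh 203.0.113.11:51022 users:(("sshd",pid=7710,fd=4),("sshd",pid=7702,fd=4))'

# Addresses administrators are expected to connect from (assumption: replace
# with the jump hosts or VPN egress addresses used in your environment).
ALLOWED='203.0.113.10'

# ssh_sessions WHO_OUTPUT SS_OUTPUT
# Prints one line per remote session: "user source sshd_pids ok|unexpected".
# Console logins (no address in parentheses) are skipped.
ssh_sessions() {
  printf '%s\n' "$1" | while read -r line; do
    [ -n "$line" ] || continue
    user=${line%% *}
    src=${line##* }
    case "$src" in
      \(*\)) src=${src#\(}; src=${src%\)} ;;
      *) continue ;;
    esac
    # PIDs of the sshd processes holding a socket whose peer is this address.
    pids=$(printf '%s\n' "$2" | grep -F " ${src}:" | grep -o 'pid=[0-9]*' \
      | cut -d= -f2 | paste -s -d, -)
    status=unexpected
    for a in $ALLOWED; do
      if [ "$a" = "$src" ]; then status=ok; fi
    done
    printf '%s %s %s %s\n' "$user" "$src" "${pids:-none}" "$status"
  done
}

# On a live host: ssh_sessions "$(who)" "$(sudo ss --tcp --process)"
ssh_sessions "$WHO_SAMPLE" "$SS_SAMPLE"
```

A session reported as `unexpected` or with `none` for its PIDs (an entry in `who` with no matching established socket) is the one to investigate first, using the PIDs to find the corresponding sshd process in ps or top.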
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
