SSH, or Secure Shell, provides encrypted channels for remote shell access, file transfers, and other services. Whenever someone connects to a server using SSH, the connection details are logged. This includes information about the user, IP address, time of access, and the method used for authentication.
Most Linux distributions automatically display the last login information after a successful SSH login. This serves as a security measure: a login time or source address the user does not recognize points to unauthorized access. If the message is suppressed or not shown by default, you can retrieve the same information manually from the system logs or with the commands below.
Monitoring and keeping track of SSH logins is crucial for maintaining system integrity and security. Regularly checking the SSH logins can help in identifying any unauthorized access attempts or breaches.
$ last -1 -i $USER
john     pts/1        192.168.1.103    Wed Sep 8 10:15   still logged in
This command retrieves the last login session of the specified user, and the -i option shows the source as an IP address. To see more entries, change the number in the -1 option.
$ lastlog
Username         Port     From             Latest
root             pts/1    192.168.1.101    Wed Sep 8 09:30:15 -0500 2023
john             pts/2    192.168.1.102    Wed Sep 8 09:35:10 -0500 2023
If you're interested in a particular user's history, use lastlog -u username.
$ sudo grep 'sshd' /var/log/auth.log
Ensure you have the appropriate permissions to read the /var/log/auth.log file. On some systems, the same entries are written to /var/log/secure instead.
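The grep above returns every sshd line, which is hard to read on a busy host. The following added example (not part of the original page) reduces those lines to one record per authentication result and counts failed attempts per source address. It assumes the traditional syslog timestamp format ("Sep  8 09:30:15") and OpenSSH's usual "Accepted"/"Failed" messages; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample lines are constructed:
# host name, PIDs, users and addresses are made up.
sample_log() {
cat <<'EOF'
Sep  8 09:30:15 srv sshd[1201]: Accepted publickey for root from 192.168.1.101 port 50122 ssh2
Sep  8 09:35:10 srv sshd[1244]: Accepted password for john from 192.168.1.102 port 50344 ssh2
Sep  8 09:41:02 srv sshd[1290]: Failed password for john from 203.0.113.7 port 41000 ssh2
Sep  8 09:41:05 srv sshd[1290]: Failed password for invalid user admin from 203.0.113.7 port 41002 ssh2
Sep  8 09:41:09 srv sshd[1291]: Failed password for invalid user admin from 203.0.113.7 port 41010 ssh2
Sep  8 09:42:00 srv CRON[1300]: pam_unix(cron:session): session opened for user root
EOF
}

# ssh_events: log text on stdin -> one line per authentication result:
#   RESULT METHOD USER SOURCE_IP ACCOUNT MONTH DAY TIME
ssh_events() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        # "invalid user" adds two words before the name, so find "from"
        # instead of relying on a fixed field number.
        from = 0
        for (i = 10; i <= NF; i++) if ($i == "from") { from = i; break }
        if (from == 0 || from == NF) next
        account = ($9 == "invalid" && $10 == "user") ? "invalid-user" : "-"
        print $6, $7, $(from - 1), $(from + 1), account, $1, $2, $3
    }'
}

# failed_by_ip: log text on stdin -> "COUNT IP", most failures first.
failed_by_ip() {
    ssh_events |
        awk '$1 == "Failed" { n[$4]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Demo on the constructed sample. On a real host, feed the log instead:
#   sudo cat /var/log/auth.log | failed_by_ip
sample_log | ssh_events
```

A source address with many failures, especially against accounts marked invalid-user, is worth comparing against the Accepted lines to confirm none of those attempts succeeded.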
By regularly monitoring and reviewing the SSH login information, system administrators can identify potential security threats, making it an essential routine in server management.