SSH is a protocol used for secure remote access to a server. Each time a user logs into a Linux server via SSH, the server records details of the login, including the user’s identity, the IP address used, and the time of access. Reviewing this login history is essential for maintaining the security and integrity of the server.
By default, most Linux systems display the last login information immediately after a user logs in via SSH. This information helps users detect any unauthorized access attempts. If the last login details are not displayed, you can manually retrieve this data from system logs.
Regularly checking SSH login history allows administrators to identify unauthorized access attempts. Monitoring these logs is crucial for protecting the server from potential security breaches.
Steps to display the last SSH login:
- Open the terminal of your SSH server.
- Display the details of the latest login.
$ last -1 -i username
john pts/1 192.168.1.103 Wed Sep 8 10:15 still logged in
This command retrieves the last login session of the specified user. To see more entries, change the number in the -1 option.
- Use the lastlog command to get a more detailed login history.
$ lastlog
Username    Port     From             Latest
root        pts/1    192.168.1.101    Wed Sep 8 09:30:15 -0500 2023
john        pts/2    192.168.1.102    Wed Sep 8 09:35:10 -0500 2023
If you're interested in a particular user's history, use lastlog -u username.
- Check the authentication logs to inspect SSH-specific logins.
$ sudo grep 'ssh' /var/log/auth.log
Ensure you have the appropriate permissions to read the /var/log/auth.log file. On some systems, this log might be /var/log/secure instead.
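The grep above returns every line that mentions ssh. The following added example (not part of the original article) narrows that output to successful logins and to failed password attempts counted per source address. It assumes the standard OpenSSH syslog message format; the function names and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise sshd entries from an auth log.
# Both functions read the file given as an argument, or stdin if none is given.

# Print "user ip method" for every successful SSH login.
ssh_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        # Layout: Accepted <method> for <user> from <ip> port <n> ssh2
        print $(i+3), $(i+5), $(i+1)
    }' "$@"
}

# Print "count ip" for failed password attempts, busiest source first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password / {
        ip = ""
        # Take the last "from" so "invalid user <name>" lines parse the same way.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i+1)
        if (ip != "") n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' "$@" | sort -rn
}

# Constructed sample lines (not real data), including one non-sshd entry.
sample_log() {
    cat <<'EOF'
Sep  8 09:30:15 server sshd[1201]: Accepted password for root from 192.168.1.101 port 50122 ssh2
Sep  8 09:35:10 server sshd[1240]: Accepted publickey for john from 192.168.1.102 port 50344 ssh2
Sep  8 09:41:02 server sshd[1302]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Sep  8 09:41:05 server sshd[1302]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  8 09:52:44 server sshd[1377]: Failed password for john from 198.51.100.9 port 33210 ssh2
Sep  8 10:15:00 server CRON[1400]: pam_unix(cron:session): session opened for user root
EOF
}

echo "Successful logins (user ip method):"
sample_log | ssh_accepted
echo "Failed password attempts (count ip):"
sample_log | ssh_failed_by_ip
```

On a real server, pass the log path instead of the sample, for example `sudo cat /var/log/auth.log | ssh_failed_by_ip`.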
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.