SSH, or Secure Shell, provides encrypted channels for remote shell access, file transfers, and other services. Whenever someone connects to a server using SSH, the connection details are logged. This includes information about the user, IP address, time of access, and the method used for authentication.
Most Linux distributions will automatically display the last login information upon successful SSH access. This serves as a security measure to notify users of any unauthorized access attempts. However, if for any reason the message is suppressed or not shown by default, you can manually retrieve this information from the system logs or by using a specific command.
Monitoring and keeping track of SSH logins is crucial for maintaining system integrity and security. Regularly checking the SSH logins can help in identifying any unauthorized access attempts or breaches.
Steps to display the last SSH login:
- Connect to the desired server using SSH.
- Once logged in, enter the following command to display the last login details:
$ last -1 -i $USER
- The output will show the most recent login attempt, the IP address, date, and duration.
$ last -1 -i $USER john pts/1 192.168.1.103 Wed Sep 8 10:15 still logged in
This command retrieves the last login session of the specified user. If you wish to see more entries, adjust the number after the -1 parameter.
- To get a more detailed login history, you can use:
$ lastlog
- This will provide a list of users and their last login details.
Username Port From Latest root pts/1 192.168.1.101 Wed Sep 8 09:30:15 -0500 2023 john pts/2 192.168.1.102 Wed Sep 8 09:35:10 -0500 2023
If you're interested in a particular user's history, use lastlog -u username.
- To further inspect SSH logins, check the auth logs:
$ sudo cat /var/log/auth.log | grep 'sshd'
Ensure you have the appropriate permissions to access the /var/log/auth.log file. On some systems, this file might be under /var/log/secure.
By regularly monitoring and reviewing the SSH login information, system administrators can identify potential security threats, making it an essential routine in server management.
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.
Comment anonymously. Login not required.