Monitoring and auditing SSH connection attempts

Instructor: Mark Shust
Published 6 years ago
Updated 4 years ago

Learn how to audit SSH logs and trails to ensure your remote host has not been compromised. The lastlog command supports your audit trail by helping you scrutinize possibly undesired connection attempts.

Instructor: [00:00] Connection attempts are logged to /var/log/auth.log. Open that file and you will be able to see authentication attempts to the server, including the user that tried to log in, the IP address of the connection attempt, the port used, and other information.

[00:20] Type lastlog. This command will show you the most recent login attempt for all users. To find the last login for a specific user, type lastlog -u, followed by the username. You can use a combination of monitoring writes to the auth.log file, along with the lastlog command, as tools in your arsenal to audit or monitor SSH connection attempts.

[00:46] If you are concerned that someone has accessed the server with a specific username, you can log into that user account and view their Bash history file. This .bash_history file within a user's home directory will contain every command that was ever executed within a Bash prompt. You can use this history of executed commands to further scrutinize any possible unauthorized SSH connection attempts.