    Monitoring and auditing SSH connection attempts

    Mark Shust

    Learn how to audit SSH logs and trails to ensure your remote host has not been compromised. The lastlog command will help you with your audit trail to help scrutinize possibly undesired connection attempts.







    Instructor: Connection attempts are logged to /var/log/auth.log. Open that file and you will be able to see authentication attempts to the server, including the user that tried to log in, the IP address of the connection attempt, the port used, and other information.

    Type lastlog. This command will show you the most recent login attempt for all users. To find the last login for a specific user, type lastlog -u, followed by the username. You can use a combination of monitoring writes to the auth.log file, along with the lastlog command, as tools in your arsenal to audit or monitor SSH connection attempts.

    If you are concerned that someone has accessed the server with a specific username, you can log into that user account and view their Bash history file. This .bash_history file within a user's home directory will contain every command that was ever executed within a Bash prompt. You can use this history of executed commands to further scrutinize any possible unauthorized SSH connection attempts.
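
An added example, not part of the lesson's own code: a script that pulls the user, source IP and port out of sshd entries in the auth.log format described above, counts failures per address, and flags accepted logins from an address that failed earlier. The log lines are constructed (documentation address ranges) and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Constructed sample in the traditional syslog format OpenSSH writes to auth.log.
sample_auth_log() {
cat <<'EOF'
Mar  3 10:15:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:09 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:16:40 web1 sshd[2215]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:17:02 web1 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:18:11 web1 sshd[2241]: Failed password for deploy from 192.0.2.44 port 60001 ssh2
Mar  3 10:18:30 web1 sshd[2250]: Accepted password for deploy from 192.0.2.44 port 60010 ssh2
EOF
}

# Reads auth.log text on stdin; prints "RESULT ip port user" per sshd auth line.
# The user name is client-supplied, so ip/port come from the LAST from/port token.
ssh_events() {
  awk '
    / sshd\[[0-9]+\]: (Failed|Accepted) / {
      user = ""; ip = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "for" && user == "")
          user = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
        if ($i == "from") ip = $(i+1)
        if ($i == "port") port = $(i+1)
      }
      print (($0 ~ /: Failed /) ? "FAILED" : "ACCEPTED"), ip, port, user
    }'
}

# Failed attempts per source address, busiest first: "count ip".
failed_by_ip() {
  ssh_events | awk '$1 == "FAILED" { n[$2]++ } END { for (ip in n) print n[ip], ip }' |
    sort -k1,1nr -k2,2
}

# Accepted logins from an address with earlier failures: "ip user prior_failures".
accepted_after_failures() {
  ssh_events | awk '
    $1 == "FAILED" { failed[$2]++ }
    $1 == "ACCEPTED" && failed[$2] { print $2, $4, failed[$2] }'
}

# Demo on the constructed sample; on a real host, feed /var/log/auth.log on stdin.
sample_auth_log | failed_by_ip
sample_auth_log | accepted_after_failures
```

An address that appears in the second report is worth checking against lastlog -u for that user.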