Monitoring and auditing SSH connection attempts

Instructor: Mark Shust
Published 5 years ago
Updated 3 years ago

Learn how to audit SSH logs and trails to ensure your remote host has not been compromised. The lastlog command helps you build an audit trail and scrutinize possibly undesired connection attempts.

Instructor: [00:00] Connection attempts are logged to /var/log/auth.log. Open that file and you will be able to see authentication attempts to the server, including the user that tried to log in, the IP address of the connection attempt, the port used, and other information.

[00:20] Type lastlog. This command will show you the most recent login attempt for all users. To find the last login for a specific user, type lastlog -u, followed by the username. You can use a combination of monitoring writes to the auth.log file, along with the lastlog command, as tools in your arsenal to audit or monitor SSH connection attempts.

[00:46] If you are concerned that someone has accessed the server with a specific username, you can log into that user account and view their Bash history file. This .bash_history file within a user's home directory will contain every command that was ever executed within a Bash prompt. You can use this history of executed commands to further scrutinize any possible unauthorized SSH connection attempts.
