Monitoring and auditing SSH connection attempts

Mark Shust
InstructorMark Shust
Share this video with your friends

Social Share Links

Send Tweet
Published 6 years ago
Updated 4 years ago

Learn how to audit SSH logs and trails to ensure your remote host has not been compromised. The lastlog command will help you with your audit trail to help scrutinize possibly undesired connection attempts.

Instructor: [00:00] Connection attempts are logged to /var/log/off.log. Open that file and you will be able to see authentication attempts to the server, including the user that tried to log in, the IP address of the connection attempt, the port used, and other information.

[00:20] Type lastlog. This command will show you the most recent login attempt for all users. To find the last login for a specific user, type lastlog-u, followed by the username. You can use a combination of monitoring rights to the offlogfile, along with the lastlog command, as tools in your arsenal to audit or monitor SSH connection attempts.

[00:46] If you are concerned that someone has accessed the server with a specific username, you can log into that user account and view their Bash history file. This .bash_history file within a user's home directory will contain every command that was ever executed within a Bash prompt. You can use this history of executed commands to further scrutinize any possible unauthorized SSH connection attempts.

egghead
egghead
~ 14 minutes ago

Member comments are a way for members to communicate, interact, and ask questions about a lesson.

The instructor or someone from the community might respond to your question Here are a few basic guidelines to commenting on egghead.io

Be on-Topic

Comments are for discussing a lesson. If you're having a general issue with the website functionality, please contact us at support@egghead.io.

Avoid meta-discussion

  • This was great!
  • This was horrible!
  • I didn't like this because it didn't match my skill level.
  • +1 It will likely be deleted as spam.

Code Problems?

Should be accompanied by code! Codesandbox or Stackblitz provide a way to share code and discuss it in context

Details and Context

Vague question? Vague answer. Any details and context you can provide will lure more interesting answers!

Markdown supported.
Become a member to join the discussionEnroll Today