SSH login logs on Linux

Logging SSH access attempts

I've configured an Ubuntu server with OpenSSH in order to connect to it and execute commands from a remote system like a phone or a laptop. The problem is, I'm probably not the only one. Is there a way to know all the login attempts that have been made to the server?

You should also consider running sshd on a non-standard port. Also, it is possible to set up iptables to deny new connection attempts if a single IP attempts a new ssh connection X times in a minute.

8 Answers

On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log . There, you find entries like:

May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)

@JoelDavis My Ubuntu 12.04 does, but the output is a single line that doesn't look like your output at all. Maybe it needs to be configured.
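An added example, not code from any of the answers above: a small Python parser for the syslog-style sshd lines quoted in the answer (the `Accepted`/`Failed <method> for [invalid user] <user> from <ip> port <port>` messages), plus the sliding-window count of failures per source address that the comment under the question suggests turning into an iptables rate-limit. The log lines inside the block are constructed for illustration, and the year passed to `parse_auth_log` is an assumption, because syslog timestamps carry none.

```python
"""Parse sshd lines from /var/log/auth.log and flag brute-force sources.

Added example, not code from the quoted answers.  Assumes the stock
rsyslog line layout shown in the answer above:
  "Mon DD HH:MM:SS host sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <port> ssh2"
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the excerpt above (not a real capture).
SAMPLE_AUTH_LOG = """\
May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:18:01 owl sshd[9031]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
May  1 16:18:04 owl sshd[9033]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
May  1 16:18:09 owl sshd[9035]: Failed password for root from 203.0.113.9 port 51041 ssh2
May  1 16:18:15 owl sshd[9037]: Failed password for root from 203.0.113.9 port 51052 ssh2
May  1 16:18:22 owl sshd[9039]: Failed password for root from 203.0.113.9 port 51060 ssh2
May  1 16:25:10 owl sshd[9050]: Failed password for alice from 192.168.0.101 port 37400 ssh2
May  1 16:25:14 owl sshd[9050]: Accepted password for alice from 192.168.0.101 port 37400 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text, year=2016):
    """Return one dict per sshd Accepted/Failed line; other lines (CRON,
    pam_unix session bookkeeping) are skipped.  syslog stamps carry no
    year, so `year` is an assumption supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
        e["pid"] = int(e["pid"])
        e["port"] = int(e["port"])
        e["invalid_user"] = "invalid user" in line   # account does not exist
        events.append(e)
    return events


def successful_logins(events):
    """(user, ip, method) for every accepted authentication."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["result"] == "Accepted"]


def brute_force_sources(events, window_seconds=60, threshold=3):
    """Source IPs with >= `threshold` failed attempts inside any sliding
    `window_seconds` window, mapped to the peak count.  This is the
    condition the comment under the question suggests turning into an
    iptables rate-limit (or a hosts.deny entry)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["time"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, ip, method in successful_logins(evs):
        print(f"accepted {method:<9} {user:<8} from {ip}")
    for ip, n in brute_force_sources(evs).items():
        print(f"brute force: {ip} ({n} failures within 60 s)")
```

On a real host, read the file instead of the constructed string (`parse_auth_log(open("/var/log/auth.log").read(), year=...)`), and remember that logrotate compresses older copies (auth.log.2.gz and up), so a full history needs the rotated files too.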

On Red Hat based distros such as Fedora/CentOS/RHEL you can check for the users logged in inside the file /var/log/secure .

@Anthon, surprisingly I do not have /var/log/auth in my systems. That’s why before posting the answer, I checked if I had /var/log/secure in my system, which is also a Ubuntu server 🙂

I had checked 14.04, 12.04 and an old machine under 8.04. Which version are you running? Have you done anything special to get that file?

@Anthon, turns out the server in which I tested was RHEL. However, the answer in the link that I had provided was for Ubuntu which seems weird, since you had checked 3 variations of ubuntu and there is no /var/log/secure .

Note that the default configuration on Ubuntu is to NOT log ssh logins to the /var/log/auth file. This is the INFO logging level.

If you want to have it include login attempts in the log file, you’ll need to edit the /etc/ssh/sshd_config file (as root or with sudo) and change the LogLevel from INFO to VERBOSE .

After that, restart the sshd daemon with

sudo service rsyslog restart 

After that, the ssh login attempts will be logged into the /var/log/auth.log file.

On Ubuntu you can log in via SSH and use the Linux tail command to display the last N lines of your /var/log/auth.log file. Once logged in via SSH, use the following command to view the last 100 lines of your SSH log:

tail -100 /var/log/auth.log | grep 'sshd' 

Wouldn't an even cleaner way be: grep sshd /var/log/auth.log | tail -100 ? That way you know you're getting 100 sshd auth event items if there are 100 or more, unlike your command.


My recommendation is to use auditd. This is logging using the Linux kernel's audit subsystem and, in my opinion, the proper way to do it if you are serious. And given the nature of the question, you should be using PAM as well. At the default level of just having auditd and PAM installed, you should automatically get all successful and unsuccessful SSH attempts logged in your audit.log file. So you really don't have to configure anything; just have auditd and PAM installed. I know this first hand for SLES, and would bet RHEL and any other enterprise version of Linux would operate similarly.

Within the raw audit log generated by auditd you can either use something like aureport to filter it, which is described in the auditd man pages, write your own text parser, or just use vi and search for keywords.

Here is an excerpt of my /var/log/audit/audit.log file with me ssh'ing into my Linux server.

node=shark type=CRED_DISP msg=audit(1480622612.317:2211277): user pid=117768 uid=0 auid=23456 ses=2201 msg='op=PAM:setcred acct="ron" exe="/usr/sbin/sshd" (hostname=abc415.mycompany.us, addr=172.16.152.5, terminal=ssh res=success)' 
  • from the above, my server name is shark.
  • many lines like this are in audit.log; I want this one based on exe="/usr/sbin/sshd"
  • the uid of the account being ssh'd into is the value of auid, which is 23456 for this example
  • the name of the user account associated with auid is specified by acct="ron"
  • most times the audit system will record the DNS hostname of the system trying to connect, but it always has its IP address
  • the date of the entry is in epoch time, so you'll have to convert that via something like date --date @1480622612.317, which results in Thu Dec 1 15:03:32 EST 2016 and is when I ssh'd into my server.

When res=failed is when you want to investigate those IP addresses and hostnames to see what systems were trying to connect, and under what attempted user name. And obviously the successful ssh attempts, to understand what's happening on your system. For example, your coworker Bob, who sits at the same desk every day with hostname=bobscomputer and IP address=192.168.5.5: if you see a successful ssh attempt at 2am yesterday under his username from IP address 10.10.5.6, for example, then it might be in your best interest to talk to Bob to investigate. Possible hack attempt by someone else? And shortly after, are there su attempts to root in the audit log from Bob's account?


When you see repetitive res=failed and auid=0 and acct=root, that's someone trying to ssh into your box as root, and that is when you modify /etc/hosts.deny with that IP address for sshd.
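An added example, not part of the answer above: a Python parser for audit.log records of the shape shown in the excerpt (`type=... msg=audit(EPOCH:SERIAL): ... msg='op=... acct="..." exe="..." (hostname=..., addr=..., terminal=... res=...)'`). It selects the `USER_AUTH` records written by `/usr/sbin/sshd` (these carry the PAM authentication result; the `CRED_DISP` record in the excerpt is the credential release at the end of the session), converts the epoch stamp the way the `date --date` step does, and tallies repeated `res=failed` logins for `root` per source address, the pattern the last paragraph says belongs in /etc/hosts.deny. The records in the block are constructed for illustration and mimic the SLES layout above; the last one uses the RHEL layout (same keys, no parentheses or commas), which the parser also accepts.

```python
"""Pick SSH authentication records out of /var/log/audit/audit.log.

Added example, not code from the answer above.  Record layout assumed is
the one in the excerpt: "node=... type=... msg=audit(EPOCH:SERIAL): ...
msg='op=... acct="..." exe="..." (hostname=..., addr=..., terminal=... res=...)'".
"""
import re
from datetime import datetime, timezone

# Constructed records modelled on the excerpt above; 198.51.100.23 is a
# documentation address.  The last record uses the RHEL layout (no
# parentheses, no commas) to show the parser handles both.
SAMPLE_AUDIT_LOG = """\
node=shark type=USER_AUTH msg=audit(1480622600.120:2211270): user pid=117768 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="ron" exe="/usr/sbin/sshd" (hostname=abc415.mycompany.us, addr=172.16.152.5, terminal=ssh res=success)'
node=shark type=CRED_DISP msg=audit(1480622612.317:2211277): user pid=117768 uid=0 auid=23456 ses=2201 msg='op=PAM:setcred acct="ron" exe="/usr/sbin/sshd" (hostname=abc415.mycompany.us, addr=172.16.152.5, terminal=ssh res=success)'
node=shark type=USER_AUTH msg=audit(1480622700.001:2211300): user pid=117900 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=198.51.100.23, terminal=ssh res=failed)'
node=shark type=USER_AUTH msg=audit(1480622702.510:2211301): user pid=117902 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=198.51.100.23, terminal=ssh res=failed)'
node=shark type=USER_AUTH msg=audit(1480622705.777:2211302): user pid=117904 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=?, addr=198.51.100.23, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1480622800.000:2211310): pid=118000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="bob" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
"""

# key=value pairs: a double-quoted value, or a bare value up to whitespace , ) or '
KV_RE = re.compile(r"""(\w+)=("[^"]*"|[^\s,)']+)""")
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_audit_line(line):
    """Flatten one audit record into a dict; None for lines without the
    msg=audit(epoch:serial) stamp.  Values keep their string form."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec.pop("msg", None)                      # replaced by epoch/serial below
    rec["epoch"] = float(m.group(1))
    rec["serial"] = int(m.group(2))
    for key in ("hostname", "addr"):          # auditd writes "?" when unknown
        if rec.get(key) == "?":
            rec[key] = None
    return rec


def utc_time(epoch):
    """Same conversion as `date --date @EPOCH`, pinned to UTC so the result
    does not depend on the machine's timezone (the answer shows EST)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def sshd_auth_events(text):
    """USER_AUTH records emitted by sshd: one per PAM authentication
    decision, res=success or res=failed.  CRED_* and USER_START/END
    records from the same session are bookkeeping and are left out."""
    events = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("type") == "USER_AUTH" and rec.get("exe") == "/usr/sbin/sshd":
            events.append(rec)
    return events


def failed_root_sources(events):
    """addr -> number of failed root logins: the repetitive res=failed /
    acct="root" pattern the answer says to block in /etc/hosts.deny."""
    counts = {}
    for e in events:
        if e.get("acct") == "root" and e.get("res") == "failed":
            counts[e["addr"]] = counts.get(e["addr"], 0) + 1
    return counts


if __name__ == "__main__":
    events = sshd_auth_events(SAMPLE_AUDIT_LOG)
    for e in events:
        stamp = utc_time(e["epoch"]).strftime("%Y-%m-%d %H:%M:%S UTC")
        print(f"{stamp} acct={e['acct']} addr={e['addr']} host={e['hostname']} res={e['res']}")
    for addr, n in failed_root_sources(events).items():
        print(f"{n} failed root logins from {addr}")
```

The same selection can be done on a live system with `ausearch -c sshd` or `ausearch -m USER_AUTH`, which this block reimplements only so the fields (acct, addr, res, epoch) can be post-processed in code.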


Where to find SSH Login log files on centos

I have shared a .pem file with a few developers and now something went wrong on the server. I would like to track logins in a log so that I can see who (IP) made changes and when (if even possible) what changes happened in that session. I tried looking at /var/logs/auth.log, but I cannot find such a file on my machine. A few more details:
  • Hosted on AWS
  • Created and shared a .pem file
  • CentOS: centos-release-7-2.1511.el7.centos.2.10.x86_64
  • EC2 instance
  • I have not set up flow logs
Can someone help me track SSH login details?

5 Answers

On CentOS login information is logged in /var/log/secure , not /var/logs/auth.log .

In CentOS 7 the SSH logs are located at /var/log/secure

If you want to monitor in real time, you may use the tail command as shown below:

tail -f -n 50 /var/log/secure | grep sshd 

lastlog(8) will report the most recent information from the /var/log/lastlog facility, if you have pam_lastlog(8) configured.

aulastlog(8) will make a similar report, but from the audit logs in /var/log/audit/audit.log . (Recommended, as auditd(8) records are harder to tamper with than syslog(3) records.)

ausearch -c sshd will search your audit logs for reports from the sshd process.

last(8) will search through /var/log/wtmp for the most recent logins. lastb(8) will show bad login attempts.

/root/.bash_history might contain some details, assuming the goober who fiddled with your system was incompetent enough to not remove it before logging out.

Make sure you check ~/.ssh/authorized_keys files for all users on the system, check crontabs to make sure no new ports are scheduled to be opened at some point in the future, etc.

Note that all logs stored on the local machine are suspect; the only logs you can realistically trust are forwarded to another machine that wasn’t compromised. Perhaps it would be worth investigating centralized log handling via rsyslog(8) or auditd(8) remote machine handling.

grep sshd /var/log/audit/audit.log 


Where to Find sshd Logs in Linux?

"sshd" is the OpenSSH server daemon (Secure Shell Daemon). It accepts incoming connections over the SSH protocol and handles user authentication, terminal sessions, file transfers and tunnelling. Its log records the authentication side of that work: every accepted or rejected login attempt, the method used (password, publickey), the account name, and the source address and port.


This post shows where sshd writes its logs and how to read them on Ubuntu, with the equivalent paths and unit names for the Red Hat family.

Method 1: Using the “auth.log” File

On Debian and Ubuntu the sshd messages go, via rsyslog, into the "auth.log" file in the "/var/log/" directory. That file collects every authentication-related event on the system (logins on any service, sudo, PAM session open and close), so the sshd lines have to be filtered out of it. On Fedora/CentOS/RHEL the same messages land in "/var/log/secure" instead.

Run the “grep” to filter out the “sshd logs” details from the “/var/log/auth.log” file:

$ grep 'sshd' /var/log/secure      # Fedora/CentOS/RHEL
$ grep 'sshd' /var/log/auth.log    # Ubuntu/Debian-based

Each matching line carries the timestamp, the hostname, the sshd process ID in square brackets, and the event itself: an "Accepted" or "Failed" authentication with the method, account name, source IP and port, or the pam_unix session open/close that follows a successful login. Lines from one connection share the same process ID, which is how to group them. Note that logrotate compresses older copies (auth.log.2.gz and so on), so use zgrep when looking further back than the current file.

Method 2: Using the “lastlog” Command

The "lastlog" command line utility reports, for every account in /etc/passwd, the most recent login: the account name, the terminal (port), the host the login came from, and the time. It reads the /var/log/lastlog database that pam_lastlog updates on each login. For SSH logins the host column holds the client's IP address or hostname, which is what ties an entry to sshd.

Execute the "lastlog" command without any of its supported flags to list every account:

$ lastlog

Accounts that have never logged in are shown as "**Never logged in**"; the rest show their last login, including those that arrived over SSH.

Piping "lastlog" through "grep 'sshd'" with the "|(Pipe)" character does not work as a filter: lastlog keeps one record per account and never mentions the daemon that handled the login, so the combination prints nothing at all. Narrow the report by account or by age instead:

$ lastlog -u alice    # last login of one account
$ lastlog -t 7        # only accounts that logged in within the last 7 days

lastlog also records only the most recent successful login per account; failed attempts and earlier sessions are not in it, so it complements auth.log rather than replacing it.

Method 3: Using the “journalctl” Command

"journalctl" is another command line tool; it queries the systemd journal, which collects messages from every systemd unit and from the kernel. Where sshd runs as a systemd service, its authentication messages are in the journal as well (on Ubuntu rsyslog also writes them to auth.log).

The "-u" flag selects a unit, not "systemd" itself, and the unit name differs between distributions: Debian and Ubuntu call the service "ssh", the Red Hat family calls it "sshd". Asking for the wrong name returns "-- No entries --", which is what happens when "journalctl -u sshd" is run on Ubuntu:

$ journalctl -u ssh         # Debian/Ubuntu
$ journalctl -u sshd        # Fedora/CentOS/RHEL
$ journalctl _COMM=sshd     # any distribution: match on the process name

Add "-f" to follow new entries as they arrive, or "--since '1 hour ago'" to bound the range.

Conclusion

On Debian and Ubuntu the "sshd logs" are in the "/var/log/auth.log" file; on Fedora, CentOS and RHEL they are in "/var/log/secure"; and on any systemd-based system they are also in the journal. "grep" over the log file is the direct way to read them, "journalctl -u ssh" (or "-u sshd") the journal way, and "lastlog" gives a per-account summary of the most recent successful login only. All three utilities ship with the commonly used distributions.

This post has shown where the sshd logs live, how to filter them, and which of the three tools answers which question.
