Logging SSH access attempts

On Ubuntu servers, you can find who logged in when (and from where) in the file /var/log/auth.log. There, you find entries like:

May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)

On Red Hat based distros such as Fedora/CentOS/RHEL you can check for the users logged in inside the file /var/log/secure.

If you want more information, read this SuperUser Q&A titled "How can I log SSH access attempts and keep track of what SSH users end up doing on my server?"


On Ubuntu you can log in via SSH and use the Linux tail command to display the last x number of lines of your /var/log/auth.log file. When you’re logged in via SSH, use the following command to view the last 100 lines of your SSH log:

tail /var/log/auth.log -n 100

or even cleaner

tail -100 /var/log/auth.log | grep 'sshd'
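
As an added example (not part of the original answers): a small shell function that keeps only the sshd "Accepted"/"Failed" entries of an auth.log-style file and prints when, how, from where and as whom each attempt was made. The names ssh_logins and sample_log are made up here, and the last two sample lines are constructed for the demonstration.

```sh
#!/bin/sh
# Summarise sshd login results from a syslog-style auth log.
# Output columns: month day time result method source-address user
ssh_logins() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") && $8 == "for" {
        # "Failed ... for invalid user NAME" puts the name two fields later.
        first = ($9 == "invalid" && $10 == "user") ? 11 : 9
        # The user name is chosen by the client, so take the LAST
        # "from <addr> port" in the line; that part is written by sshd.
        for (i = NF - 2; i > first; i--) {
            if ($i == "from" && $(i + 2) == "port") {
                user = $first
                for (j = first + 1; j < i; j++) user = user " " $j
                if (first == 11) user = user " (invalid)"
                print $1, $2, $3, $6, $7, $(i + 1), user
                break
            }
        }
    }' "${1:-/var/log/auth.log}"
}

# Sample input: the first three lines are the entries quoted above,
# the last two are constructed (documentation address ranges).
sample_log() {
    cat <<'EOF'
May  1 16:17:02 owl CRON[9019]: pam_unix(cron:session): session closed for user root
May  1 16:17:43 owl sshd[9024]: Accepted publickey for root from 192.168.0.101 port 37384 ssh2
May  1 16:17:43 owl sshd[9024]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  1 16:20:11 owl sshd[9101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
May  1 16:20:15 owl sshd[9103]: Failed password for invalid user a from 10.0.0.1 port 22 from 198.51.100.7 port 40000 ssh2
EOF
}

# Demo on the embedded sample; "-" makes awk read standard input.
sample_log | ssh_logins -
```

On the Red Hat based distros mentioned above, pass /var/log/secure as the argument instead of relying on the default path.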
