How to find SSH Logins via command line
SSH, or secure shell, is a secure protocol and the most common way of safely administering remote servers. Using a number of encryption technologies, SSH provides a mechanism for establishing a cryptographically secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth. In this tutorial, you will learn the commands with which you can find information on SSH logins.
Finding SSH Logins
You can use the w command, which shows who is logged on and what they are doing on your machine. When it is used with the -i option, the list of users is displayed as follows.
[root@linuxhelp ~]# w -i
12:33:40 up 25 min, 5 users, load average: 0.25, 0.73, 0.68
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 03Aug17 ?xdm? 3:18 0.05s gdm-session-wor
root pts/0 :0 03Aug17 4.00s 0.17s 0.01s w -i
root pts/1 192.168.7.103 12:31 2:05 0.05s 0.05s -bash
root pts/2 192.168.7.102 12:32 1:38 0.03s 0.03s -bash
root pts/3 192.168.7.13 12:32 1:09 0.02s 0.02s -bash
To check who is logged on, use the who command as follows. The IP addresses of the logged-in sessions are listed as follows.
[root@linuxhelp ~]# who
root :0 2017-08-03 21:39 (:0)
root pts/0 2017-08-03 21:39 (:0)
root pts/1 2017-12-05 12:31 (192.168.7.103)
root pts/2 2017-12-05 12:32 (192.168.7.102)
root pts/3 2017-12-05 12:32 (192.168.7.13)
To list the users who are logged in, including those connected over SSH, use the -a option with the who command. All information, such as system boot, category, run time, etc., is listed as follows.
[root@linuxhelp ~]# who -a
system boot 2017-08-04 03:02
run-level 5 2017-08-03 21:33
root ? :0 2017-08-03 21:39 ? 2712 (:0)
root + pts/0 2017-08-03 21:39 00:01 3288 (:0)
root + pts/1 2017-12-05 12:31 00:10 4728 (192.168.7.103)
root + pts/2 2017-12-05 12:32 00:09 4787 (192.168.7.102)
root + pts/3 2017-12-05 12:32 00:09 4839 (192.168.7.13)
root + pts/4 2017-12-05 12:38 . 3288 (:0)
To list the users who are logged in to your system, you can also use the who command with the -u option.
[root@linuxhelp ~]# who -u
root :0 2017-08-03 21:39 ? 2712 (:0)
root pts/0 2017-08-03 21:39 00:02 3288 (:0)
root pts/1 2017-12-05 12:31 00:11 4728 (192.168.7.103)
root pts/2 2017-12-05 12:32 00:10 4787 (192.168.7.102)
root pts/3 2017-12-05 12:32 00:10 4839 (192.168.7.13)
root pts/4 2017-12-05 12:38 . 3288 (:0)
You can use the finger command to see SSH logins. The finger command displays the user's login name, real name, terminal name, etc. Check whether the finger command is installed; if it isn't, you can install it with the yum install command.
[root@linuxhelp ~]# yum install finger
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.vbctv.in
* epel: epel.scopesky.iq
* extras: mirror.vbctv.in
* remi-php71: mirror.cedia.org.ec
* remi-safe: mirror.cedia.org.ec
* updates: mirror.vbctv.in
Resolving Dependencies
--> Running transaction check
---> Package finger.x86_64 0:0.17-52.el7 will be installed
--> Finished Dependency Resolution
.
.
.
Is this ok [y/d/N]: y
Downloading packages:
finger-0.17-52.el7.x86_64.rpm | 25 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : finger-0.17-52.el7.x86_64 1/1
Verifying : finger-0.17-52.el7.x86_64 1/1
Installed:
finger.x86_64 0:0.17-52.el7
Complete!
-s option
After the finger command is installed, you can make full use of it through its available options. Use the finger command with the -s option to display the user's login name, real name, terminal name, idle time, login time, office location, office phone number, etc.
[root@linuxhelp ~]# finger -s
Login Name Tty Idle Login Time Office Office Phone Host
root root *:0 Aug 3 21:39 (:0)
root root pts/0 Aug 3 21:39 (:0)
root root pts/1 6 Dec 5 12:31 (192.168.7.103)
root root pts/2 6 Dec 5 12:32 (192.168.7.102)
root root pts/3 5 Dec 5 12:32 (192.168.7.13)
root root pts/4 Dec 5 12:38 (:0)
-l option
You can use the -l option with the finger command to display information such as the user's home directory, home phone number, login shell, mail status, and the contents of the files, along with the information that can be obtained with the -s option.
[root@linuxhelp ~]# finger -l
Login: root Name: root
Directory: /root Shell: /bin/bash
On since Thu Aug 3 21:39 (IST) on :0 from :0 (messages off)
On since Thu Aug 3 21:39 (IST) on pts/0 from :0
42 seconds idle
On since Tue Dec 5 12:31 (IST) on pts/1 from 192.168.7.103
6 minutes 51 seconds idle
On since Tue Dec 5 12:32 (IST) on pts/2 from 192.168.7.102
6 minutes 24 seconds idle
On since Tue Dec 5 12:32 (IST) on pts/3 from 192.168.7.13
5 minutes 55 seconds idle
On since Tue Dec 5 12:38 (IST) on pts/4 from :0
2 seconds idle
New mail received Thu Aug 3 21:33 2017 (IST)
Unread since Tue Feb 7 15:27 2017 (IST)
No Plan.
Last Command
The last command can also be used to search for SSH logins. The last command searches back through the file /var/log/wtmp (or the file designated by the -f flag) and displays a list of all users logged in (and out) since that file was created. Names of users and ttys can be given, in which case last will show only those entries matching the arguments.
[root@linuxhelp ~]# last -w
root pts/4 :0 Tue Dec 5 12:38 still logged in
root pts/3 192.168.7.13 Tue Dec 5 12:32 still logged in
root pts/2 192.168.7.102 Tue Dec 5 12:32 still logged in
root pts/1 192.168.7.103 Tue Dec 5 12:31 still logged in
root pts/0 :0 Thu Aug 3 21:39 still logged in
root :0 :0 Thu Aug 3 21:39 still logged in
(unknown) :0 :0 Thu Aug 3 21:33 - 21:39 (00:05)
reboot system boot 3.10.0-123.el7.x86_64 Fri Aug 4 03:02 - 12:48 (123+09:45)
root pts/0 :0 Tue Mar 14 13:50 - 21:32 (142+07:42)
root pts/0 :0 Tue Mar 14 13:48 - 13:50 (00:01)
root :0 :0 Tue Mar 14 13:48 - 21:32 (142+07:43)
(unknown) :0 :0 Tue Mar 14 13:48 - 13:48 (00:00)
reboot system boot 3.10.0-123.el7.x86_64 Tue Mar 14 19:17 - 21:32 (142+02:14)
root pts/0 :0 Tue Feb 7 15:40 - 15:42 (00:02)
root pts/0 :0 Tue Feb 7 15:38 - 15:39 (00:00)
root :0 :0 Tue Feb 7 15:26 - 15:47 (00:21)
(unknown) :0 :0 Tue Feb 7 15:26 - 15:26 (00:00)
reboot system boot 3.10.0-123.el7.x86_64 Tue Feb 7 20:55 - 15:47 (-5:-7)
wtmp begins Tue Feb 7 20:55:23 2017
You can use the -F option with the last command to produce the full report, including login and logout details.
[root@linuxhelp ~]# last -F
root pts/4 :0 Tue Dec 5 12:38:02 2017 still logged in
root pts/3 192.168.7.13 Tue Dec 5 12:32:31 2017 still logged in
root pts/2 192.168.7.102 Tue Dec 5 12:32:02 2017 still logged in
root pts/1 192.168.7.103 Tue Dec 5 12:31:35 2017 still logged in
root pts/0 :0 Thu Aug 3 21:39:26 2017 still logged in
root :0 :0 Thu Aug 3 21:39:10 2017 still logged in
(unknown :0 :0 Thu Aug 3 21:33:17 2017 - Thu Aug 3 21:39:10 2017 (00:05)
reboot system boot 3.10.0-123.el7.x Fri Aug 4 03:02:56 2017 - Tue Dec 5 12:49:18 2017 (123+09:46)
root pts/0 :0 Tue Mar 14 13:50:10 2017 - Thu Aug 3 21:32:25 2017 (142+07:42)
root pts/0 :0 Tue Mar 14 13:48:56 2017 - Tue Mar 14 13:50:08 2017 (00:01)
root :0 :0 Tue Mar 14 13:48:38 2017 - Thu Aug 3 21:32:30 2017 (142+07:43)
(unknown :0 :0 Tue Mar 14 13:48:11 2017 - Tue Mar 14 13:48:38 2017 (00:00)
reboot system boot 3.10.0-123.el7.x Tue Mar 14 19:17:51 2017 - Thu Aug 3 21:32:40 2017 (142+02:14)
root pts/0 :0 Tue Feb 7 15:40:17 2017 - Tue Feb 7 15:42:32 2017 (00:02)
root pts/0 :0 Tue Feb 7 15:38:48 2017 - Tue Feb 7 15:39:01 2017 (00:00)
root :0 :0 Tue Feb 7 15:26:26 2017 - Tue Feb 7 15:47:47 2017 (00:21)
(unknown :0 :0 Tue Feb 7 15:26:05 2017 - Tue Feb 7 15:26:26 2017 (00:00)
reboot system boot 3.10.0-123.el7.x Tue Feb 7 20:55:23 2017 - Tue Feb 7 15:47:54 2017 (-5:-7)
wtmp begins Tue Feb 7 20:55:23 2017
To generate a summary report for your machine, you can use aureport. Use the -l option with the aureport command to list the login report, which includes your SSH logins.
[root@linuxhelp ~]# aureport -l
Login Report
============================================
# date time auid host term exe success event
============================================
1. 02/07/2017 15:26:26 0 ? ? /usr/libexec/gdm-session-worker yes 359
2. 03/14/2017 13:48:36 0 ? ? /usr/libexec/gdm-session-worker yes 354
3. 08/03/2017 21:39:09 0 ? ? /usr/libexec/gdm-session-worker yes 361
4. 12/05/2017 12:31:35 0 192.168.7.103 ssh /usr/sbin/sshd yes 505
5. 12/05/2017 12:31:35 0 192.168.7.103 /dev/pts/1 /usr/sbin/sshd yes 510
6. 12/05/2017 12:31:59 root 192.168.7.102 ssh /usr/sbin/sshd no 523
7. 12/05/2017 12:32:02 0 192.168.7.102 /dev/pts/2 /usr/sbin/sshd yes 539
8. 12/05/2017 12:32:02 0 192.168.7.102 ssh /usr/sbin/sshd yes 551
9. 12/05/2017 12:32:31 0 192.168.7.13 /dev/pts/3 /usr/sbin/sshd yes 567
You can find the hardware type, MAC address, etc., of the users by using the arp command.
[root@linuxhelp ~]# arp
Address HWtype HWaddress Flags Mask Iface
192.168.7.102 ether 4c:72:b9:98:8e:26 C eno16777736
192.168.7.13 ether 00:0c:29:e1:c1:72 C eno16777736
192.168.7.12 (incomplete) eno16777736
192.168.7.103 ether 00:22:4d:9f:8f:d5 C eno16777736
192.168.7.1 ether 3c:61:04:6c:d6:81 C eno16777736
Apart from the above commands, you can also view SSH user details through the following command.
[root@linuxhelp ~]# tailf /var/log/secure
Dec 5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec 5 12:32:01 linuxhelp sshd[4783]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 5 12:32:02 linuxhelp sshd[4785]: Accepted password for root from 192.168.7.102 port 53601 ssh2
Dec 5 12:32:02 linuxhelp sshd[4785]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 5 12:32:02 linuxhelp sshd[4785]: subsystem request for sftp by user root
Dec 5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec 5 12:32:31 linuxhelp sshd[4833]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 5 12:52:58 linuxhelp useradd[34043]: failed adding user 'user1', exit code: 9
Dec 5 12:53:05 linuxhelp su: pam_unix(su:session): session opened for user user1 by root(uid=0)
Dec 5 12:55:16 linuxhelp su: pam_unix(su:session): session closed for user user1
Or, to view only the SSH details, you can grep for sshd as follows.
[root@linuxhelp ~]# tailf /var/log/secure | grep sshd
Dec 5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec 5 12:32:01 linuxhelp sshd[4783]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 5 12:32:02 linuxhelp sshd[4785]: Accepted password for root from 192.168.7.102 port 53601 ssh2
Dec 5 12:32:02 linuxhelp sshd[4785]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 5 12:32:02 linuxhelp sshd[4785]: subsystem request for sftp by user root
Dec 5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec 5 12:32:31 linuxhelp sshd[4833]: pam_unix(sshd:session): session opened for user root by (uid=0)
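The grep above still leaves you reading raw lines. As an added example (not part of the original tutorial), the following shell function counts accepted and failed sshd authentications per source address from lines in the /var/log/secure format shown above. The function names and the sample log are constructed for illustration; the sample reuses the page's addresses plus the documentation address 203.0.113.7.

```shell
#!/bin/sh
# Added example: per-address summary of sshd logins from /var/log/secure.

# Constructed sample in /var/log/secure format. 203.0.113.7 is a
# documentation address; the fifth line carries a forged " from " in
# the client-supplied user name.
sample_secure_log() {
    cat <<'EOF'
Dec  5 12:31:59 linuxhelp sshd[4783]: Failed password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:01 linuxhelp sshd[4783]: Accepted password for root from 192.168.7.102 port 53600 ssh2
Dec  5 12:32:02 linuxhelp sshd[4785]: Accepted password for root from 192.168.7.102 port 53601 ssh2
Dec  5 12:32:31 linuxhelp sshd[4833]: Accepted password for root from 192.168.7.13 port 44820 ssh2
Dec  5 12:40:10 linuxhelp sshd[5001]: Failed password for invalid user x from 192.168.7.13 port 1 ssh2 from 203.0.113.7 port 40022 ssh2
Dec  5 12:40:12 linuxhelp sshd[5003]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2
Dec  5 12:53:05 linuxhelp su: pam_unix(su:session): session opened for user user1 by root(uid=0)
EOF
}

# Read syslog-format lines on stdin; print one line per source address:
#   <address> accepted=<n> failed=<n>
ssh_login_summary() {
    LC_ALL=C awk '
    # Count only lines logged by sshd itself (program field "sshd[pid]:").
    $5 ~ /^sshd\[[0-9]+\]:$/ && ($6 == "Accepted" || $6 == "Failed") {
        # The user name is chosen by the client, so do not trust the
        # first "from": take the address after the LAST "from" token.
        addr = ""
        for (i = NF - 1; i > 6; i--)
            if ($i == "from") { addr = $(i + 1); break }
        if (addr == "") next
        seen[addr] = 1
        if ($6 == "Accepted") ok[addr]++; else bad[addr]++
    }
    END {
        for (a in seen)
            printf "%s accepted=%d failed=%d\n", a, ok[a], bad[a]
    }' | LC_ALL=C sort
}

# Run on the constructed sample.
sample_secure_log | ssh_login_summary
```

On a live host, run `ssh_login_summary < /var/log/secure` as root. An address with many failures and no accepted logins, or failures followed by an accepted login, is worth a closer look with the last and aureport commands above.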
This concludes the methods for finding and viewing SSH logins from the command line.