List All Active SSH connections in Linux [8 Methods]


SSH, How To, Linux, Security

In today’s online world, having a safe and dependable way to connect to other computers is very important. SSH, or Secure Shell, is like a secure door that allows administrators to safely manage and watch over servers from different locations. It’s a key tool for keeping networks safe. One major part of keeping servers secure is by regularly checking who is connected to them. By keeping track of active SSH connections, administrators can see who is accessing the system, what they are doing, and for how long they’ve been connected. This helps in quickly spotting any unusual or unwanted activities, making sure that the server runs smoothly and securely.

 

Methods to list all active SSH connections

  1. Using netstat Command: This command helps show all active network connections, making it easier to see who is connected through SSH.
  2. Using the ss Command: This tool helps to get more detailed information about the network connections, including SSH.
  3. Utilizing the lsof Command: This command lists all open files and network connections, including those made using SSH.
  4. Employing the who Command: A simple command that shows who is currently logged into the system.
  5. Exploring the ps Command: This command shows details about the currently running processes, including SSH connections.
  6. Using the pgrep Command: This command with -a option can also be used to display the full command lines of processes, allowing you to see SSH sessions.
  7. Deploying the w Command: This command gives a quick look at who is logged in and what they are doing, including those connected through SSH.
  8. Using the last Command: This command shows the login history, allowing you to see who is currently logged in through SSH.

 

Pre-requisite

Before diving into the various methods of listing active SSH connections, it is crucial to identify the specific port number that the SSH service is using. SSH typically operates on port 22, but it might be configured to use a different port, enhancing security through obscurity. Knowing the exact port and the service name ensures accurate monitoring and management of SSH sessions.

You can use sshd -T which can show you the currently loaded configuration including the port number used:

# sshd -T | grep -i port 
port 22

So now we can use this port number to get the list of active SSH connections.

 

1. Using netstat command

The netstat command is a powerful utility available in the toolbox of most Unix-like operating systems. It provides a variety of details such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

When dealing with SSH sessions, netstat can help you identify who's currently connected to your SSH server. Here’s how you can utilize the netstat command to achieve this:

netstat -tan | grep ':22'

This command will display all active connections on port 22, the default SSH port, both incoming and outgoing. You can also grep for 'sshd' or any other port if used for your SSHD server.

To filter out only the connected SSH sessions you can grep for ESTABLISHED:

netstat -tan | grep ':22' | grep 'ESTABLISHED'

Sample Output:

tcp        0      0 100.73.169.37:22        10.143.92.122:56984     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63776     ESTABLISHED
tcp        0     84 100.73.169.37:22        10.143.94.192:63765     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63779     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63778     ESTABLISHED

 

2. Using ss command

The ss command, socket statistics, is a versatile command-line utility used to dump socket statistics and displays information in a manner similar to netstat. It allows you to investigate sockets and helps in identifying network connections, providing detailed insights into how systems are interacting over a network, SSH sessions included.

To display all active SSH connections on port 22:

ss -tn state established '( dport = :22 or sport = :22 )'

Sample Output:

Recv-Q                     Send-Q                                         Local Address:Port                                           Peer Address:Port                      Process                     
0                          0                                              100.73.169.37:22                                            10.143.92.122:56984                                                 
0                          0                                              100.73.169.37:22                                            10.143.94.192:63776                                                 
0                          100                                            100.73.169.37:22                                            10.143.94.192:63765                                                 
0                          0                                              100.73.169.37:22                                            10.143.94.192:63779                                                 
0                          0                                              100.73.169.37:22                                            10.143.94.192:63778                                                 

To view extended information on all connected SSH sessions:

ss -tnp state established '( dport = :22 or sport = :22 )'

Sample Output:

Recv-Q             Send-Q                           Local Address:Port                            Peer Address:Port              Process                                                                  
0                  0                                100.73.169.37:22                             10.143.92.122:56984              users:(("sshd",pid=2147471,fd=5),("sshd",pid=2147467,fd=5))             
0                  0                                100.73.169.37:22                             10.143.94.192:63776              users:(("sshd",pid=2147848,fd=5),("sshd",pid=2147842,fd=5))             
0                  100                              100.73.169.37:22                             10.143.94.192:63765              users:(("sshd",pid=2147817,fd=5),("sshd",pid=2147813,fd=5))             
0                  0                                100.73.169.37:22                             10.143.94.192:63779              users:(("sshd",pid=2147898,fd=5),("sshd",pid=2147870,fd=5))             
0                  0                                100.73.169.37:22                             10.143.94.192:63778              users:(("sshd",pid=2147874,fd=5),("sshd",pid=2147844,fd=5))             

 

3. Using lsof Command

The lsof command in Linux serves as a tool to list open files and their corresponding network connections. Since everything in Linux is treated as a file, network connections inclusive, lsof becomes a powerful command when it comes to identifying active SSH connections among other things.

Displaying All Network Connections Associated with SSH

This command will show all active network connections on port 22, the default port for SSH.

sudo lsof -i :22

Sample Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1335 root    3u  IPv4  14304      0t0  TCP *:ssh (LISTEN)
sshd    1335 root    4u  IPv6  14306      0t0  TCP *:ssh (LISTEN)
sshd    4424 root    3u  IPv4  51266      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64308 (ESTABLISHED)
sshd    4469 root    3u  IPv4  51365      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64355 (ESTABLISHED)
sshd    4488 root    3u  IPv4  51400      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64357 (ESTABLISHED)

Displaying SSH Daemon's Open Files and Connections

Here, the command lists all open files associated with processes containing the name "sshd," which includes network connections made by the SSH daemon.

sudo lsof -c sshd

Narrowing Down to IPv4 SSH Connections

By specifying tcp, this example narrows down the results to show only TCP connections on the SSH port.

sudo lsof -i tcp:22

Combining with grep for Specific Results

sudo lsof -i :22 | grep ESTABLISHED

 

4. Using the who Command

The who command in Linux is a straightforward tool that displays information about users who are currently logged in. It includes users who are connected via SSH, making it a simple yet effective way to identify active SSH connections.

Running the command who on its own in the terminal will display a list of logged-in users, including those connected through SSH.

who

Output:

root     pts/0        2023-10-15 05:19 (10.143.92.122)
root     pts/1        2023-10-15 06:47 (10.143.94.192)
root     pts/2        2023-10-15 06:48 (10.143.94.192)
root     pts/3        2023-10-15 06:48 (10.143.94.192)
root     pts/5        2023-10-15 06:48 (10.143.94.192)
root     pts/8        2023-10-15 07:01 (10.143.92.122)

 

5. Using the ps Command

The ps (process status) command in Linux is a powerful tool used primarily to display information about current processes running in the system. It can also be utilized effectively to glean information about active SSH connections by identifying SSH-related processes.

ps aux | grep sshd

Sample Output

root      1335  0.0  0.0 112924  4340 ?        Ss   Oct13   0:00 /usr/sbin/sshd -D
root      4424  0.0  0.0 158928  5588 ?        Ss   12:38   0:00 sshd: root@pts/0
root      4469  0.0  0.0 158928  5580 ?        Ss   12:39   0:00 sshd: root@pts/1
root      4488  0.0  0.0 158928  5580 ?        Ss   12:39   0:00 sshd: root@pts/2
root      4536  0.0  0.0 112812   980 pts/0    R+   12:42   0:00 grep --color=auto sshd

But this also greps for other SSHD process which doesn't relate to connected sessions so let's add some additional pattern match to only list connected SSH sessions:

ps aux | grep 'sshd:' |  grep pts | grep -v grep

Sample Output:

root     2147471  0.0  0.0 172880  5584 ?        S    05:19   0:00 sshd: root@pts/0
root     2147817  0.0  0.0 163860  6252 ?        S    06:47   0:00 sshd: root@pts/1
root     2147848  0.0  0.0 163756  5712 ?        S    06:48   0:00 sshd: root@pts/2
root     2147874  0.0  0.0 163756  5700 ?        S    06:48   0:00 sshd: root@pts/3
root     2147898  0.0  0.0 163756  5600 ?        S    06:48   0:00 sshd: root@pts/5
root     2148160  0.0  0.0 172880  5680 ?        S    07:15   0:00 sshd: root@pts/8

 

6. Using pgrep command

The pgrep command is a versatile tool that you can use to find active SSH sessions. It’s primarily used to look up processes based on their names and other attributes. When we use pgrep in the context of SSH sessions, we aim to find the processes associated with SSH connections.

Here’s how you can use pgrep to find active SSH sessions and filter the results further to get precise information.:

pgrep -a sshd | grep pts | awk '{print $1, $NF}'

Sample Output:

2147471 root@pts/0
2147817 root@pts/1
2147848 root@pts/2
2147874 root@pts/3
2147898 root@pts/5
2148160 root@pts/8

 

7. Using w command

The w command in Linux is a potent utility that displays information about the users currently on the machine and their ongoing processes. It’s particularly valuable for administrators who wish to monitor SSH sessions, among other user activities.

w

Sample Output:

 07:25:05 up 97 days,  1:00,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.143.92.122    05:19    2:05m  0.01s  0.00s bash
root     pts/1    10.143.94.192    06:47    1.00s  0.05s  0.00s w
root     pts/2    10.143.94.192    06:48   19:45   0.00s  0.00s -bash
root     pts/3    10.143.94.192    06:48   36:50   0.00s  0.00s -bash
root     pts/5    10.143.94.192    06:48   36:49   0.00s  0.00s -bash
root     pts/8    10.143.95.112    07:15    9.00s  0.02s  0.02s -bash

The output of the w command contains several columns including the user name, terminal, remote host, login time, idle time, JCPU, PCPU, and the command currently being executed. Users logged in through SSH will have their remote host displayed, allowing you to identify SSH sessions.

If you want to view the details of a specific user, you can use w username. This will filter the output to show information relevant only to the specified username.

w root

Sample Output:

 07:26:40 up 97 days,  1:02,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.143.92.122    05:19    2:07m  0.01s  0.00s bash
root     pts/1    10.143.94.192    06:47    0.00s  0.05s  0.00s w root
root     pts/2    10.143.94.192    06:48   21:20   0.00s  0.00s -bash
root     pts/3    10.143.94.192    06:48   38:25   0.00s  0.00s -bash
root     pts/5    10.143.94.192    06:48   38:24   0.00s  0.00s -bash
root     pts/8    10.143.95.112    07:15    1:44   0.02s  0.02s -bash

 

8. Using last command

The last command in Linux is a powerful tool for reviewing user login history, including SSH logins. Here’s a guide to using the last command effectively, particularly focusing on identifying active SSH sessions:

Executing the last command alone will display a comprehensive login history, showing all user logins including SSH sessions. You can couple the last command with grep 'still logged in' to specifically filter and display the users who are currently active. For SSH sessions, look for entries associated with remote hosts.

last | grep 'still logged in'

Sample Output:

root     pts/8        10.143.95.112    Sun Oct 15 07:15   still logged in
root     pts/5        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/3        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/2        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/1        10.143.94.192    Sun Oct 15 06:47   still logged in
root     pts/0        10.143.92.122    Sun Oct 15 05:19   still logged in

The output includes columns such as the username, terminal type (e.g., pts/0 for SSH sessions), IP address or hostname, date, and duration, which are instrumental in analyzing the SSH activity.

 

Frequently Asked Questions

How can I list all active SSH connections on my Linux server?

You can use commands like ps, netstat, ss, and w to list active SSH connections. Each command provides a different format of output and a level of detail regarding the connections.

What is the easiest command to show active SSH sessions?

The w command is quite straightforward and displays who is currently logged in and what they are doing, including users connected via SSH.

How do I identify the IP addresses of connected SSH clients?

You can use the netstat command, which will show the IP addresses and the connection status, among other details

Can I see the usernames of the connected SSH sessions?

Yes, commands like w and who will display usernames along with the terminal, IP, and other details.

How can I see the command line activity of active SSH sessions?

The ps command paired with specific options and filters can show the commands being executed in the SSH sessions.

Is there a way to see how long the SSH sessions have been active?

Yes, the w command can show the idle time and how long the users have been connected.

Can I check the history of SSH connections?

The last command can be used to check the history of SSH logins and logouts, providing a list of sessions.

Is it possible to monitor SSH connections in real-time?

Yes, it's possible to monitor SSH connections in real-time. You can use a combination of commands to filter out SSH sessions and refresh the output periodically. You can combine netstat, ss, lsof, ps, who commands with watch to monitor the active SSH connections. For Example: watch "ss -o state established '( dport = :ssh or sport = :ssh )'"

How do I filter the active SSH connections from all network connections?

Commands like netstat or ss can be used in conjunction with grep to filter out SSH-specific connections using port number or service name.

 

Summary

Monitoring active SSH connections on a Linux server is crucial for ensuring system security and optimal performance. Various commands and methods, such as w, last, ps, pgrep, and lsof, facilitate the administrator in tracking and managing connected SSH sessions. Utilizing these commands, one can effectively identify the users currently accessing the system, their originating IP addresses, and the specific activities they are engaged in. For instance, the w command provides a real-time view of active users, while the last command, when paired with specific filters, reveals the ongoing SSH sessions.

By employing a strategic combination of these commands, an administrator can gain comprehensive insights into the active SSH connections, ensuring that the server operates securely and efficiently, and that resources are allocated optimally for various processes and user activities. Thus, mastering these commands is essential for maintaining a robust, secure, and well-monitored server environment.

 

Further Reading

Linux Man Pages:

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

6 thoughts on “List All Active SSH connections in Linux [8 Methods]”

Leave a Comment