In today’s online world, having a safe and dependable way to connect to other computers is very important. SSH, or Secure Shell, is like a secure door that allows administrators to safely manage and watch over servers from different locations. It’s a key tool for keeping networks safe. One major part of keeping servers secure is regularly checking who is connected to them. By keeping track of active SSH connections, administrators can see who is accessing the system, what they are doing, and how long they have been connected. This helps in quickly spotting any unusual or unwanted activity, making sure that the server runs smoothly and securely.
Methods to list all active SSH connections
- Using the netstat command: This command helps show all active network connections, making it easier to see who is connected through SSH.
- Using the ss command: This tool helps to get more detailed information about the network connections, including SSH.
- Utilizing the lsof command: This command lists all open files and network connections, including those made using SSH.
- Employing the who command: A simple command that shows who is currently logged into the system.
- Exploring the ps command: This command shows details about the currently running processes, including SSH connections.
- Using the pgrep command: This command, with the -a option, can also be used to display the full command lines of processes, allowing you to see SSH sessions.
- Deploying the w command: This command gives a quick look at who is logged in and what they are doing, including those connected through SSH.
- Using the last command: This command shows the login history, allowing you to see who is currently logged in through SSH.
Pre-requisite
Before diving into the various methods of listing active SSH connections, it is crucial to identify the specific port number that the SSH service is using. SSH typically operates on port 22, but it might be configured to use a different port, enhancing security through obscurity. Knowing the exact port and the service name ensures accurate monitoring and management of SSH sessions.
You can use sshd -T, which prints the effective configuration, including the port number used:
# sshd -T | grep -i port
port 22
So now we can use this port number to get the list of active SSH connections.
1. Using netstat command
The netstat command is a powerful utility available in the toolbox of most Unix-like operating systems. It provides a variety of details such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
When dealing with SSH sessions, netstat can help you identify who's currently connected to your SSH server. Here’s how you can utilize the netstat command to achieve this:
netstat -tan | grep ':22'
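This command will display all active connections on port 22, the default SSH port, both incoming and outgoing. If your SSH server uses a different port, grep for that port instead. To grep for 'sshd', add the -p option to netstat (run as root) so that the process name is included in the output.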
To filter out only the connected SSH sessions you can grep for ESTABLISHED:
netstat -tan | grep ':22' | grep 'ESTABLISHED'
Sample Output:
tcp        0      0 100.73.169.37:22        10.143.92.122:56984     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63776     ESTABLISHED
tcp        0     84 100.73.169.37:22        10.143.94.192:63765     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63779     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63778     ESTABLISHED
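The grep ':22' filter above also matches outgoing SSH connections and any port that merely starts with 22 (2222, 22345). The following is an added example, not part of the original article: it compares the local port exactly and counts inbound sessions per client IP. The function names and the extra sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Summarise inbound SSH sessions per client IP from `netstat -tan` output.
# Unlike grep ':22', the port is compared exactly and only the local side
# is checked, so outbound sessions and ports like 2222 or 22345 are ignored.

inbound_ssh_peers() {
    # $1 = SSH port (default 22); netstat -tan lines are read from stdin.
    awk -v port="${1:-22}" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            local_port = $4; sub(/.*:/, "", local_port)   # text after last ":"
            if (local_port != port) next
            peer = $5; sub(/:[0-9]+$/, "", peer)           # strip peer port
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input: addresses from the article's sample output, plus
# three ESTABLISHED lines that grep ':22' | grep ESTABLISHED would wrongly keep.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 100.73.169.37:22        10.143.92.122:56984     ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63776     ESTABLISHED
tcp        0     84 100.73.169.37:22        10.143.94.192:63765     ESTABLISHED
tcp        0      0 100.73.169.37:41822     10.143.90.10:22         ESTABLISHED
tcp        0      0 100.73.169.37:2222      10.143.90.11:50000      ESTABLISHED
tcp        0      0 100.73.169.37:443       10.143.90.12:22345      ESTABLISHED
tcp        0      0 100.73.169.37:22        10.143.94.192:63779     TIME_WAIT
EOF
}

# Live use: netstat -tan | inbound_ssh_peers 22
sample_netstat | inbound_ssh_peers 22
```

A client IP with an unexpectedly high session count, or one you do not recognise, is the first thing to check against the w and last output described later.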
2. Using ss command
The ss (socket statistics) command is a versatile command-line utility used to dump socket statistics; it displays information in a manner similar to netstat. It allows you to investigate sockets and helps in identifying network connections, providing detailed insights into how systems are interacting over a network, SSH sessions included.
To display all active SSH connections on port 22:
ss -tn state established '( dport = :22 or sport = :22 )'
Sample Output:
Recv-Q  Send-Q  Local Address:Port   Peer Address:Port     Process
0       0       100.73.169.37:22     10.143.92.122:56984
0       0       100.73.169.37:22     10.143.94.192:63776
0       100     100.73.169.37:22     10.143.94.192:63765
0       0       100.73.169.37:22     10.143.94.192:63779
0       0       100.73.169.37:22     10.143.94.192:63778
To view extended information on all connected SSH sessions:
ss -tnp state established '( dport = :22 or sport = :22 )'
Sample Output:
Recv-Q  Send-Q  Local Address:Port   Peer Address:Port     Process
0       0       100.73.169.37:22     10.143.92.122:56984   users:(("sshd",pid=2147471,fd=5),("sshd",pid=2147467,fd=5))
0       0       100.73.169.37:22     10.143.94.192:63776   users:(("sshd",pid=2147848,fd=5),("sshd",pid=2147842,fd=5))
0       100     100.73.169.37:22     10.143.94.192:63765   users:(("sshd",pid=2147817,fd=5),("sshd",pid=2147813,fd=5))
0       0       100.73.169.37:22     10.143.94.192:63779   users:(("sshd",pid=2147898,fd=5),("sshd",pid=2147870,fd=5))
0       0       100.73.169.37:22     10.143.94.192:63778   users:(("sshd",pid=2147874,fd=5),("sshd",pid=2147844,fd=5))
3. Using lsof Command
The lsof command in Linux serves as a tool to list open files and their corresponding network connections. Since everything in Linux is treated as a file, network connections included, lsof becomes a powerful command when it comes to identifying active SSH connections, among other things.
Displaying All Network Connections Associated with SSH
This command will show all active network connections on port 22, the default port for SSH.
sudo lsof -i :22
Sample Output:
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1335 root    3u  IPv4  14304      0t0  TCP *:ssh (LISTEN)
sshd    1335 root    4u  IPv6  14306      0t0  TCP *:ssh (LISTEN)
sshd    4424 root    3u  IPv4  51266      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64308 (ESTABLISHED)
sshd    4469 root    3u  IPv4  51365      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64355 (ESTABLISHED)
sshd    4488 root    3u  IPv4  51400      0t0  TCP cnb-dont-delete:ssh->10.143.94.192:64357 (ESTABLISHED)
Displaying SSH Daemon's Open Files and Connections
Here, the command lists all open files associated with processes containing the name "sshd," which includes network connections made by the SSH daemon.
sudo lsof -c sshd
Narrowing Down to TCP Connections on the SSH Port
By specifying tcp, this example narrows down the results to show only TCP connections on the SSH port.
sudo lsof -i tcp:22
Combining with grep for Specific Results
sudo lsof -i :22 | grep ESTABLISHED
4. Using the who Command
The who command in Linux is a straightforward tool that displays information about users who are currently logged in. It includes users who are connected via SSH, making it a simple yet effective way to identify active SSH connections.
Running the command who on its own in the terminal will display a list of logged-in users, including those connected through SSH.
who
Output:
root     pts/0        2023-10-15 05:19 (10.143.92.122)
root     pts/1        2023-10-15 06:47 (10.143.94.192)
root     pts/2        2023-10-15 06:48 (10.143.94.192)
root     pts/3        2023-10-15 06:48 (10.143.94.192)
root     pts/5        2023-10-15 06:48 (10.143.94.192)
root     pts/8        2023-10-15 07:01 (10.143.92.122)
5. Using the ps Command
The ps (process status) command in Linux is a powerful tool used primarily to display information about current processes running in the system. It can also be utilized effectively to glean information about active SSH connections by identifying SSH-related processes.
ps aux | grep sshd
Sample Output:
root        1335  0.0  0.0 112924  4340 ?        Ss   Oct13   0:00 /usr/sbin/sshd -D
root        4424  0.0  0.0 158928  5588 ?        Ss   12:38   0:00 sshd: root@pts/0
root        4469  0.0  0.0 158928  5580 ?        Ss   12:39   0:00 sshd: root@pts/1
root        4488  0.0  0.0 158928  5580 ?        Ss   12:39   0:00 sshd: root@pts/2
root        4536  0.0  0.0 112812   980 pts/0    R+   12:42   0:00 grep --color=auto sshd
But this also matches other sshd processes that do not relate to connected sessions (the listening daemon and the grep itself), so let's add some additional pattern matching to list only connected SSH sessions:
ps aux | grep 'sshd:' | grep pts | grep -v grep
Sample Output:
root     2147471  0.0  0.0 172880  5584 ?        S    05:19   0:00 sshd: root@pts/0
root     2147817  0.0  0.0 163860  6252 ?        S    06:47   0:00 sshd: root@pts/1
root     2147848  0.0  0.0 163756  5712 ?        S    06:48   0:00 sshd: root@pts/2
root     2147874  0.0  0.0 163756  5700 ?        S    06:48   0:00 sshd: root@pts/3
root     2147898  0.0  0.0 163756  5600 ?        S    06:48   0:00 sshd: root@pts/5
root     2148160  0.0  0.0 172880  5680 ?        S    07:15   0:00 sshd: root@pts/8
6. Using pgrep command
The pgrep command is a versatile tool that you can use to find active SSH sessions. It’s primarily used to look up processes based on their names and other attributes. When we use pgrep in the context of SSH sessions, we aim to find the processes associated with SSH connections.
Here’s how you can use pgrep to find active SSH sessions and filter the results further to get precise information:
pgrep -a sshd | grep pts | awk '{print $1, $NF}'
Sample Output:
2147471 root@pts/0
2147817 root@pts/1
2147848 root@pts/2
2147874 root@pts/3
2147898 root@pts/5
2148160 root@pts/8
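The PIDs printed by ss -tnp and the user@tty names printed by pgrep -a sshd refer to the same sshd processes, so the two outputs can be joined to show which client address owns which terminal. This is an added example, not part of the original article; the function names and the saved-to-file approach are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Join `ss -tnp` (peer address -> sshd PIDs) with `pgrep -a sshd`
# (PID -> user@tty) to show which client address owns which terminal.

map_peers_to_ttys() {
    # $1 = file with `ss -tnp state established` output
    # $2 = file with `pgrep -a sshd` output
    awk '
        NR == FNR {                       # first file read: pgrep -a sshd
            if ($NF ~ /@pts\//) tty[$1] = $NF
            next
        }
        /"sshd"/ {                        # second file read: ss -tnp rows
            peer = $4; rest = $0
            # Walk every pid=N on the row; one of them is the session process.
            while (match(rest, /pid=[0-9]+/)) {
                pid = substr(rest, RSTART + 4, RLENGTH - 4)
                if (pid in tty) print peer, tty[pid]
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    ' "$2" "$1" | sort -k2,2
}

demo_map() {
    # Constructed sample input, based on the article's sample outputs.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ss.txt" <<'EOF'
Recv-Q Send-Q Local Address:Port Peer Address:Port Process
0 0 100.73.169.37:22 10.143.92.122:56984 users:(("sshd",pid=2147471,fd=5),("sshd",pid=2147467,fd=5))
0 0 100.73.169.37:22 10.143.94.192:63776 users:(("sshd",pid=2147848,fd=5),("sshd",pid=2147842,fd=5))
0 100 100.73.169.37:22 10.143.94.192:63765 users:(("sshd",pid=2147817,fd=5),("sshd",pid=2147813,fd=5))
EOF
    cat > "$tmp/pgrep.txt" <<'EOF'
1335 /usr/sbin/sshd -D
2147467 sshd: root [priv]
2147471 sshd: root@pts/0
2147817 sshd: root@pts/1
2147848 sshd: root@pts/2
EOF
    map_peers_to_ttys "$tmp/ss.txt" "$tmp/pgrep.txt"
    rm -rf "$tmp"
}

# Live use (as root): save both command outputs to files, then pass the paths.
demo_map
```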
7. Using w command
The w command in Linux is a potent utility that displays information about the users currently on the machine and their ongoing processes. It’s particularly valuable for administrators who wish to monitor SSH sessions, among other user activities.
w
Sample Output:
 07:25:05 up 97 days,  1:00,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.143.92.122    05:19    2:05m  0.01s  0.00s bash
root     pts/1    10.143.94.192    06:47    1.00s  0.05s  0.00s w
root     pts/2    10.143.94.192    06:48   19:45   0.00s  0.00s -bash
root     pts/3    10.143.94.192    06:48   36:50   0.00s  0.00s -bash
root     pts/5    10.143.94.192    06:48   36:49   0.00s  0.00s -bash
root     pts/8    10.143.95.112    07:15    9.00s  0.02s  0.02s -bash
The output of the w command contains several columns including the user name, terminal, remote host, login time, idle time, JCPU, PCPU, and the command currently being executed. Users logged in through SSH will have their remote host displayed, allowing you to identify SSH sessions.
If you want to view the details of a specific user, you can use w username. This will filter the output to show information relevant only to the specified username.
w root
Sample Output:
 07:26:40 up 97 days,  1:02,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.143.92.122    05:19    2:07m  0.01s  0.00s bash
root     pts/1    10.143.94.192    06:47    0.00s  0.05s  0.00s w root
root     pts/2    10.143.94.192    06:48   21:20   0.00s  0.00s -bash
root     pts/3    10.143.94.192    06:48   38:25   0.00s  0.00s -bash
root     pts/5    10.143.94.192    06:48   38:24   0.00s  0.00s -bash
root     pts/8    10.143.95.112    07:15    1:44   0.02s  0.02s -bash
8. Using last command
The last command in Linux is a powerful tool for reviewing user login history, including SSH logins. Here’s a guide to using the last command effectively, particularly focusing on identifying active SSH sessions:
Executing the last command alone will display a comprehensive login history, showing all user logins including SSH sessions. You can couple the last command with grep 'still logged in' to specifically filter and display the users who are currently active. For SSH sessions, look for entries associated with remote hosts.
last | grep 'still logged in'
Sample Output:
root     pts/8        10.143.95.112    Sun Oct 15 07:15   still logged in
root     pts/5        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/3        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/2        10.143.94.192    Sun Oct 15 06:48   still logged in
root     pts/1        10.143.94.192    Sun Oct 15 06:47   still logged in
root     pts/0        10.143.92.122    Sun Oct 15 05:19   still logged in
The output includes columns such as the username, terminal type (e.g., pts/0 for SSH sessions), IP address or hostname, date, and duration, which are instrumental in analyzing the SSH activity.
Frequently Asked Questions
How can I list all active SSH connections on my Linux server?
You can use commands like ps, netstat, ss, and w to list active SSH connections. Each command provides a different format of output and a level of detail regarding the connections.
What is the easiest command to show active SSH sessions?
The w command is quite straightforward and displays who is currently logged in and what they are doing, including users connected via SSH.
How do I identify the IP addresses of connected SSH clients?
You can use the netstat command, which will show the IP addresses and the connection status, among other details.
Can I see the usernames of the connected SSH sessions?
Yes, commands like w and who will display usernames along with the terminal, IP, and other details.
How can I see the command line activity of active SSH sessions?
The ps command paired with specific options and filters can show the commands being executed in the SSH sessions.
Is there a way to see how long the SSH sessions have been active?
Yes, the w command can show the idle time and how long the users have been connected.
Can I check the history of SSH connections?
The last command can be used to check the history of SSH logins and logouts, providing a list of sessions.
Is it possible to monitor SSH connections in real-time?
Yes, it's possible to monitor SSH connections in real-time. You can use a combination of commands to filter out SSH sessions and refresh the output periodically. You can combine the netstat, ss, lsof, ps, and who commands with watch to monitor the active SSH connections. For example:
watch "ss -o state established '( dport = :ssh or sport = :ssh )'"
How do I filter the active SSH connections from all network connections?
Commands like netstat or ss can be used in conjunction with grep to filter out SSH-specific connections using port number or service name.
Summary
Monitoring active SSH connections on a Linux server is crucial for ensuring system security and optimal performance. Various commands and methods, such as w, last, ps, pgrep, and lsof, facilitate the administrator in tracking and managing connected SSH sessions. Utilizing these commands, one can effectively identify the users currently accessing the system, their originating IP addresses, and the specific activities they are engaged in. For instance, the w command provides a real-time view of active users, while the last command, when paired with specific filters, reveals the ongoing SSH sessions.
By employing a strategic combination of these commands, an administrator can gain comprehensive insights into the active SSH connections, ensuring that the server operates securely and efficiently, and that resources are allocated optimally for various processes and user activities. Thus, mastering these commands is essential for maintaining a robust, secure, and well-monitored server environment.
Further Reading
Linux Man Pages:
Also lsof -i tcp | grep ssh
Using echo command:
echo $SSH_CONNECTION
It doesn’t seem to show in my distro RHEL/CentOS, in which distro do you use this?
This approach worked for me on the following distributions:
1. Ubuntu 16.04 and Ubuntu 18.04.
2. Red Hat Enterprise Linux 8.2
Thank you for sharing this information
Thank God help us with our code