Wednesday, May 22, 7:03 am

How to check ssh logs

Written by Mel Kham on May 20, 2011. Posted in Frequently Asked Questions

Question : How to Check ssh logs?

Answer: For example if your box is hacked and you want to know who has did that

First check the last logged existing in /etc/password with command lastlogs

[root@unixmen-Fedora14 ~]# lastlog 
Username         Port     From             Latest
root             pts/1    wsp243101wss.bra Wed Mar  2 15:13:32 +0100 2011
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
smmsp                                      **Never logged in**
sshd                                       **Never logged in**
smolt                                      **Never logged in**
pulse                                      **Never logged in**
gdm                                        **Never logged in**
pirat9           pts/1    10.33.19.127     Fri Jan 28 17:58:32 +0100 2011
mysql                                      **Never logged in**

The second method is to check in the logs

In Fedora/Centos/RHEL check /var/log/secure

in Ubuntu/Ubunut based check /var/log/auth

you will see something like

May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 11: missing ":" separator

May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 12: missing ":" separator

May 12 14:58:50 unixmen-Fedora14 sshd[2776]: Connection closed by 127.0.0.1

May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 11: missing ":" separator

May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 12: missing ":" separator

May 12 15:01:21 unixmen-Fedora14 sshd[2869]: Accepted password for root from 10.61.10.131 port 60100 ssh2

May 12 15:01:21 unixmen-Fedora14 sshd[2869]: pam_unix(sshd:session): session opened for user root by (uid=0)

To clear the logs just remove the content of the files with :

cat /dev/null > /var/log/auth

cat /dev/null > /var/log/secure

{module user9-footer}

For questions please refer to our Q/A forum at : http://ask.unixmen.com

logs

openssh

security

ssh

0 Comment(s)

Mel Kham

Founder of Unixmen, Living in Amsterdam. Am working in my free time to help people to understand the Opensource and to explain them in easy way how to make the fist steps to the the light. Working day and night with my Co-founder Zinovsky to keep this website live even with less resources.

Like us on Facebook

This week Top Posts

Top Things to do After Installing Ubuntu 13.04 ‘Raring Ringtail’ : Ubuntu 13.04 Raring Ringtail final is almost out. The final release it scheduled for release on Apri...0 comment(s) | by M. Zinoune
Install lamp with 1 command in Ubuntu 12.10, 13.04 Raring Ringtail & LinuxMint13 : Updated: 10/09/2012 :LAMP (Linux, Apache, MySQL and PHP) is an open source Web development platform ...0 comment(s) | by Mel Kham
Howto: Upgrade to Ubuntu 13.04 Raring Ringtail from 12.04, 12,10 | Desktop & Server : Updated 05-04-2013: Ubuntu 13.04 Raring Ringtail will be released Soon, If you have ubuntu 12,10, 12...0 comment(s) | by M. Zinoune
Steganography- Hide Your Files Inside An Image in Linux : Nowadays, our personal computer is not only a work tool, it is also our private space where we sto...3 comment(s) | by Ambition
How to use Remote Desktop in Ubuntu : Sometimes, we need to access our computer from other locations when we’re not at home and such. This...0 comment(s) | by Mel Kham
Configure conky-Lua in Ubuntu (12.10 & 13.04 Raring Ringtail), Fedora, debian and LinuxMint | Howto Conky : Updated 05-04-2013: Conky is a free, light-weight system monitor for X, that displays any informatio...0 comment(s) | by M. Zinoune