When managing an Ubuntu server, it's crucial to monitor SSH access to ensure security and track user activity. This guide covers various methods to check SSH access history, providing explanations and use cases for each.

1. Checking Authentication Logs

Explanation

The primary log file for SSH access is /var/log/auth.log. This file contains entries for all authentication-related events, including SSH logins.

Use Cases

• Audit: Review who has accessed your server and when.
• Security: Detect unauthorized access attempts.
• Troubleshooting: Identify issues related to SSH login failures.

How to Check

To view the SSH access history, use the grep command to filter SSH-related entries:

sudo grep sshd /var/log/auth.log

This command searches for all lines containing sshd in the auth.log file.

2. Checking Login History

Explanation

The last command displays a list of all logins (including SSH logins) by reading from the /var/log/wtmp file.

Use Cases

• User Activity Monitoring: Track login sessions of users.
• Session Auditing: Verify user login and logout times.

How to Check

last

This command shows a detailed list of login sessions.

3. Checking Failed Login Attempts

Explanation

The lastb command is used to display failed login attempts, reading from the /var/log/btmp file.

Use Cases

• Security: Identify brute force attacks or unauthorized login attempts.
• Account Management: Help users troubleshoot login issues.

How to Check

sudo lastb

This command lists all failed login attempts.

4. Detailed Log Analysis

Explanation

For more granular analysis, tools like grep, awk, or sed can be used to filter and process logs. This allows you to pinpoint specific events or patterns.

Use Cases

• Security Audits: Find specific types of login attempts.
• Incident Response: Analyze logs after a security incident.

How to Check

Find Successful SSH Logins

sudo grep "Accepted" /var/log/auth.log

Find Failed SSH Login Attempts

sudo grep "Failed" /var/log/auth.log

Find SSH Logouts

sudo grep "session closed for user" /var/log/auth.log

5. Viewing Logs with Journalctl (for Systemd Systems)

Explanation

On systems using systemd, the journalctl command provides an efficient way to view logs, including SSH access logs.

Use Cases

• Centralized Logging: Aggregate and analyze logs managed by systemd.
• Advanced Filtering: Use powerful time-based filters to locate specific events.

How to Check

View Recent SSH Logs

sudo journalctl -u ssh

View SSH Logs Since Boot

sudo journalctl -u ssh --since "today"

View SSH Logs for a Specific Date Range

sudo journalctl -u ssh --since "2024-07-01" --until "2024-07-17" 

Summary

Monitoring SSH access history on Ubuntu is essential for maintaining security and managing user activity. Whether using simple commands like grep and last or more sophisticated tools like journalctl, these methods enable you to keep track of who is accessing your server, when, and how. By leveraging these techniques, you can ensure your server remains secure and efficiently manage user sessions.

By implementing these practices, you'll enhance your ability to monitor and secure SSH access on your Ubuntu servers, helping to safeguard your infrastructure against unauthorized access and potential security threats.