SSH is a popular and effective protocol that allows you to log in and manage remote hosts from your local machine. This guide walks you through various commands you can use to check for active SSH connections on the remote host.
Note: depending on the system configuration, some of the commands we are going to discuss may require you to have root or sudo privileges.
1. Using the WHO Command
The first command you can use to show active SSH connections is the who command.
The who command is used to show who is currently logged in to the system. It allows us to view the connected users and the source IP addresses.
To use the who command, simply enter who without any parameters.
In the above output, you can see one debian user connected via tty and two SSH sessions from a remote IP address.
You can also add parameters to the who command to show detailed information.
For example, to show the time of the last system boot together with each logged-in user's idle time and process ID, add the -b and -u flags:
who -b -u
The who command offers more options to get customized results. Check out the manual page to learn more.
2. Using the W Command
The next command you can use to show the status of various SSH sessions and users connected to the server is the w command. Unlike the who command, the w command gives you more information about the running processes for each user.
Additionally, the w command will give you information about idle SSH connections, which is very helpful when you need to terminate them.
If you run the command without any other options, you should get an output similar to the one below.
In the above example, the w command gives detailed information, such as the username, TTY method, source IP address, time of login, idle time and more.
Like the who command, you can also use the w command with various parameters. The table below shows the various parameters you can use with the w command.
Parameter | What it does |
---|---|
-h, --no-header | Informs the terminal not to print the header |
-u, --no-current | Prompts the terminal to ignore the username as it displays connected users’ processes and CPU time |
-s, --short | Tells the terminal to print a shortened output, excluding login time, JCPU and PCPU |
-f, --from | Enables/disables the FROM option of the print output |
--help | Displays the various w command options/parameters and exits |
-V, --version | Displays information about the version and exits |
user | Narrows down the results to the specified user |
The example below shows the w command used with the -s and -f parameters to show an abridged output of the current SSH sessions with the FROM part truncated.
Although rarely used, you can also use the w command with environmental and file parameters. To learn more about these parameters, consult the man pages.
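As an added example (not from the original article), the following shell function reads w -h output and lists remote sessions that have been idle for at least a given number of seconds. It assumes the FROM column is shown and the procps IDLE formats (3.00s, 14:30 for minutes:seconds, 1:12m for hours:minutes, 2days); the sample rows and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list remote logins from `w -h` that have been idle too long.
# Assumed column layout (FROM shown): USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

# Constructed sample rows, not captured output.
sample_w() {
cat <<'EOF'
debian   tty1     -                09:02    2days  0.05s  0.05s -bash
alice    pts/0    198.51.100.7     10:15    3.00s  0.10s  0.01s w -h
bob      pts/1    203.0.113.45     08:40    1:12m  0.02s  0.02s -bash
carol    pts/2    203.0.113.45     10:01   14:30   0.04s  0.04s vim notes
EOF
}

# idle_sessions [SECONDS]: read `w -h` lines on stdin and print
# "user tty from idle_seconds" for remote sessions idle >= SECONDS.
idle_sessions() {
    awk -v limit="${1:-900}" '
        # Convert the IDLE field to seconds (assumed procps formats).
        function secs(t,   p) {
            if (t ~ /^[0-9]+days$/) return (t + 0) * 86400
            if (t ~ /^[0-9]+:[0-9]+m$/) {            # hours:minutes
                split(t, p, ":"); return p[1] * 3600 + (p[2] + 0) * 60
            }
            if (t ~ /^[0-9]+:[0-9]+$/) {             # minutes:seconds
                split(t, p, ":"); return p[1] * 60 + p[2]
            }
            if (t ~ /^[0-9.]+s$/) return int(t + 0)  # seconds.hundredths
            return 0                                  # unknown format
        }
        # Local console rows show "-" in FROM; keep only rows with a source.
        $3 != "-" && secs($5) >= (limit + 0) { print $1, $2, $3, secs($5) }
    '
}

# Live use: w -h | idle_sessions 1800
sample_w | idle_sessions 600
```
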
3. Using the Last Command
You can also use the last command to show all connected SSH sessions. The last command shows the list of last logged-in users.
It works by reading a designated file. For example, “/var/log/wtmp” records all the users who have logged in and out since the file’s creation. The command also gives you information about the created SSH sessions between the client and server.
The general syntax for the last command is:
last
Here’s an example.
Since the output from the last command is massive, we can use the grep command to show the active sessions only.
For example:
last | grep still
You can also modify the output from the last command to show detailed information.
For example, to show the full usernames and domains, we can use the -w flag.
last -w
The last command supports numerous options. Here are the most commonly used options for the last command.
Parameter | What it does |
---|---|
-a, --hostlast | Displays the hostname in the last column |
-d, --dns | Linux stores the hostname and IP address of all remote hosts. This parameter turns the IP into a hostname |
-f, --file | Informs the last command to use a designated file other than /var/log/wtmp |
-F, --fulltimes | Prompts last to print all login and logout dates and times |
-i, --ip | Similar to --dns, except instead of showing the host’s hostname, it shows the IP number |
4. Using the netstat Command
We cannot forget about the netstat command. Netstat is used to show all network connections, network interfaces, routing tables and more.
You can also use the netstat command to filter for established or connected SSH sessions on your Linux server:
netstat | grep ssh
The above command shows only the established SSH connections.
To show all connections, including listening and non-listening, we can use the -a flag:
netstat -a | grep ssh
5. Using the ss Command
If you want to learn more information about the connected SSH sessions, you can use the ss command, which shows socket data, making it similar to netstat.
For example, we can grep the output from the ss command with the -a option (all) to show all connected SSH sessions. The syntax for that is:
ss -a | grep ssh
The output above displays all the SSH connections on the remote host. This will include the SSHD daemon.
To filter for the established SSH connections, you can pipe the output back to grep.
ss -a | grep ssh | grep ESTAB
The commands above will only return the active SSH connections.
The ss command also has tons of other options you can use to learn various things about active server connections. For example, you can use the -e flag to show more about the socket information.
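An added example, not from the original article: grepping ss output for the string ssh matches the service name, so it also catches outbound connections to other hosts' SSH ports and finds nothing for an sshd on a non-default port. The function below parses numeric ss -Htn output, keeps only established connections whose local port is the SSH port, and counts them per client IP; the sample lines (documentation-range addresses) and function names are constructed.

```shell
#!/bin/sh
# Added example: count established inbound SSH connections per client IP.
# Input layout is that of `ss -Htn` (no header, TCP, numeric):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Constructed sample lines, not captured output.
sample_ss() {
cat <<'EOF'
ESTAB      0      0      192.0.2.10:22         198.51.100.7:51234
ESTAB      0      36     192.0.2.10:22         198.51.100.7:51310
ESTAB      0      0      192.0.2.10:22         203.0.113.45:40022
ESTAB      0      0      192.0.2.10:443        203.0.113.99:55000
ESTAB      0      0      192.0.2.10:48712      203.0.113.5:22
TIME-WAIT  0      0      192.0.2.10:22         203.0.113.77:41000
ESTAB      0      0      [2001:db8::10]:22     [2001:db8::beef]:50100
EOF
}

# ssh_peers [PORT]: read ss lines on stdin, print "<count> <client-ip>",
# busiest client first. PORT is the port sshd listens on (default 22).
ssh_peers() {
    awk -v port="${1:-22}" '
        $1 == "ESTAB" {
            laddr = $4; peer = $5
            # The port is whatever follows the last colon (works for IPv6).
            lport = laddr; sub(/.*:/, "", lport)
            # Skip other services and outbound connections (peer port 22).
            if (lport != port) next
            sub(/:[0-9]+$/, "", peer)      # drop the client source port
            sub(/^\[/, "", peer)           # drop IPv6 brackets
            sub(/\]$/, "", peer)
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Live use: ss -Htn | ssh_peers 22
sample_ss | ssh_peers 22
```
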
Wrapping Up
It is good practice to keep monitoring your remote hosts for unauthorized SSH logins and take necessary actions, such as securing your server or disabling password authentication. Meanwhile, you can also use reverse SSH tunneling to allow external connection to your PC.