[Linux] Checking the ssh access log


Writing time : 2016-03-01 01:53:03


Check the log of successful ssh connections


Check whether the log of successful connections contains an IP address that you have not used.

# last  
root     pts/0        1.230.182.xxx    Fri Feb 26 01:01 - 02:04  (01:03)  
root     pts/1        1.242.47.xxx     Thu Feb 25 03:35 - 04:02  (00:26)  
root     pts/0        1.230.182.xxx    Thu Feb 25 01:34 - 04:00  (02:26)  
root     pts/0        1.242.51.xxx     Tue Feb 16 21:05 - 02:41  (05:36)  
root     pts/0        1.242.51.xxx     Mon Feb 15 23:22 - 02:51  (03:28)  

Check the ssh connection failure log

# last -f /var/log/btmp  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:51 - 04:51  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:51  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
root     ssh:notty    183.3.202.102    Mon Feb  1 04:50 - 04:50  (00:00)  
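
The two checks above can be scripted. The following is an added example, not part of the original post: it counts entries per source address in `last` output and lists successful-login addresses that are missing from an allowlist. The function names, the allowlist file, and the sample lines (documentation address ranges) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises the output of
# `last` and `last -f /var/log/btmp`. Run last with -i so the third
# column is always a numeric address rather than a hostname.

# Third column must look like an IPv4/IPv6 address; this skips console
# logins, "reboot" lines and the "btmp begins ..." trailer.
ADDR_RE='^[0-9A-Fa-f:.]*[.:][0-9A-Fa-f:.]*$'

# Entries per source address, highest count first.
count_by_source() {
    awk -v re="$ADDR_RE" '$3 ~ re { n[$3]++ }
        END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Addresses on stdin that are missing from the allowlist file $1
# (one address per line; the file is an assumption of this example).
unknown_sources() {
    awk -v re="$ADDR_RE" '
        FILENAME == ARGV[1] { ok[$1] = 1; next }
        $3 ~ re && !($3 in ok) && !seen[$3]++ { print $3 }' "$1" -
}

# Constructed sample data using documentation address ranges.
sample_btmp() {
    cat <<'EOF'
root     ssh:notty    203.0.113.7      Mon Feb  1 04:51 - 04:51  (00:00)
root     ssh:notty    203.0.113.7      Mon Feb  1 04:50 - 04:51  (00:00)
admin    ssh:notty    198.51.100.23    Mon Feb  1 04:50 - 04:50  (00:00)
root     ssh:notty    203.0.113.7      Mon Feb  1 04:50 - 04:50  (00:00)

btmp begins Mon Feb  1 04:50:11 2016
EOF
}

sample_wtmp() {
    cat <<'EOF'
root     pts/0        192.0.2.10       Fri Feb 26 01:01 - 02:04  (01:03)
root     pts/1        198.51.100.23    Thu Feb 25 03:35 - 04:02  (00:26)
root     tty1                          Wed Feb 24 09:00 - 09:05  (00:05)
reboot   system boot  3.10.0-327.el7   Wed Feb 24 08:59 - 02:04 (1+17:05)
EOF
}

sample_btmp | count_by_source
```

On a real host, pipe `last -i -f /var/log/btmp` into `count_by_source`, and `last -i` into `unknown_sources` with a file listing the addresses you normally connect from.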

The log shows that, even though this was a server still under development, Chinese hackers were making a lot of attack attempts against it.

Such random attacks can be prevented to some extent by changing the ssh port.

See the article linked below on changing the ssh port:
Change port to prevent ssh hacking
