Home

Published

- 3 min read

Methods to Retrieve SSH User IP Addresses on Linux

IP Tracking Logs Server Server Logs Security Linux SSH Security Networking sysadmin
img of Methods to Retrieve SSH User IP Addresses on Linux

Retrieving SSH User IP Addresses on Linux

Monitoring SSH connections is crucial for maintaining server security. In this guide, we will explore multiple methods to retrieve SSH user IP addresses on a Linux system using various command-line tools. Whether you’re troubleshooting connection issues or auditing security logs, these techniques will help you identify user IPs efficiently.

1. Using the last Command

The last command reads from the system’s /var/log/wtmp file and shows a history of logins, including SSH sessions.

Example Usage

   last -i | grep ssh

Explanation: The -i flag displays the IP addresses along with the usernames. Filtering with grep ssh ensures you see only SSH related logins.

The last command might display older records depending on your log rotation settings.

2. Using the who Command

The who command displays who is currently logged in to the system, including the remote IP addresses for SSH sessions.

Example Usage

   who -u

Explanation: The -u flag adds extra details such as idle time and the originating IP address of each session.

3. Reviewing Authentication Logs

Authentication logs provide a detailed record of SSH login attempts, including both failed and successful connections. Depending on your Linux distribution, these logs might be stored in different locations.

Example Locations

  • Debian/Ubuntu: /var/log/auth.log
  • CentOS/RHEL: /var/log/secure

Example Usage

   grep "sshd" /var/log/auth.log

Explanation: This command filters log entries related to the SSH daemon (sshd). Look for lines indicating “Accepted” or “Failed” to determine which IP addresses attempted to log in.

4. Utilizing journalctl

For systems using systemd, journalctl is a powerful tool to query logs, including SSH events.

Example Usage

   journalctl -u sshd | grep "Accepted"

Explanation: The -u sshd flag specifies the SSH daemon’s service unit. Piping through grep "Accepted" filters for successful logins, which include the remote IP addresses.

5. Leveraging netstat and Similar Tools

netstat (and its modern alternative ss) can be used to inspect current network connections. This is useful for real-time monitoring of active SSH sessions.

Using netstat

   sudo apt install net-tools
   netstat -tnpa | grep 'ESTABLISHED.*sshd'

Explanation

  • -t: Displays TCP connections.
  • -n: Shows numerical addresses rather than resolving hostnames.
  • -p: Displays the PID and program name of the connection.
  • -a: Displays all connections.

Using ss

   ss -tnpa | grep 'ESTAB.*sshd'

Explanation: Similar to netstat, ss provides a quicker and more modern interface for inspecting socket statistics.

Best Practices for Enhanced Server Security

  • Regular Monitoring: Automate log monitoring with tools like fail2ban to block suspicious IP addresses.
  • Log Rotation: Configure log rotation policies to ensure logs are archived and maintained properly.
  • User Verification: Always verify the legitimacy of an IP address before taking any remedial action.
  • Update Tools: Keep your monitoring and logging tools updated to benefit from the latest security patches.

Conclusion

Retrieving SSH user IP addresses on Linux is an essential task for maintaining secure server environments. By combining the use of commands like last, who, journalctl, and network inspection tools such as netstat and ss, you can monitor and respond to unauthorized access attempts effectively. Regular log reviews and the implementation of security best practices will help safeguard your system against potential threats.

Happy securing!