Brute-force attacks and unauthorized logins against internet-facing servers are a constant background noise, so knowing who accesses our servers has become an essential practice. The SSH (Secure Shell) protocol, although designed to be secure, is exposed on almost every Linux server and therefore remains one of the most common attack vectors against them.
The Problem: SSH Access Visibility
System administrators frequently face critical questions: who is connecting to my server? From which locations? Are there suspicious access attempts? Without the proper tools, these questions may remain unanswered until it’s too late.
“Security that cannot be measured cannot be improved” is a fundamental principle in modern system administration. Therefore, implementing an effective SSH connection monitoring system is not just a best practice, but an imperative necessity.
Setting Up Monitoring: Beyond the Standard Port
Although SSH traditionally operates on port 22, many administrators move it to another port as a basic hardening step. This cuts the noise from automated scanners but does not stop a targeted attacker, and the monitoring principles remain the same regardless of the port used.
Opening the Port with iptables
For our practical example we use the standard port 22, but the same commands apply to any custom port:
# For standard SSH port (22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# For any custom port (example: 65432)
sudo iptables -A INPUT -p tcp --dport 65432 -j ACCEPT
Important notes: -A appends the rule, so on a host whose INPUT chain already ends in a DROP or REJECT rule the new rule sits after it and never matches; check the order with iptables -L INPUT -n --line-numbers and use -I to insert at the top where needed. Rules added this way are not persistent across reboots unless saved with your distribution's mechanism (iptables-persistent, or the nftables equivalent). A LOG rule (-m conntrack --ctstate NEW -j LOG, placed before the ACCEPT) additionally records every new connection to the port in the kernel log, which complements sshd's own log. If your server uses a custom SSH port, simply replace "22" with your port in all the following commands.
Real-Time Monitoring Techniques
1. System Log Analysis
The /var/log/auth.log file on Ubuntu/Debian systems (or /var/log/secure on CentOS/RHEL) is the primary record of SSH authentication events:
# Review recent sshd log lines
sudo grep "sshd" /var/log/auth.log | tail -20
# Filter only successful logins (any authentication method)
sudo grep -E "Accepted (password|publickey|keyboard-interactive)" /var/log/auth.log | tail -10
# Identify failed attempts: wrong passwords, unknown usernames, and clients that
# dropped the connection during authentication (typical of failed public-key attempts)
sudo grep -E "Failed password|Invalid user|authenticating user.*\[preauth\]" /var/log/auth.log | tail -15
A common mistake is to grep these lines for "port 22": at the default LogLevel INFO the "port N" in an Accepted or Failed line is the client's source port, not the port sshd listens on, so such a filter selects nothing useful. With LogLevel VERBOSE (see the configuration section below) sshd additionally logs a "Connection from <client> port <n> on <server> port 22" line per connection, which is the line to filter on when a host runs sshd on several ports.
2. Active Connection Monitoring
To get a real-time view of who is connected, filter on the server-side port only. A bare grep for ":22" also matches ports such as 2200 and any client port that happens to contain "22":
# View established SSH sessions on port 22
sudo ss -tnp state established '( sport = :22 )'
# netstat, on older systems without ss
sudo netstat -tnpa | grep -E ":22 .*ESTABLISHED"
# Show currently logged-in users and where they connected from
w
who
3. Statistical Connection Analysis
One of the most revealing techniques is statistical analysis of connection attempts:
# Count sshd log lines per IP address. This counts every sshd line that mentions an
# address (accepted logins and disconnects included), so it ranks noise, not failures;
# replace "sshd" with "Failed password" to rank failed attempts only.
sudo grep "sshd" /var/log/auth.log | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr | head -10
# View today's sshd events by hour. Traditional syslog pads the day with a space
# ("Sep  5"), so the date format must be %e, not %d, or nothing matches on days 1-9.
sudo grep "^$(date '+%b %e')" /var/log/auth.log | grep "sshd" | awk '{print $3}' | cut -d: -f1 | sort | uniq -c
On systems where rsyslog writes RFC 3339 timestamps (2024-09-05T08:02:40...), the date prefix and the awk field position differ; adjust the filter to the format your log actually uses.
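The one-liners above are fast, but counting every IP in every sshd line blurs accepted logins, disconnects and failures into a single "attempts" number. The following script is an added example (not code from the original article) that classifies each sshd line into an event type first and only then aggregates per source address. The log excerpt embedded in it is constructed sample data; the script assumes the traditional syslog line format of auth.log and the message format of OpenSSH 7.x and later, where every authentication line carries the user and "port N".

```shell
#!/bin/sh
# ssh_auth_stats.sh - classify sshd authentication events and summarise them per IP.
# Added example for this article, not code from the original text.
# Assumption: traditional syslog format ("Mon  D HH:MM:SS host sshd[pid]: ...") and
# OpenSSH 7.x+ message wording. For real use, replace sample_log with "cat /var/log/auth.log".

# sample_log: CONSTRUCTED auth.log excerpt used as offline input (not real data).
sample_log() {
  cat <<'EOF'
Sep  5 08:01:12 web1 sshd[2101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:examplefingerprint
Sep  5 08:02:40 web1 sshd[2110]: Invalid user admin from 198.51.100.9 port 40122
Sep  5 08:02:42 web1 sshd[2110]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Sep  5 08:02:45 web1 sshd[2110]: Connection closed by invalid user admin 198.51.100.9 port 40122 [preauth]
Sep  5 08:03:01 web1 sshd[2115]: Failed password for root from 198.51.100.9 port 40130 ssh2
Sep  5 08:03:05 web1 sshd[2115]: Failed password for root from 198.51.100.9 port 40130 ssh2
Sep  5 08:05:30 web1 sshd[2120]: Connection closed by authenticating user bob 203.0.113.7 port 52000 [preauth]
Sep  5 08:06:00 web1 sshd[2121]: Accepted password for bob from 203.0.113.7 port 52010 ssh2
Sep  5 08:06:00 web1 sshd[2121]: pam_unix(sshd:session): session opened for user bob(uid=1001) by (uid=0)
Sep  5 08:09:50 web1 sshd[2130]: Connection closed by 192.0.2.77 port 60000 [preauth]
Sep  5 08:10:11 web1 sshd[2131]: Disconnected from authenticating user root 198.51.100.9 port 40200 [preauth]
EOF
}

# classify_events: stdin = auth.log lines; stdout = "<event> <user> <ip>" per authentication
# event. Field positions are taken relative to the "sshd[pid]:" token, so the same code
# works when the log uses one RFC 3339 timestamp field instead of three syslog fields.
classify_events() {
  awk '
    {
      s = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) { s = i; break }
      if (s == 0) next
      if ($(s+1) == "Accepted") {
        print "accepted", $(s+4), $(s+6)
      } else if ($(s+1) == "Failed" && $(s+2) == "password" && $(s+4) == "invalid") {
        print "failed_password", $(s+6), $(s+8)
      } else if ($(s+1) == "Failed" && $(s+2) == "password") {
        print "failed_password", $(s+4), $(s+6)
      } else if ($(s+1) == "Invalid" && $(s+2) == "user") {
        print "invalid_user", $(s+3), $(s+5)
      } else if ($NF == "[preauth]" && $(NF-2) == "port") {
        # "... authenticating user U IP port N [preauth]" or "... by IP port N [preauth]"
        print "preauth_close", ($(NF-5) == "user" ? $(NF-4) : "-"), $(NF-3)
      }
    }'
}

# per_ip_summary: stdin = classified events; stdout = "ip accepted failed invalid preauth",
# most failed passwords first. An accepted login or a disconnect no longer counts as an attempt.
per_ip_summary() {
  awk '{
      ip = $3; seen[ip] = 1
      if ($1 == "accepted") a[ip]++
      else if ($1 == "failed_password") f[ip]++
      else if ($1 == "invalid_user") u[ip]++
      else if ($1 == "preauth_close") p[ip]++
    }
    END { for (ip in seen) printf "%s %d %d %d %d\n", ip, a[ip]+0, f[ip]+0, u[ip]+0, p[ip]+0 }' \
  | sort -k3,3nr -k1,1
}

# failed_attempts_for IP: failed passwords plus unknown-user probes from IP in the sample
failed_attempts_for() {
  sample_log | classify_events \
  | awk -v ip="$1" '$3 == ip && ($1 == "failed_password" || $1 == "invalid_user") { n++ } END { print n + 0 }'
}

# accepted_logins_for IP: successful logins from IP in the sample
accepted_logins_for() {
  sample_log | classify_events | awk -v ip="$1" '$3 == ip && $1 == "accepted" { n++ } END { print n + 0 }'
}

# event_count: number of authentication events recognised in the sample (pam lines are not events)
event_count() { sample_log | classify_events | awk 'END { print NR }'; }

# top_offender: the address with the most failed passwords
top_offender() { sample_log | classify_events | per_ip_summary | awk 'NR == 1 { print $1 }'; }

# Report for the embedded sample
sample_log | classify_events | per_ip_summary
```

Run stand-alone, the script prints one summary row per address for the sample; 198.51.100.9 shows three failed passwords, one unknown-user probe and two pre-authentication disconnects, while the two legitimate addresses show one accepted login each. The classification step is what makes the "top attacker" list meaningful: a frequently used jump host that logs in successfully fifty times a day would otherwise top it.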
Advanced Monitoring Tools
Automated Monitoring Script
For administrators requiring regular reports, here's a complete script (run it as root, for example from cron, since the log is not world-readable):
#!/bin/bash
# ssh_monitor.sh - SSH connection report
LOG=/var/log/auth.log   # /var/log/secure on RHEL-family systems
echo "=== SSH SECURITY REPORT - $(date) ==="
echo
echo "1. ACTIVE CONNECTIONS:"
# match the server-side port only; without a state filter ss prints the State column as $1
ss -tnp '( sport = :22 )' | awk '$1 == "ESTAB" {print " - From:", $5, "to:", $4}'
echo
echo "2. LATEST SUCCESSFUL CONNECTIONS:"
grep "Accepted" "$LOG" | tail -5 | sed 's/^/ - /'
echo
echo "3. TOP 5 IPS BY FAILED PASSWORD ATTEMPTS:"
grep "Failed password" "$LOG" | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr | head -5 | while read -r count ip; do
    echo " - $ip: $count failed attempts"
    # Optional: network ownership (whois performs a live lookup per address and is slow on long lists)
    whois "$ip" | grep -iE "^(country|netname):" | head -2 | sed 's/^/     /'
done
Continuous Monitoring with journalctl
For systems using systemd, journalctl reads the same sshd messages from the journal. The service is ssh.service on Debian/Ubuntu and sshd.service on RHEL-family systems; filtering by syslog identifier with -t sshd works on both:
# Follow SSH logs in real time (use -u sshd on RHEL-family systems, or -t sshd anywhere)
sudo journalctl -u ssh -f
# View SSH logs from the last 24 hours
sudo journalctl -u ssh --since "24 hours ago"
# Filter by specific events
sudo journalctl -u ssh --since "1 hour ago" | grep -E "Failed|Accepted|Invalid user"
Threat Detection and Suspicious Patterns
Indicators of Compromise
Administrators should watch for these patterns:
- Multiple failed attempts from the same IP, especially spread across many usernames
- Connections from unusual geographical locations or networks
- Connection attempts outside business hours
- Use of common usernames (admin, root, test) that do not exist on the host, logged as "Invalid user"
- A successful login from an address that previously produced many failures
Alert Automation
#!/bin/bash
# Detect brute-force attempts: IPs with more than THRESHOLD failed passwords in the
# current clock hour. Note that "Sep  5 08:" matches 08:00-08:59, not a sliding
# 60-minute window, so an attack running 07:50-08:10 is split across two runs.
THRESHOLD=10
LOGFILE="/var/log/auth.log"
# %e pads the day with a space as syslog does ("Sep  5"); %d would produce "Sep 05" and match nothing
grep "^$(date '+%b %e %H:')" "$LOGFILE" | grep "Failed password" | \
awk '{print $(NF-3)}' | sort | uniq -c | \
while read -r count ip; do
    if [ "$count" -gt "$THRESHOLD" ]; then
        echo "ALERT: $ip has $count failed password attempts this hour"
        # Here you could send an email or Slack notification
    fi
done
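The hour-bucket script above has two weaknesses worth fixing in a real alert: it only sees the current clock hour, so an attacker who started at 07:55 is invisible at 08:05, and its date prefix must reproduce syslog's space padding exactly. The script below is an added example (not from the original article) that counts failed events in a true sliding window of N seconds before a given "now" and matches the day numerically, so "5" and "05" both work. The log lines in it are constructed sample data, and it assumes traditional syslog timestamps and OpenSSH 7.x+ message wording; a window that crosses midnight is a known limitation of the same-day arithmetic.

```shell
#!/bin/sh
# ssh_bruteforce_window.sh - sliding-window failed-login detection over auth.log lines.
# Added example for this article, not code from the original text.
# Assumptions: traditional syslog timestamps ("Mon  D HH:MM:SS") and OpenSSH 7.x+ messages.

# sample_log: CONSTRUCTED auth.log excerpt (not real data), in chronological order
sample_log() {
  cat <<'EOF'
Sep  4 08:25:00 web1 sshd[1500]: Failed password for root from 192.0.2.44 port 33000 ssh2
Sep  5 07:10:00 web1 sshd[1900]: Failed password for root from 198.51.100.9 port 40001 ssh2
Sep  5 07:55:00 web1 sshd[1950]: Failed password for root from 198.51.100.9 port 40010 ssh2
Sep  5 08:02:40 web1 sshd[2110]: Invalid user admin from 198.51.100.9 port 40122
Sep  5 08:02:42 web1 sshd[2110]: Failed password for invalid user admin from 198.51.100.9 port 40122 ssh2
Sep  5 08:03:05 web1 sshd[2115]: Failed password for root from 198.51.100.9 port 40130 ssh2
Sep  5 08:06:00 web1 sshd[2121]: Accepted password for bob from 203.0.113.7 port 52010 ssh2
Sep  5 08:20:00 web1 sshd[2140]: Failed password for bob from 203.0.113.7 port 52100 ssh2
EOF
}

# failed_in_window THRESHOLD WINDOW_SECS NOW_HHMMSS MONTH DAY
#   stdin: auth.log lines. Prints "ip count" for every source address with at least
#   THRESHOLD failed-authentication events ("Failed ..." or "Invalid user") dated
#   MONTH/DAY and timestamped within WINDOW_SECS before NOW_HHMMSS. Events in a
#   previous clock hour but inside the window are included.
failed_in_window() {
  awk -v thr="$1" -v win="$2" -v now="$3" -v mon="$4" -v day="$5" '
    function tosecs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # The IP is the field after "from". This also covers "Failed publickey ... ssh2: TYPE FP"
    # lines (LogLevel VERBOSE), where counting from the end of the line would be wrong.
    function ip_after_from(  i) { for (i = 6; i < NF; i++) if ($i == "from") return $(i+1); return "" }
    BEGIN { nowsec = tosecs(now) }
    $5 !~ /^sshd\[/ || $1 != mon || $2 + 0 != day + 0 { next }
    {
      age = nowsec - tosecs($3)
      if (age < 0 || age > win) next
      if ($6 == "Failed" || ($6 == "Invalid" && $7 == "user")) {
        ip = ip_after_from()
        if (ip != "") n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] >= thr) printf "%s %d\n", ip, n[ip] }' \
  | sort -k2,2nr -k1,1
}

# failed_this_clock_hour MONTH DAY HH: the hour-bucket count from the article, for comparison.
# Only "Failed password" lines stamped HH:xx:xx count, so the 07:55 attempt is invisible.
failed_this_clock_hour() {
  awk -v mon="$1" -v day="$2" -v hh="$3" '
    $1 == mon && $2 + 0 == day + 0 && substr($3, 1, 2) == hh && $6 == "Failed" && $7 == "password" { n[$(NF-3)]++ }
    END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Sample run: "now" is 08:30:00 on Sep 5, alert at 3 or more failures in the last 3600 s
alerts_last_hour() { sample_log | failed_in_window 3 3600 08:30:00 Sep 5; }
# Same data through the hour-bucket method
hour_bucket_counts() { sample_log | failed_this_clock_hour Sep 5 08; }

# Real use (live clock, 10 failures in the last hour):
#   cat /var/log/auth.log | failed_in_window 10 3600 "$(date +%H:%M:%S)" "$(date +%b)" "$(date +%d)"
alerts_last_hour
```

On the sample, the sliding window attributes four failures to 198.51.100.9 (07:55, the "Invalid user" probe, and two failed passwords), crossing the threshold, whereas the clock-hour bucket sees only the two "Failed password" lines stamped 08:xx and would stay silent. The 07:10 attempt is correctly aged out, and the Sep 4 line is excluded by date even though its time of day falls inside the window.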
Universal Applicability: Beyond Port 22
These monitoring methods apply unchanged to any SSH configuration:
- Custom port (e.g., 2222): replace :22 with :2222 in the ss and netstat commands
- Multiple SSH ports: apply the socket filter to each port individually
- Load balancer or NAT configurations: adapt the log filters to your setup, and remember that sshd logs the address it receives the connection from, which behind a load balancer is the balancer's address rather than the client's
Example for Custom Port
# For SSH on port 2222
sudo ss -tnp state established '( sport = :2222 )'
# auth.log only names the server port in the "Connection from ... on ... port 2222" line
# written at LogLevel VERBOSE; the "port N" in Accepted/Failed lines is the client's port
sudo grep "on .* port 2222" /var/log/auth.log
Best Practices and Recommendations
Advanced Logging Configuration
For more detailed monitoring, raise sshd's log level:
# In /etc/ssh/sshd_config
LogLevel VERBOSE
# VERBOSE adds a "Connection from <client> port <n> on <server> port 22" line per
# connection and, for public-key logins, which authorized_keys file and line matched
Validate the file with sshd -t before reloading the service. Do not go beyond VERBOSE in production: the DEBUG levels log material that the sshd_config manual page itself warns violates users' privacy.
Integration with Monitoring Tools
Collected data can be easily integrated with:
- Elastic Stack (ELK) for advanced visualization
- Prometheus + Grafana for real-time metrics
- Splunk for enterprise analysis
- Nagios/Zabbix for automatic alerts
Performance and Storage Considerations
Intensive monitoring, and LogLevel VERBOSE in particular, generates large volumes of logs. Implement a rotation strategy. On Debian/Ubuntu, /var/log/auth.log is already covered by a stanza in /etc/logrotate.d/rsyslog; adjust that stanza rather than adding a second one for the same file in another config, which logrotate rejects as a duplicate entry:
# Edit the existing auth.log stanza in /etc/logrotate.d/rsyslog (Debian/Ubuntu)
sudo nano /etc/logrotate.d/rsyslog
# Example configuration: 30 daily, compressed files
/var/log/auth.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    postrotate
        systemctl reload rsyslog
    endscript
}
Test the result with logrotate -d /etc/logrotate.d/rsyslog, which performs a dry run. Thirty days is enough for day-to-day monitoring but often too short for an incident investigation or a compliance retention requirement; shipping the log to a central store (see the next section) covers that without keeping months of files on the host.
Conclusion: Proactive vs. Reactive Security
Effective SSH connection monitoring is the difference between a reactive and a proactive security posture. The tools and techniques presented in this article let administrators maintain visibility over system access, regardless of the port used.
Implementing these monitoring methods not only improves security posture but also provides valuable data for compliance audits and forensic analysis in case of incidents.
Important reminder: these techniques apply to any SSH port, simply by adjusting the port numbers in the presented commands. Security should not rely on changing the port, but on continuous and effective monitoring.
Make these monitoring techniques part of your overall security strategy for Linux systems, and revisit them as your SSH configuration changes.
