Solved

How to identify SSH user interactive login?

Posted on 2016-08-03
Last Modified: 2016-08-12
Hi, on Windows we can check the event log for the login event, that is, login type 3 RDP interactive login session.

On Linux and Unix OSes, I need to detect SSH user interactive logins, where the user logs in from a laptop / PC, but not SSH sessions initiated by a script. The common one is the wtmp log; is there a way to identify them?

root     pts/1        1.1.1.1       Thu Aug  4 09:35 - 14:45  (05:09)

Question by:Julio Jose
15 Comments
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 41741047
Did you try the who command? Does it show what you're after?
0
 
LVL 4

Expert Comment

by:Steven Roman
ID: 41741362
Hello

You can also run the following
w
who
wall (then ask them what they are doing and who they are)

Always create users and make them perform sudo or su for root access.

Hope this helps

Thanks
0
 

Author Comment

by:Julio Jose
ID: 41741558
I need to identify this user session from the log but not run any other command
0

 
LVL 4

Expert Comment

by:Steven Roman
ID: 41741561
Hello

Try to view the log below

tail /var/log/secure

Or you can try
tail /var/log/secure | grep root
0
 

Author Comment

by:Julio Jose
ID: 41741817
I can check the secure log for the root user, but how do I know if the root user logged in via a script or application? I only need to capture a user logging in from a laptop / PC SSH client interactive login.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 41741906
Which exact Linux version is this about? On Ubuntu for example, you have to look at /var/log/auth.log - lines with sshd in it.
0
 

Author Comment

by:Julio Jose
ID: 41741908
Interested in RHEL 4, 5, 6, Solaris and AIX
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 41741945
It is /var/log/secure on Red Hat - about the others: AIX should be in syslog, Solaris as well (but has to be configured in syslog.conf).
0
 

Author Comment

by:Julio Jose
ID: 41742488
I tried SFTP and SSH; both have the same log in "secure". I need to identify which one is actually a user login from the SSH client software.
0
 
LVL 38

Expert Comment

by:Gerwin Jansen, EE MVE
ID: 41742610
You are very unclear, first you talk about a script, now sftp. Both ssh and sftp use the same port (ssh). I do not understand what you want.
0
 

Author Comment

by:Julio Jose
ID: 41742651
Apologies, I want to check the existing log for real user logins with password using SSH client software
0
 
LVL 4

Expert Comment

by:Steven Roman
ID: 41742856
Hello,


I think with the answers posted that should get you what you need.

Or are you wanting to be alerted in some way when someone does log in to the server?
If so, you are looking for a script or crontab job. This will get more complex but can be done.

I have a script that sends me an email whenever someone logs in as root or su's in
0
 
LVL 21

Expert Comment

by:tfewster
ID: 41743451
If someone starts an interactive session via ssh (or, $DEITY forbid, telnet), whether using the password or an ssh key,  it's logged in wtmp (on AIX, HP-UX and Linux and I believe Solaris as well), and the `last` command will show that session.

If someone runs `ssh root@yourserver "command"`, it's logged in syslog but not wtmp. That's still a security issue - someone has direct root login and is using it, but it's harder to detect.

Setting PermitRootLogin = no in sshd_config solves the problem
0
 

Author Comment

by:Julio Jose
ID: 41746843
So we should check WTMP to identify the user SSH interactive session?
0
 
LVL 21

Accepted Solution

by:
tfewster earned 500 total points
ID: 41747971
Yes, if you're only interested in interactive sessions, `last` will show you the contents of wtmp.
0
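
The correlation described in the answers above, as an added example that is not part of the original thread: each "Accepted" sshd line from /var/log/secure is matched against the pty sessions `last` reads from wtmp, so logins with no wtmp session (remote commands, sftp) stand out. The log lines are constructed samples except the `last` line quoted in the question, and matching on user, source address and login minute is an assumption of this sketch.

```python
import re

# Constructed sample of sshd lines from /var/log/secure (not real data).
SECURE_LOG = """\
Aug  4 09:35:02 host sshd[2101]: Accepted password for root from 1.1.1.1 port 50514 ssh2
Aug  4 09:40:12 host sshd[2207]: Accepted publickey for root from 10.0.0.5 port 41022 ssh2
Aug  4 09:41:30 host sshd[2300]: Accepted password for julio from 1.1.1.1 port 50600 ssh2
Aug  4 09:41:30 host sshd[2300]: subsystem request for sftp
"""

# `last` output (wtmp): first line is from the question, second is constructed.
LAST_OUTPUT = """\
root     pts/1        1.1.1.1       Thu Aug  4 09:35 - 14:45  (05:09)
reboot   system boot  2.6.32        Thu Aug  4 08:00
"""

ACCEPTED = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d):\d\d \S+ sshd\[(\d+)\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+")
LAST_PTS = re.compile(
    r"^(\S+)\s+pts/\d+\s+(\S+)\s+\w{3} (\w{3})\s+(\d+) (\d\d:\d\d)")


def wtmp_sessions(last_text):
    """(user, host, month, day, HH:MM) for every pty session `last` lists."""
    found = (LAST_PTS.match(line) for line in last_text.splitlines())
    return {(m[1], m[2], m[3], int(m[4]), m[5]) for m in found if m}


def classify(secure_text, last_text):
    """Label each accepted sshd login by whether wtmp holds a matching session."""
    sessions = wtmp_sessions(last_text)
    results = []
    for line in secure_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # failures, pam lines, subsystem requests, other daemons
        mon, day, hhmm, pid, method, user, host = m.groups()
        # Assumption: sshd logs the accept and writes wtmp within the same minute.
        key = (user, host, mon, int(day), hhmm)
        kind = "interactive" if key in sessions else "non-interactive"
        results.append((user, host, method, pid, kind))
    return results


if __name__ == "__main__":
    for row in classify(SECURE_LOG, LAST_OUTPUT):
        print(*row)
```

On Linux, `last -i` keeps source addresses numeric so they compare cleanly with the addresses sshd logs.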
