How to identify SSH user interactive login?

Hi, on Windows we can check the event log for the login event, that is, login type 3 RDP interactive login session.

On Linux and Unix OSes, I need to detect SSH user interactive logins where the user logs in from a laptop / PC, but not SSH sessions initiated by a script. The common one is the wtmp log; is there a way to identify this?

root     pts/1        1.1.1.1       Thu Aug  4 09:35 - 14:45  (05:09)


Julio Jose Asked:
Gerwin Jansen, EE MVE, Topic Advisor Commented:
Did you try the who command? Does it show what you're after?
Steven Roman Commented:
Hello

You can also run the following
w
who
wall (then ask them what they are doing and who they are)

Always create users and make them perform sudo or su for root access.

Hope this helps

Thanks
Julio Jose, Author Commented:
I need to identify this user session from the log, but not run any other command.
Steven Roman Commented:
Hello

Try to view the log below

tail /var/log/secure

Or you can try
tail /var/log/secure | grep root
Julio Jose, Author Commented:
I can check the secure log for the root user, but how do I know if the root user logged in via a script or application? I only need to capture when a user logs in from a laptop / PC SSH client (interactive login).
Gerwin Jansen, EE MVE, Topic Advisor Commented:
Which exact Linux version is this about? On Ubuntu for example, you have to look at /var/log/auth.log - lines with sshd in it.
Julio Jose, Author Commented:
Interested in RHEL 4, 5, 6, Solaris and AIX.
Gerwin Jansen, EE MVE, Topic Advisor Commented:
It is /var/log/secure on Red Hat - about the others: AIX should be in syslog, Solaris as well (but has to be configured in syslog.conf).
Julio Jose, Author Commented:
I tried SFTP and SSH; both have the same log in "secure". I need to identify which one is actually a user login from the SSH client software.
Gerwin Jansen, EE MVE, Topic Advisor Commented:
You are very unclear, first you talk about a script, now sftp. Both ssh and sftp use the same port (ssh). I do not understand what you want.
Julio Jose, Author Commented:
Apologies, I want to check the existing log for real user logins with a password using SSH client software.
Steven Roman Commented:
Hello,


I think with the answers posted that should get you what you need.

Or are you wanting to be alerted by some way when someone does login to the Server?
If so you are looking for a script or crontab job.  This will get more complex but can be done.

I have a script to send me an email whenever someone logs in as root or su's in.
tfewster Commented:
If someone starts an interactive session via ssh (or, $DEITY forbid, telnet), whether using the password or an ssh key, it's logged in wtmp (on AIX, HP-UX and Linux, and I believe Solaris as well), and the `last` command will show that session.

If someone runs `ssh root@yourserver "command"`, it's logged in syslog but not wtmp. That's still a security issue - someone has direct root login and is using it, but it's harder to detect.

Setting PermitRootLogin = no in sshd_config solves the problem.
Julio Jose, Author Commented:
So we should check WTMP to identify the user SSH interactive session?
tfewster Commented:
Yes, if you're only interested in interactive sessions, `last` will show you the contents of wtmp.
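
The correlation described in the answers above, as an added example that is not part of the original thread: each sshd "Accepted" line from /var/log/secure is matched against `last` output, and logins with no wtmp pty record are reported as non-interactive. The function names, the sample log lines (other than the address from the question), the `year` argument and the one-minute matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

# sshd "Accepted" line in /var/log/secure, and a pty session line from `last`.
ACCEPTED = re.compile(
    r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Accepted (\S+) for (\S+) from (\S+) port \d+")
LAST = re.compile(
    r"^(\S+)\s+(pts/\d+)\s+(\S+)\s+\w{3}\s+(\w{3})\s+(\d+)\s+(\d\d:\d\d)")

def _ts(mon, day, hhmm, year):
    return datetime.strptime(f"{year} {mon} {day} {hhmm}", "%Y %b %d %H:%M")

def classify(secure_lines, last_lines, year, slack=timedelta(minutes=1)):
    """Mark each accepted sshd login as interactive (wtmp pty record) or not.
    `year` is supplied by the caller (assumption): neither log records one."""
    sessions = []
    for line in last_lines:
        m = LAST.match(line)
        if m:
            user, _tty, host, mon, day, hhmm = m.groups()
            sessions.append((user, host, _ts(mon, day, hhmm, year)))
    results = []
    for line in secure_lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        mon, day, hhmm, method, user, host = m.groups()
        when = _ts(mon, day, hhmm, year)
        # Same user and host with a pty opened within `slack`: interactive.
        hit = next((s for s in sessions if s[0] == user and s[1] == host
                    and timedelta(0) <= s[2] - when <= slack), None)
        if hit:
            sessions.remove(hit)  # one wtmp record accounts for one login
        results.append({"user": user, "host": host, "method": method,
                        "interactive": hit is not None})
    return results

# Constructed sample data, not taken from a real system.
SECURE = [
    "Aug  4 09:35:12 srv1 sshd[2101]: Accepted password for root from 1.1.1.1 port 51234 ssh2",
    "Aug  4 10:02:40 srv1 sshd[2188]: Accepted publickey for root from 10.0.0.5 port 40022 ssh2",
    "Aug  4 10:15:03 srv1 sshd[2203]: Accepted password for alice from 1.1.1.1 port 51300 ssh2",
]
LAST_OUT = [
    "alice    pts/2        1.1.1.1       Thu Aug  4 10:15 - 10:20  (00:05)",
    "root     pts/1        1.1.1.1       Thu Aug  4 09:35 - 14:45  (05:09)",
]

print(classify(SECURE, LAST_OUT, 2016))
```

On Linux, feed it `last -i` output so the host column holds the numeric address that sshd logged. sftp and scp transfers allocate no pty, so they are reported as non-interactive along with remote command execution.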
