How to Check Active SSH Connections on Linux Server - Complete Guide

Last updated: 2025-11-17

Are you wondering how to check active SSH connections on your Linux server? Need to monitor remote access and detect unauthorized connections automatically? This comprehensive guide shows you multiple methods to check active SSH connections, monitor connection patterns, detect suspicious activity, and maintain security compliance on your Linux server.

Why Monitoring SSH Connections Matters

Monitoring active SSH connections on your Linux server is critical for security, compliance, and access management. Unauthorized SSH connections can indicate security breaches, compromised accounts, or brute force attacks. Regular SSH connection monitoring helps detect suspicious access patterns, maintain audit trails, investigate security incidents, and ensure compliance with security policies.

Method 1: Check SSH Connections with ss Command

The ss command is the modern replacement for netstat and provides detailed information about network connections, including SSH.

Show Active SSH Connections

To see active SSH connections:

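# Show active SSH connections
ss -o state established '( dport = :22 or sport = :22 )'

# Show SSH connections with process information
# (root is needed to see processes owned by other users; the port filter avoids matching :2222 or :22345)
sudo ss -tnp '( dport = :22 or sport = :22 )'

# Show all SSH-related connections
sudo ss -tnp | grep sshd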

Show Connection Details

To see detailed connection information:

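# Show connections with timers
ss -o state established '( dport = :22 or sport = :22 )'

# Show connections with process IDs (root is needed to see processes owned by other users)
sudo ss -tnp '( dport = :22 or sport = :22 )'

# Count active SSH connections (-H drops the header line so it is not counted)
ss -H -o state established '( dport = :22 or sport = :22 )' | wc -l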

Method 2: Check SSH Connections with netstat

The netstat command is available on most Linux systems (it ships in the net-tools package, which some newer distributions no longer install by default) and can show SSH connection information.

Show Active SSH Connections

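# Show active SSH connections (\b keeps ports such as :2222 or :22345 from matching)
netstat -an | grep -E ':22\b' | grep ESTABLISHED

# Show SSH connections with process information (root is needed to see processes owned by other users)
sudo netstat -tnp | grep -E ':22\b'

# Count active SSH connections
netstat -an | grep -E ':22\b' | grep -c ESTABLISHED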

Show Who Is Logged In

# Show currently logged in users
who

# Show detailed login information
w

# Show last login information
last

Method 3: Automated SSH Connection Monitoring with Zuzia.app

Manually checking SSH connections works for occasional audits, but for production servers, you need automated monitoring that alerts you immediately when suspicious connections occur. Zuzia.app provides comprehensive SSH connection monitoring through scheduled command execution.

Setting Up Automated SSH Monitoring

  1. Add Scheduled Task in Zuzia.app Dashboard

    • Navigate to your server in Zuzia.app
    • Click "Add Scheduled Task"
    • Choose "Command Execution" as the task type
  2. Configure SSH Connection Check Command

    • Enter command: ss -o state established '( dport = :22 or sport = :22 )'
    • Set execution frequency: Every 30 minutes to 1 hour
    • Configure alert conditions: Alert when unexpected connections appear
    • Set up filtering for specific IP addresses or users
  3. Set Up Notifications

    • Choose notification channels (email, webhook, Slack, etc.)
    • Configure alert thresholds (e.g., alert if new connections detected)
    • Set up escalation rules for suspicious connections

Monitor Connection Patterns

Track SSH connection patterns over time:

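# Save current SSH connections
# (-H, no -o, sorted: the header, changing timer values and row order would otherwise show up in every diff)
snapshot=/tmp/ssh-connections-$(date +%Y%m%d-%H%M%S).txt
ss -Htn state established '( dport = :22 or sport = :22 )' | sort > "$snapshot"

# Compare with previous snapshot (an earlier snapshot kept as ssh-connections-old.txt)
diff /tmp/ssh-connections-old.txt "$snapshot"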

Zuzia.app stores all command outputs in its database, allowing you to track SSH connection patterns over time and identify suspicious access patterns.
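
As an added example (not part of the original guide or of Zuzia.app), the script below turns the snapshot comparison into a check that reports only SSH client addresses missing from a baseline file. The function names, the baseline format (one address per line) and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list SSH client IPs that are missing from a baseline file.
# Live input: ss -Htn state established '( sport = :22 )'   (inbound sessions only)

# stdin: ss lines without -o/-p, so the peer "addr:port" is the last field.
ssh_peers() {
  awk 'NF {
    peer = $NF
    sub(/:[0-9]+$/, "", peer)     # strip the port; also safe for IPv6
    gsub(/^\[|\]$/, "", peer)     # [2001:db8::beef] -> 2001:db8::beef
    sub(/^::ffff:/, "", peer)     # IPv4-mapped IPv6 -> plain IPv4
    print peer
  }' | sort -u
}

# new_peers BASELINE: stdin as above; prints peers not listed in BASELINE.
# A missing or empty baseline means every peer is reported.
new_peers() {
  [ -s "$1" ] || { ssh_peers; return; }
  ssh_peers | grep -vxFf "$1" || true
}

# Constructed sample (documentation address ranges), not captured output.
sample_ss_output() {
  cat <<'EOF'
0      0      192.0.2.10:22          198.51.100.7:51514
0      36     192.0.2.10:22          198.51.100.7:51990
0      0      192.0.2.10:22          203.0.113.45:40022
0      0      [2001:db8::10]:22      [2001:db8::beef]:60122
0      0      [::ffff:192.0.2.10]:22 [::ffff:198.51.100.9]:2222
EOF
}

baseline=$(mktemp)                # hypothetical baseline of known admin hosts
printf '%s\n' 198.51.100.7 2001:db8::beef > "$baseline"
echo "Peers not in baseline:"
sample_ss_output | new_peers "$baseline"
rm -f "$baseline"
```

For a real baseline, keep the file in a root-owned directory rather than /tmp so that other local users cannot edit the list of expected addresses.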

Method 4: Advanced SSH Connection Monitoring Techniques

Track Connections by IP Address

To identify connection sources:

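# Show connections grouped by IP (inbound sessions to the local sshd; the sed strips the port and keeps IPv6 addresses intact)
ss -Htn 'sport = :22' | awk '{print $5}' | sed -E 's/:[0-9]+$//' | sort | uniq -c | sort -rn

# Show connections from specific IP (-F treats the dots literally)
sudo ss -tnp 'sport = :22' | grep -F "192.168.1.100"

# Count connections per IP
ss -Htn 'sport = :22' | awk '{print $5}' | sed -E 's/:[0-9]+$//' | sort | uniq -c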

Monitor Failed Connection Attempts

To detect brute force attacks:

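# Check failed SSH attempts (Debian/Ubuntu path; RHEL-family systems log to /var/log/secure)
sudo grep "Failed password" /var/log/auth.log | tail -20

# Count failed attempts by IP
# ($(NF-3) is the address in both the "for USER from" and the "for invalid user USER from" forms)
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn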
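
As an added example (not from the original guide), the script below counts failed password attempts per source address and lists the sources at or above a threshold. The function names, the threshold and the constructed log lines are assumptions; the parsing handles "invalid user" entries, rsyslog's "message repeated N times" lines, and user names that themselves contain the word "from".

```sh
#!/bin/sh
# Added example: failed SSH password attempts per source IP, with a threshold.

# stdin: auth.log lines; stdout: "<count> <ip>", highest count first.
failed_by_ip() {
  awk '/sshd/ && /Failed password for/ {
    n = 1
    # rsyslog collapses duplicates: "message repeated 3 times: [ Failed ...]"
    if (match($0, /message repeated [0-9]+ times/)) {
      split(substr($0, RSTART, RLENGTH), w, " "); n = w[3] + 0
    }
    # The user name is chosen by the client, so take the address after the
    # LAST "from" instead of trusting a fixed field number.
    for (i = NF; i > 1; i--) if ($(i-1) == "from") { count[$i] += n; break }
  }
  END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

# flag_sources THRESHOLD: prints the IPs with at least THRESHOLD failures.
flag_sources() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample lines (documentation address ranges), not a real log.
sample_auth_log() {
  cat <<'EOF'
Nov 17 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.45 port 40022 ssh2
Nov 17 10:00:03 web1 sshd[1001]: message repeated 3 times: [ Failed password for root from 203.0.113.45 port 40022 ssh2]
Nov 17 10:00:09 web1 sshd[1002]: Failed password for invalid user admin from 203.0.113.45 port 40030 ssh2
Nov 17 10:01:00 web1 sshd[1003]: Failed password for invalid user x from 192.0.2.1 port 1 from 198.51.100.9 port 51000 ssh2
Nov 17 10:02:00 web1 sshd[1004]: Accepted password for deploy from 198.51.100.7 port 51514 ssh2
EOF
}

echo "Sources with 5 or more failed attempts:"
sample_auth_log | flag_sources 5
```

On a live system, pipe `sudo cat /var/log/auth.log` into `flag_sources` in place of the sample function.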

Real-World Use Cases for SSH Connection Monitoring

Security Audit

For security audits:

# Generate SSH connection report
ss -o state established '( dport = :22 or sport = :22 )' > ssh-audit-$(date +%Y%m%d).txt

# Check for root logins (match the user column only, not any line containing "root")
who | awk '$1 == "root"'

# Check connection history
last | grep ssh

Incident Investigation

When investigating security incidents:

# Check active connections during incident (root is needed to see processes owned by other users)
sudo ss -tnp '( dport = :22 or sport = :22 )'

# Check connection history
last | head -20

# Check failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -50

Best Practices for SSH Connection Monitoring

1. Monitor SSH Connections Regularly

Check SSH connections every 30 minutes to 1 hour. More frequent checks may be needed for high-security environments. Use Zuzia.app automated monitoring to check connections continuously without manual intervention.

2. Monitor Failed Login Attempts

Failed login attempts can indicate brute force attacks. Monitor failed attempts and alert when thresholds are exceeded.

3. Track Connection Patterns

Monitor connection patterns over time to identify unusual activity. Alert on connections from unusual IP addresses or unusual times.

4. Monitor Root Logins

Root logins should be monitored closely. Alert on all root logins and verify they are authorized.

5. Maintain Audit Trails

Keep SSH connection logs for compliance and investigation purposes. Use Zuzia.app to store connection history in its database.

Troubleshooting Common SSH Connection Issues

Too Many Connections

If there are too many SSH connections:

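# Identify connection sources (the sed strips the port and keeps IPv6 addresses intact)
ss -Htn 'sport = :22' | awk '{print $5}' | sed -E 's/:[0-9]+$//' | sort | uniq -c | sort -rn

# Check for connection abuse (-H drops the header line so it is not counted)
ss -Htn 'sport = :22' | wc -l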

# Review connection logs
sudo tail -100 /var/log/auth.log

Unauthorized Connections

If unauthorized connections are detected:

# Check active connections (root is needed to see processes owned by other users)
sudo ss -tnp '( dport = :22 or sport = :22 )'

# Check who is logged in
who

# Review connection history
last | head -20

FAQ: Common Questions About Checking SSH Connections

How often should I check SSH connections?

We recommend checking SSH connections every 30 minutes to 1 hour. More frequent checks may be needed for high-security environments. Use Zuzia.app automated monitoring to check connections continuously without manual intervention.

What if unexpected connections are detected?

You'll receive notifications when SSH connections are detected through Zuzia.app. You can then verify whether connections are authorized or indicate a security concern. Check connection details, verify with users, and take appropriate security actions if unauthorized connections are confirmed.

Can I see connection details?

Yes, the ss command shows connection details including source IP addresses, connection states, and process information, which can help identify the source of connections. Use ss -tnp | grep :22 for detailed information.

How do I detect unauthorized SSH connections?

Set up automated monitoring in Zuzia.app that compares current connections with expected patterns. Alert on connections from unusual IP addresses, unusual times, or for users who shouldn't have access. Monitor failed login attempts as they can indicate brute force attacks.

Can I track SSH connection patterns over time?

Yes, use Zuzia.app to store SSH connection data in its database. This allows you to track connection patterns over time, identify trends, and detect anomalies. Compare current connections with historical patterns to identify unusual activity.

How can I monitor SSH connections across multiple servers?

Zuzia.app allows you to add multiple servers and monitor SSH connections across all of them simultaneously. Each server executes commands independently, and all results are stored in Zuzia.app's database for centralized monitoring and analysis.

Does Zuzia.app use AI to analyze SSH connection patterns?

Yes, if you have Zuzia.app's full package, AI analysis is enabled. The AI can detect patterns in SSH connection activity, identify suspicious access patterns, predict potential security threats, and suggest security improvements based on historical SSH connection data and machine learning algorithms.
