Is there a log for sshd where I can see who has used ssh to access my PC?

Question

I am running the OpenSSH daemon (sshd) on CrunchBang Linux, and I want to see a history of who (i.e. IP address) has logged in using SSH.

score 2 · Answer 1 · answered Jul 12 '14 at 00:15

2

As CrunchBang is a debian variant, the openssh server logs would be in:

/var/log/auth.log

answered Jul 12 '14 at 00:15

beginer

2,708

score 2 · Answer 2 · answered Jul 12 '14 at 00:16

Look in /var/log/auth.log for lines of the form:

Jul  6 06:25:57 hostname sshd[10135]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.y.z  user=root
Jul  6 06:25:59 hotname sshd[10135]: Failed password for root from 50.30.34.7 port 5673 ssh2

(failed attempts) and:

Jul 12 12:12:43 hostname sshd[29412]: Accepted publickey for username from 1.2.3.4 9 port 32986 ssh2
Jul 12 12:12:43 hostname sshd[29412]: pam_unix(sshd:session): session opened for user username by (uid=0)

(successful logins).

score 1 · Answer 3 · answered Jul 12 '14 at 00:18

sshd logs are typically stored in /var/log/auth.log

sshd logs to the AUTHPRIV syslog facility by default. As long as rsyslog is configured to send those messages to /var/log/auth.log you'll be in business.

Uncomment the following in /etc/rsyslog.d/50-default.conf

auth,authpriv.*                  /var/log/auth.log

Restart rsyslog for the changes to take effect

sudo service rsyslog restart

Login to the machine via SSH and check that the logs are being written

Is there a log for sshd where I can see who has used ssh to access my PC?

3 Answers3