Check Your Linux SSH Log To Stop Hackers

Silent Attacks

Your web server may be ticking over nicely and everything looks fine and dandy. However, unbeknownst to you your server could be under constant attack by hackers! How can you find out if this is happening? One of the first things to check is your SSH log.

What Is SSH?

SSH (secure shell) is a network protocol that allows Linux users to log into their shell accounts remotely over a secure connection that cannot be viewed by any third-parties that may be snooping.

SSH is used by Linux system administrators to connect to web servers. Logging in as the “root” user via SSH gives you complete control of the system and is a hacker’s ultimate goal.

SSH uses the standard TCP port 22 by default. Due to this it is possible for anyone (i.e. hackers) to connect to a web server via SSH on port 22 and try to gain access. Popular methods of attack are brute force and dictionary attacks. the chances are that this is happening to your web server without your knowledge.

Check If You Are Under Attack

Fortunately Linux systems log SSH activity so it’s possible to check back through your SSH logs and see if anyone is trying to login to your system.

Locations of SSH Logs

On Redhat systems the logs are stored at /var/log/secure and on other Linux flavours you should check /var/log/auth.log

How To View SSH Logs

You can view your SSH log in a couple of different ways. Firstly you can download the log via SFTP. (SFTP is secure FTP and is possible if you connect via SSH.)

However, the log can be large and you may not want to view all of it. The second option is to log in via SSH and use the Linux tail command to display the last x number of lines. When you’re logged in via SSH use the following command to view your SSH log:

tail /var/log/auth.log -n 100

That will display the last 100 lines of the SSH log on a non-Redhat system. Change the path to the log and the number of lines to display to suit your particular setup.

The log contains more than just SSH logins, so you’ll need to look through and identify any failed attempts to login via SSH. Failed attempts should show the username that the hacker tried and their IP address.

Hopefully there won’t be many hacking attempts, but if you’ve never investigated this issue before you might be surprised to learn how many people are trying to break into your system!

Prevent Hacking Attempts

The good news is that you can take proactive steps to prevent hackers gaining access to your system.

The first things that you can do is to take the SSH service off port 22 and put it on another random free port. That way if a hacker tries to attack you on port 22 he will get nowhere, and he has no idea which other ports to try!

Secondly you can use the DenyHosts tool. This will periodically access your SSH log and add a firewall rule blocking anyone trying to access your system via SSH who has multiple failed attempts logged.

Conclusion

There may be hackers trying to gain access to your server without your knowledge. However, you can track their attempts and take action to severely limit the chances of an unauthorised user gaining access to your system.

9 Comments

  1. Nayeem

    Hello, I was wondering if you could offer some additional help & advice or even possibly help me out. Daily I receive around 100+ “returned email” notices in my inbox claiming that I’m sending emails out to a variety of email addresses (all of which are unknown to me). I believe that there might be some php script or some other form of email attack on my server. I checked the logs as stated above and there seems to be constant activity. I’d like your opinion on how to stop the current attack and more importantly what can I do to prevent future attacks from occurring.

    Thanks!

  2. Barnaby Knowles

    Hi Nayeem,

    If your server is sending spam it’s unlikely to be related to the SSH attacks that these logs will show. They just show who is trying to login to your server via SSH.

    As you mentioned, there may be a compromised PHP script or some other exploit that a spammer is taking advantage of. Have a look at your mail log for further information and to try and trace the source.

    It’s also entirely possible that a spammer is using your email address as the “Return-Path”, which will then route any bounced emails to you.

    Regards,

    Barnaby

  3. Jay

    Good day guys,

    Can someone let me know how to track the FTP Logins on server?

    Like using WINSCP. That doesn’t show on the logs. What place I can go and check the logs of last FTP Users.

    Thanks and regards,

    Jay

  4. Christian Kim

    Hi,
    Im sure that my server is being attackeed using SSH, I know the attackers IP, but how can I block it?

  5. Jay, the exact log file to look for depends on your FTP server, but most log files are in /var/log.

  6. robpbyw

    Good advice.

    You could also try

    grep user /var/log/auth.log
  7. Justin Nahin

    Use fail2ban to protect SSH
    https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

    Also, disable root user login, you will have to log in under a different account name, then type in the command “su -” to go into root. Every server has a “root” username so hackers are hitting servers and trying a bazillion passwords.

    Also, I took it one step further and only allow SSH-key authentication instead of passwords.

  8. Justin Nahin

    I like the grep method that robpbyw mentioned…

    I changed up the search query to this instead…

    grep "session opened for" /var/log/auth.log

Leave a Reply

Your email address will not be published. Required fields are marked *