Can someone please tell me where to find the SSHD log on RedHat and SELinux? I would like to view the log to see who is logging into my account.
Sheesh - if you have to ask "who is logging into my account", it's already game over. See [How do I deal with a compromised server](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). – EEAA Jan 10 '13 at 15:36
Given the fact that RHEL7 will use a different logging system, could you add a tag with the specific version you're using? – Cristian Ciupitu May 22 '14 at 14:14
6 Answers
Login records are usually in /var/log/secure. I don't think there is a log specific to the SSH daemon process, unless you've broken it out from other syslog messages.
If you're on Red Hat Enterprise Linux, Fedora, or a RHEL derivative like CentOS, then yes, this is a bad sign. Something is wrong. – John May 22 '14 at 11:31
I've read that fedora uses journalctl instead of `/var/log/secure`. With `journalctl _COMM=sshd` I could see all ssh activity and everything seems fine :D – marcio May 22 '14 at 13:37
In addition to @john's answer, some distributions are now using journalctl by default. If that's your case, you're probably able to see sshd activity through:
    journalctl _COMM=sshd
You will see output like this:
    Apr 15 02:28:17 m sshd[26284]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Apr 15 02:28:18 m sshd[26284]: Failed password for root from 127.0.0.1 port **** ssh2
    Apr 15 02:28:19 m sshd[26284]: Connection closed by 127.0.0.1 [preauth]
    Apr 15 02:28:25 m sshd[26296]: Accepted password for **** from 127.0.0.1 port **** ssh2
    Apr 15 02:28:25 m sshd[26296]: pam_unix(sshd:session): session opened for user **** by (uid=0)
    Apr 15 02:28:28 m sshd[26301]: Received disconnect from 127.0.0.1: 11: disconnected by user
    Apr 15 02:28:58 m sshd[26231]: Received signal 15; terminating.
    Apr 15 02:28:58 m sshd[26828]: Server listening on 0.0.0.0 port 22.
There's also `journalctl _SYSTEMD_UNIT=sshd.service`, the difference being that it will get only the logs for the service, excluding any other possible **sshd** instances (for example someone runs another SSH server in parallel). – Cristian Ciupitu May 22 '14 at 14:12
The log is in fact located at /var/log/secure on RHEL systems. An SSHD connection will look something like this:
Jan 10 09:49:04 server sshd[28651]: Accepted publickey for [username] from x.x.x.x port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user [username] by (uid=0)
The most important part for determining whether or not your account has been compromised is the IP Address.
If you are using RHEL/CentOS 7, your system will be using systemd, and therefore journalctl. As mentioned above, you can use `journalctl _COMM=sshd`. However, you should also be able to view this with the following command:
# journalctl -u sshd
You can verify your version of redhat by the following command as well:
# cat /etc/*release
This will show you version information about your version of linux.
You can simply use the commands below to see who is logging into your account:
Log file in Red Hat: /var/log/secure
Using the journalctl command:
    $ journalctl -u sshd
Using the ausearch command:
    $ ausearch --message USER_LOGIN --success no --interpret
Check out /var/log/secure
Secure logs get rotated so you may need to search previous files as well.
E.G. /var/log/secure-20190903
You may also be interested in searching the logfile for specific lines (I just banged on the keyboard to generate those sample ip addresses so please don't attribute too much meaning to them)
sudo grep -e 52.32.98.225 -e 56.33.22.215 /var/log/secure*
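Added example, not code from any of the answers above: a small Python parser that puts the advice of the /var/log/secure answer and the rotated-logs answer into practice. It reads sshd records in the syslog layout that /var/log/secure uses and that journalctl's default short output also produces, extracts the Accepted/Failed events with user, authentication method and source IP, tallies them per IP across any number of files, and flags the pattern most worth a second look when asking "who is logging into my account": a source that failed repeatedly and then succeeded. The log lines and IP addresses in SAMPLE are constructed for this example (RFC 5737 documentation ranges), and the user name alice is made up.

```python
"""Summarise sshd login activity from /var/log/secure-style lines.

Added example, not from the original answers. Handles the two record
layouts quoted on the page: /var/log/secure on RHEL and the default
`journalctl _COMM=sshd` / `journalctl -u sshd` short output, which share
the "Mon DD HH:MM:SS host sshd[pid]: message" prefix. The SAMPLE lines
and IP addresses below are constructed for this example, not real data.
"""
import os
import re
from collections import defaultdict

# Prefix shared by /var/log/secure and journalctl's short output.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Authentication results, e.g.
#   Accepted publickey for alice from 198.51.100.7 port 61000 ssh2
#   Failed password for root from 203.0.113.9 port 40022 ssh2
#   Failed password for invalid user admin from 203.0.113.9 port 40023 ssh2
AUTH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict for an sshd authentication result line, else None.

    Session open/close, disconnects and daemon restarts are ignored on
    purpose; only lines that name a user and a source IP matter here.
    """
    m = PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    a = AUTH.match(m.group("msg"))
    if not a:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    rec.update(a.groupdict())
    rec["port"] = int(rec["port"])
    rec["invalid_user"] = "invalid user" in m.group("msg")
    return rec


def summarize(lines):
    """Aggregate per source IP: failed count, accepted logins as
    (user, method, timestamp), and whether failures preceded a success
    from the same IP (the brute-force-then-login pattern)."""
    per_ip = defaultdict(
        lambda: {"failed": 0, "accepted": [], "failed_then_accepted": False}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_ip[rec["ip"]]
        if rec["result"] == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append((rec["user"], rec["method"], rec["ts"]))
            if entry["failed"] > 0:
                entry["failed_then_accepted"] = True
    return dict(per_ip)


def read_logs(paths):
    """Yield lines from /var/log/secure and its rotated copies, oldest
    file first (by mtime), so the failed-then-accepted check sees events
    in order across rotations."""
    for path in sorted(paths, key=os.path.getmtime):
        with open(path, errors="replace") as fh:
            yield from fh


# Constructed sample of /var/log/secure content (not real traffic).
SAMPLE = """\
Jan 10 09:49:04 server sshd[28651]: Accepted publickey for alice from 198.51.100.7 port 61000 ssh2
Jan 10 09:49:04 server sshd[28651]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 09:50:11 server sshd[28700]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jan 10 09:50:13 server sshd[28702]: Failed password for invalid user admin from 203.0.113.9 port 40023 ssh2
Jan 10 09:50:20 server sshd[28702]: Connection closed by 203.0.113.9 [preauth]
Jan 10 09:51:02 server sshd[28710]: Accepted password for alice from 203.0.113.9 port 40030 ssh2
Jan 10 09:52:00 server sshd[28231]: Received signal 15; terminating.
"""

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE.splitlines()).items():
        flag = "  <-- failures then success" if info["failed_then_accepted"] else ""
        print(f"{ip}: failed={info['failed']} accepted={info['accepted']}{flag}")
```

On a real host, feed it the live file plus its rotations, e.g. `summarize(read_logs(glob.glob("/var/log/secure*")))`, or pipe `journalctl -u sshd --no-pager` into `summarize(sys.stdin)`; the prefix is the same in both cases. Two caveats: the port field must be digits, so lines masked with `****` as in the journalctl answer above will not match, and compressed rotations (`secure-*.gz`) need `gzip.open` rather than `open`.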