Whether you are a Linux admin with servers and multiple users under your supervision or a regular Linux user, it is always good to be proactive in keeping your systems secure.
One of the ways you can actively protect your system is by monitoring user logins, specifically monitoring currently logged-in users and failed logins or login attempts.
There are four main types of logins you should be monitoring on your system: successful logins, failed logins, SSH logins, and FTP logins. Let’s see how you can monitor each of these on Linux.
1. Using the last command
The last command is a powerful command-line utility for monitoring past logins on your system, including successful and unsuccessful logins. Apart from this, it also displays system shutdowns, reboots and logouts.
You can also use the w command to show who is logged in and what they are doing; just enter w in the terminal.
2. Using the lastlog command
The lastlog utility displays login details for all users, including standard users, system users and service accounts.
The output lists every user in a neat format that shows the username, the port (terminal) they used, the originating IP address or hostname, and the timestamp of their last login.
See the lastlog man page (man lastlog) to learn more about its usage and command options.
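A small script that turns the output of last into the two things an admin actually wants from it: how many sessions each user had and from which hosts, and which sessions came from a host that is not on a known list. This is an added example, not part of the original article; sample_last_output, login_sources and unknown_sources are names chosen here, and the sample lines are constructed in the format that last prints. (lastb reads /var/log/btmp and prints failed logins in the same format, so the same functions apply to it.)

```shell
# Summarise who logged in from where, from the output of last(1).
# Added example; sample_last_output is constructed data in the format
# that last prints (remote logins only: console logins leave the host
# column empty, which shifts the fields and is not handled here).
sample_last_output() {
  cat <<'EOF'
alice    pts/0        192.0.2.10       Mon Mar  4 09:12 - 09:40  (00:28)
bob      pts/1        198.51.100.7     Mon Mar  4 10:01 - 10:15  (00:14)
alice    pts/0        203.0.113.99     Tue Mar  5 02:13 - 02:20  (00:07)
reboot   system boot  5.15.0-generic   Tue Mar  5 03:00   still running
alice    pts/2        192.0.2.10       Tue Mar  5 09:00   still logged in

wtmp begins Mon Mar  4 00:00:01 2024
EOF
}

# login_sources: one line per user, "<user> <sessions> <comma-separated hosts>"
login_sources() {
  awk '
    NF < 3 || $1 == "reboot" || $1 == "shutdown" || /^wtmp begins/ { next }
    {
      user = $1; host = $3
      count[user]++
      if (!((user, host) in seen)) {
        seen[user, host] = 1
        hosts[user] = (hosts[user] == "" ? host : hosts[user] "," host)
      }
    }
    END { for (u in count) printf "%s %d %s\n", u, count[u], hosts[u] }
  ' | sort
}

# unknown_sources ALLOWLIST: print "<user> <host>" for every session whose
# source host is not in the space-separated ALLOWLIST
unknown_sources() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF < 3 || $1 == "reboot" || $1 == "shutdown" || /^wtmp begins/ { next }
    !($3 in ok) { print $1, $3 }
  '
}

# Real use: last | login_sources ; last | unknown_sources "192.0.2.10 198.51.100.7"
# (lastb reads /var/log/btmp and lists failed logins in the same format)
sample_last_output | login_sources
sample_last_output | unknown_sources "192.0.2.10 198.51.100.7"
```

On the sample data, login_sources reports alice with three sessions from two hosts and bob with one, and unknown_sources flags the one alice session from 203.0.113.99, the kind of entry worth following up.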
3. Monitoring SSH Logins on Linux
One of the most common ways to gain remote access to a Linux server is via SSH. If your PC or server is connected to the Internet, you must secure your SSH connection (for example, by disabling password-based SSH login).
Monitoring SSH logins will give you a good overview of whether someone is trying to brute-force your system.
By default, SSH logging is disabled on some systems. You can enable it by editing the /etc/ssh/sshd_config file. Use any text editor you like, uncomment the line LogLevel INFO and change it to LogLevel VERBOSE. After the change it should look like the following.
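The edit described above, done from a script so it can be repeated on many servers without leaving two LogLevel lines behind. This is an added example, not part of the original article; write_sample_config, get_sshd_loglevel and set_sshd_loglevel are names chosen here, and the config it edits is a constructed minimal sshd_config rather than a real server's file.

```shell
# Set sshd's LogLevel the way the section describes (uncomment the line and
# change INFO to VERBOSE), without leaving a second LogLevel line behind.
# Added example; write_sample_config creates a constructed sshd_config, not
# a real server's file. Pass /etc/ssh/sshd_config for real use, then run
# "sshd -t" and reload the service.

# write_sample_config FILE: constructed minimal config with the default commented line
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample sshd_config (added example)
Port 22
#LogLevel INFO
PasswordAuthentication no
EOF
}

# get_sshd_loglevel FILE: the value sshd would use (first active line; INFO if none)
get_sshd_loglevel() {
  awk '
    tolower($1) == "loglevel" { print $2; found = 1; exit }
    END { if (!found) print "INFO" }
  ' "$1"
}

# set_sshd_loglevel FILE LEVEL: rewrite the first LogLevel line, commented or
# not, as "LogLevel LEVEL"; append one if the file has none. Later lines are
# untouched because sshd honours the first occurrence of a keyword.
set_sshd_loglevel() {
  tmp="$1.tmp.$$"
  awk -v lvl="$2" '
    !done && (tolower($1) ~ /^#?loglevel$/ || ($1 == "#" && tolower($2) == "loglevel")) {
      print "LogLevel " lvl; done = 1; next
    }
    { print }
    END { if (!done) print "LogLevel " lvl }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "before: $(get_sshd_loglevel "$cfg")"   # INFO (commented line = default)
set_sshd_loglevel "$cfg" VERBOSE
echo "after:  $(get_sshd_loglevel "$cfg")"   # VERBOSE
grep -i loglevel "$cfg"                       # LogLevel VERBOSE
rm -f "$cfg"
```

Because mv replaces the file, check its ownership and mode afterwards when you run this against /etc/ssh/sshd_config, and always validate with sshd -t before reloading sshd, since a syntax error there would lock you out of the next remote login.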
In addition to watching for failed login attempts, it is also a good idea to review which accounts are logging in and check for any that should not be there anymore, for example former employees.
4. Monitoring FTP Logins on Linux
FTP is a widely used protocol for transferring files between clients and servers. You must be authenticated on the server to be able to transfer files.
Since the service involves the transfer of files, any security breach could have serious implications for your privacy. Fortunately, you can easily monitor FTP logins and all related activity by filtering for "FTP" in the /var/log/syslog file using the following command.
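The SSH and FTP checks from sections 3 and 4 applied to syslog-style lines: count failed sshd password attempts per source so a brute-force stands out, list the logins that succeeded, and pull out the FTP entries the grep filter above is meant to find. This is an added example, not part of the original article; sample_log, ssh_failures, ssh_accepted, ftp_events and ftp_failed_logins are names chosen here, and the log lines are constructed in the shape of sshd and vsftpd syslog entries rather than taken from a real system.

```shell
# Pick SSH and FTP login events out of syslog-style lines and spot sources
# that keep failing. Added example; sample_log is constructed data in the
# shape of sshd and vsftpd syslog entries, not a real log.
sample_log() {
  cat <<'EOF'
Mar  5 02:13:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Mar  5 02:13:04 host sshd[2203]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar  5 02:13:07 host sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Mar  5 09:00:12 host sshd[2300]: Accepted publickey for alice from 192.0.2.10 port 50012 ssh2
Mar  5 09:05:33 host sshd[2310]: Failed password for bob from 198.51.100.7 port 50100 ssh2
Mar  5 09:05:40 host sshd[2310]: Accepted password for bob from 198.51.100.7 port 50100 ssh2
Mar  5 10:20:00 host vsftpd[2400]: [bob] OK LOGIN: Client "198.51.100.7"
Mar  5 10:21:45 host vsftpd[2401]: [anonymous] FAIL LOGIN: Client "203.0.113.5"
EOF
}

# ssh_failures THRESHOLD: "<source ip> <failed attempts>" for sources at or
# above THRESHOLD, most active first
ssh_failures() {
  awk -v min="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i + 1)]++
    }
    END { for (ip in fail) if (fail[ip] >= min) print ip, fail[ip] }
  ' | sort -k2,2nr
}

# ssh_accepted: "<user> <source ip> <auth method>" per successful login
ssh_accepted() {
  awk '
    /sshd\[[0-9]+\]: Accepted / {
      for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i + 3), $(i + 5), $(i + 1)
    }
  '
}

# ftp_events: everything FTP-related, the filter the section describes
ftp_events() {
  grep -i ftp
}

# ftp_failed_logins: "<user> <client ip>" from vsftpd FAIL LOGIN entries
ftp_failed_logins() {
  sed -n 's/.*\[\([^]]*\)\] FAIL LOGIN: Client "\([^"]*\)".*/\1 \2/p'
}

# Real use: ssh_failures 5 < /var/log/auth.log ; ftp_events < /var/log/syslog
sample_log | ssh_failures 3
sample_log | ssh_accepted
sample_log | ftp_events
sample_log | ftp_failed_logins
```

On the sample, 203.0.113.5 fails three SSH passwords in six seconds and then fails an anonymous FTP login too; that correlation across services is exactly what a threshold on ssh_failures alone would not show, so it pays to look at both outputs together. Where auth messages go depends on the distribution (auth.log on Debian-based systems, secure on Red Hat-based ones, or the journal), so point the functions at whichever your system writes.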
Monitor logins on Linux for better security
Every system administrator should be proactive in securing their systems. Monitoring your logins from time to time is the best way to spot suspicious activity.
You can also use a tool like fail2ban to automatically take preventive measures on your behalf.