April 21, 2021



Folder-ssh-iconThe SSH log file is located here (on Debian based systems): /var/log/auth.log
And to view it, just type (need root or sudo):
cat /var/log/auth.log

This file most likely contains a lot of information. At least if it’s connected to the internet. All commands run through sudo will also show in this log. Here is a few examples to grab some of the useful information out from it.

See attempts to login at non existing users (often from simple “hack” scripts)
cat /var/log/auth.log | grep ‘sshd.* Invalid’
Note the capital I in Invalid.

See attempts to login at root user
cat /var/log/auth.log | grep ‘sshd.* Failed.* root’
Note the capital F in Failed.

See successful logins
cat /var/log/auth.log | grep ‘sshd.* opened’

The grep command is a text search function. If you want to know more about how to use grep, have a look here.

Happy investigating!