How to Find Active SSH Connections on Linux
On this page
If you are Linux system administrator and responsible for managing servers then you may often need to know how many ssh connections are active on your server and where the connections come from. There are several commands and tools available in Linux to find the active SSH connections on your server.
In this tutorial, we will show how to find active SSH connections with different methods in Linux.
Prerequisites
- A server running Linux operating system.
- You have root access on that server.
Find Active SSH Connection with who command
who is the Linux command-line utility used to displays a list of users who are currently logged into the server.
Open your terminal and run the who command to find the active connections on your server:
who
You should get the following output:
root pts/0 2020-05-01 02:37 (27.61.161.61) root pts/1 2020-05-01 02:39 (45.58.38.21)
As you can see there are two active SSH connections from the IP 27.61.161.61 and 45.58.38.21.
Find Active SSH Connection with w command
w is another command-line utility that displays the information about currently login user on your server. This command provides more information than who command like active sessions and running process on those sessions.
You can run the w command as shown below:
w
You should get the following output:
02:40:07 up 1 day, 18:35, 2 users, load average: 0.02, 0.02, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 27.61.161.61 02:37 1.00s 0.04s 0.01s ssh [email protected] root pts/1 45.58.38.21 02:39 1.00s 0.02s 0.00s w
As you can see this command also displays the idle time details, source IP, login time, load average and processes.
Find Active SSH Connection with ps command
ps command also gives you the information about active SSH sessions in your server. It gives you some additional information like PID of the active SSH connections.
You can run the ps command as shown below
ps auxwww | grep sshd: | grep -v grep
You should see the following output:
root 609 0.0 0.1 12160 7268 ? Ss Apr29 0:01 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups root 35532 0.0 0.2 13864 8796 ? Ss 02:37 0:00 sshd: root@pts/0 root 35669 0.0 0.2 13860 8916 ? Ss 02:38 0:00 sshd: root@pts/1
Find Active SSH Connection with netstat command
Netstat is a command-line tool that can be used to show active or Established SSH connections from the remote hosts to your server.
You can run the netstat command as shown below:
netstat -tnpa | grep 'ESTABLISHED.*sshd'
You should see the following output:
tcp 0 88 45.58.38.21:22 27.61.161.61:8363 ESTABLISHED 35532/sshd: root@pt tcp 0 0 45.58.38.21:22 45.58.38.21:51166 ESTABLISHED 35669/sshd: root@pt
Find Active SSH Connection with last command
The last command is used to displays the list of all users that are logged in and log out since the file /var/log/wtmp created. With last command you can also find the active SSH connection information between client and server.
Run the following command to find the active SSH connections in your server.
last -a | grep -i still
You should see the following output:
root pts/1 Fri May 1 02:39 still logged in 45.58.38.21 root pts/0 Fri May 1 02:37 still logged in 27.61.161.61 reboot system boot Wed Apr 29 08:04 still running 5.4.0-26-generic
Find Active SSH Connection with ss command
ss is very similar to netstat and used to display more information than other tools. You can use ssh command with grep to list the active SSH connection in your server.
Run the ss command with grep as shown below:
ss | grep -i ssh
You should see the following output:
tcp ESTAB 0 0 45.58.38.21:51166 45.58.38.21:ssh tcp ESTAB 0 56 45.58.38.21:ssh 27.61.161.61:8363 tcp ESTAB 0 0 45.58.38.21:ssh 45.58.38.21:51166
As you can see, there are two active connections from the client IP 45.58.38.21 and 27.61.161.61.
Conclusion
In the above guide, we learned how to find active SSH connections with different methods. You can now easily monitor who are logged in to your server.
