How to List and Terminate Active SSH Sessions in Linux: A Sysadmin’s Guide



To view all current SSH connections to your Linux server, you can use several command-line tools:

# Method 1: Using netstat
sudo netstat -tnpa | grep 'ESTABLISHED.*sshd'

# Method 2: Using ss (modern alternative to netstat)
sudo ss -tnp | grep sshd

# Method 3: Using who command
who -u

# Method 4: Using w command
w

The netstat output typically includes these columns (ss shows equivalent fields):

  • Proto: Protocol (usually tcp)
  • Recv-Q/Send-Q: Queue sizes
  • Local Address: Server IP and port
  • Foreign Address: Client IP and port
  • State: Connection state (ESTABLISHED)
  • PID/Program: Process ID and name

To forcefully disconnect a session, you have several options:

Method 1: Using kill with PID

# First find the PID of the session's own sshd process
# (listed as "sshd: user@pts/N"), not the main sshd listener
ps -ef | grep sshd

# Then kill the process
sudo kill -9 [PID]

Method 2: Using pkill with username

# Disconnect all sessions for a specific user
# (this kills every process the user owns, not only sshd)
sudo pkill -9 -u [username]

Method 3: Using tcpkill

# Install tcpkill if needed
sudo apt install dsniff

# Kill connection by client IP
sudo tcpkill -i eth0 host [client_ip] and port 22

For more control over SSH sessions, consider these approaches:

# Set idle timeout in sshd_config
ClientAliveInterval 300
ClientAliveCountMax 2

# View login history
last

# Show current connections on port 22
sudo lsof -i :22

When managing SSH connections:

  • Always verify the session belongs to an actual intruder before termination
  • Consider implementing fail2ban for automated protection
  • Regularly check auth logs: sudo tail -f /var/log/auth.log
  • Disable root login and use key-based authentication

Remember that abruptly terminating sessions may cause data loss for legitimate users. Always notify users before disconnecting their sessions when possible.


To view all active SSH connections on your Linux server, you can use several commands:

# Method 1: Using netstat
sudo netstat -tnpa | grep 'ssh'

# Method 2: Using ss (modern alternative)
sudo ss -tnp | grep 'sshd'

# Method 3: Using who command
who

The output will show connection details including source IP, port, and process ID (PID). For more detailed information:

sudo lsof -i :22

When you need to find a particular connection, filter by IP or username:

# Filter by IP address
sudo netstat -tnpa | grep 'ssh' | grep '192.168.1.100'

# Filter by username
who | grep 'username'

To disconnect a specific SSH session, you'll need its process ID (PID):

# Find the PID of the target connection
sudo netstat -tnpa | grep 'ssh' | grep '192.168.1.100'

# Then kill the process (replace 1234 with actual PID)
sudo kill 1234

# For stubborn processes
sudo kill -9 1234

For quick termination without finding the PID manually:

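# Disconnect all sessions from a specific IP
# (kills every process owned by each user logged in from that IP;
# -F with the parentheses matches the address exactly, paste joins several users with commas)
sudo pkill -9 -u "$(who | grep -F '(192.168.1.100)' | awk '{print $1}' | sort -u | paste -sd, -)"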

# Terminate all sessions for a user
sudo pkill -9 -u username
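
As an added example (not part of the original article), the helper below extracts only the sshd PIDs tied to one client IP from `ss -Htnp` output, so termination can target those sessions instead of every process a user owns. The function name and sample lines are constructed for illustration; IPv4 peers and an sshd listening on port 22 are assumed.

```sh
#!/bin/sh
# Constructed sample of `sudo ss -Htnp` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='ESTAB 0 0 10.0.0.5:22 192.168.1.100:51514 users:(("sshd",pid=2211,fd=4),("sshd",pid=2190,fd=4))
ESTAB 0 0 10.0.0.5:22 192.168.1.10:40022 users:(("sshd",pid=3302,fd=4),("sshd",pid=3290,fd=4))
ESTAB 0 36 10.0.0.5:22 192.168.1.100:51877 users:(("sshd",pid=4410,fd=4),("sshd",pid=4398,fd=4))
ESTAB 0 0 10.0.0.5:443 192.168.1.100:52001 users:(("nginx",pid=900,fd=12))'

# sshd_pids_for_ip IP (hypothetical helper name)
# Reads `ss -Htnp` lines on stdin and prints, space-separated, the PIDs of
# sshd processes holding an established connection from exactly IP to port 22.
sshd_pids_for_ip() {
    awk -v ip="$1" '
    $1 == "ESTAB" {
        peer = $5;  sub(/:[0-9]+$/, "", peer)   # strip the client port
        lport = $4; sub(/.*:/, "", lport)       # keep only the local port
        # Exact comparison: a grep for 192.168.1.10 would also hit .100
        if (peer != ip || lport != "22") next
        rest = $6
        # Each connection lists the privileged monitor and the user child;
        # "sshd[^\"]*" also covers the sshd-session name of newer OpenSSH.
        while (match(rest, /"sshd[^"]*",pid=[0-9]+/)) {
            entry = substr(rest, RSTART, RLENGTH)
            sub(/.*pid=/, "", entry)
            print entry
            rest = substr(rest, RSTART + RLENGTH)
        }
    }' | sort -un | paste -sd' ' -
}

# Run against the constructed sample
printf '%s\n' "$SAMPLE_SS" | sshd_pids_for_ip 192.168.1.100
```

On a live host, feed it `sudo ss -Htnp` instead of the sample and review the printed PIDs against `ps -fp` before passing them to `sudo kill`.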

For continuous monitoring, use the watch command:

watch -n 5 'sudo netstat -tnpa | grep ssh'

Always verify before terminating connections. Consider these security practices:

# Configure session timeout in /etc/ssh/sshd_config:
ClientAliveInterval 300
ClientAliveCountMax 2

# Then reload SSH
sudo systemctl reload sshd