How to Track Recent SSH Login Attempts with IP Addresses in CentOS for Security Audit



The primary location for SSH login records in CentOS is the /var/log/secure file. This log contains all authentication attempts, both successful and failed.

grep "sshd" /var/log/secure | grep "Accepted"

This command filters SSH daemon messages and shows only successful logins. A sample output looks like:

May 15 09:23:45 server1 sshd[12345]: Accepted password for root from 192.168.1.100 port 54321 ssh2
May 16 14:12:33 server1 sshd[23456]: Accepted publickey for admin from 203.0.113.42 port 12345 ssh2

The last command reads /var/log/wtmp and provides a more readable listing of login sessions:

last -i -a | head -20

Options explanation:

-i shows IP addresses instead of hostnames

-a displays hostnames/IPs in the last column

head -20 limits to most recent 20 entries

For precise extraction of timestamps, usernames, and IPs:

awk '/sshd.*Accepted/ {print $1,$2,$3,$9,"from",$11}' /var/log/secure

To identify potential brute force attacks:

grep "Failed password" /var/log/secure | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' | sort | uniq -c | sort -nr

This shows each source IP address with its failed-attempt count, sorted in descending order. The IP is taken as the field after "from" rather than as a fixed column, because "Failed password for invalid user NAME from IP" lines carry two extra fields and a fixed $11 would print the word "from" instead of an address for them.

Create a watch script for live tracking:

#!/bin/bash
# Follow the log and print one line per SSH authentication result. The source IP
# is the field after "from" rather than a fixed column, because "Failed password
# for invalid user NAME from IP" lines shift the address from field 11 to field 13.
# fflush() keeps the output live when awk writes to a pipe or file.
tail -f /var/log/secure | grep --line-buffered "sshd" | awk '
    /Accepted/ { for (i = 1; i <= NF; i++) if ($i == "from") print "SUCCESS:", $1, $2, $3, $9, $(i+1); fflush() }
    /Failed/   { for (i = 1; i <= NF; i++) if ($i == "from") print "FAIL:", $1, $2, $3, $(i+1); fflush() }'
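The following is an added example, not part of the original article: a small bash/awk helper that parses /var/log/secure lines by locating the "for" and "from" keywords (so "invalid user" lines are counted correctly), then reports source IPs at or above a failure threshold and any successful login from an IP that also produced failures. The log lines and the function names are constructed for the example.

```shell
#!/bin/bash
# Constructed sample of /var/log/secure lines (not taken from a real host).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 15 09:23:45 server1 sshd[12345]: Accepted password for root from 192.168.1.100 port 54321 ssh2
May 15 09:24:01 server1 sshd[12350]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 15 09:24:02 server1 sshd[12351]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
May 15 09:24:03 server1 sshd[12352]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
May 16 14:12:33 server1 sshd[23456]: Accepted publickey for admin from 203.0.113.42 port 12345 ssh2
May 16 14:15:10 server1 sshd[23460]: Failed password for admin from 203.0.113.42 port 12346 ssh2
EOF

# One "STATUS user ip" line per sshd authentication message. User and IP are
# located via the "for" and "from" keywords instead of fixed column numbers,
# because "invalid user NAME" lines carry two extra fields.
ssh_auth_events() {
    awk '/sshd\[[0-9]+\]: (Accepted|Failed) / {
        status = $6; user = ""; ip = ""
        for (i = 7; i <= NF; i++) {
            if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
            if ($i == "from") ip = $(i+1)
        }
        print status, user, ip
    }' "$1"
}

# Source IPs with at least THRESHOLD failed attempts, most active first.
ssh_bruteforce_sources() {   # usage: ssh_bruteforce_sources LOGFILE THRESHOLD
    ssh_auth_events "$1" | awk -v t="$2" '
        $1 == "Failed" { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -nr
}

# Successful logins from an IP that also produced failures: a guessing run that
# ended with a valid credential deserves a closer look than either list alone.
ssh_success_after_failure() {
    ssh_auth_events "$1" | awk '
        $1 == "Failed"   { failed[$3] = 1 }
        $1 == "Accepted" { ok[$2 " " $3] = 1 }
        END { for (k in ok) { split(k, p, " "); if (p[2] in failed) print k } }' | sort
}

ssh_bruteforce_sources "$SAMPLE_LOG" 3
ssh_success_after_failure "$SAMPLE_LOG"
```

Point the functions at /var/log/secure instead of the sample file to run them against a real host.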

After identifying suspicious activity, consider these hardening measures:

# Disable root login (matches both the commented default "#PermitRootLogin yes"
# shipped on CentOS 7 and the explicit "PermitRootLogin yes" on CentOS 8)
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config

# Change default port (matches the commented "#Port 22" default as well)
# On CentOS the new port must also be allowed by SELinux
# (semanage port -a -t ssh_port_t -p tcp 2222) and by firewalld before the
# restart, or sshd cannot bind to it / clients are blocked.
sed -i -E 's/^#?Port 22$/Port 2222/' /etc/ssh/sshd_config

# Validate the configuration, then restart SSH service
sshd -t && systemctl restart sshd

When you suspect unauthorized root access to your CentOS server, the first step is checking authentication logs. The primary log file containing SSH login attempts is:

/var/log/secure

Use this grep command to filter SSH-related entries:

grep "sshd" /var/log/secure | grep -i "accepted"

This will show successful login attempts with timestamps and IP addresses. For a more detailed view including failed attempts:

grep "sshd" /var/log/secure | grep -iE "accepted|failed"

For systems using systemd (CentOS 7+), journalctl provides powerful filtering:

journalctl -u sshd --since "2 hours ago" | grep -i "accepted"

To see all SSH activity within a specific time window:

journalctl -u sshd --since "2023-11-01" --until "2023-11-15"

To extract all unique IP addresses that attempted SSH connections:

grep "sshd" /var/log/secure | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort | uniq -c | sort -n

This command lists each IP address with the number of sshd log lines that mention it. Note that it counts every sshd message containing an address (disconnect notices included), not only authentication attempts, so read it as an activity count per source.

For ongoing monitoring, create a script to log SSH access attempts:

#!/bin/bash
# Append a timestamped report of recent logins and SSH successes to LOGFILE.
LOGFILE=/var/log/ssh_monitor.log
DATE=$(date "+%Y-%m-%d %H:%M:%S")
{
    echo "=== SSH Login Report for $DATE ==="
    lastlog | grep -v "Never logged in"                              # accounts that have logged in at least once
    echo ""
    grep "sshd" /var/log/secure | grep -i "accepted" | tail -n 10    # last 10 successful SSH logins
} >> "$LOGFILE"

After identifying unauthorized access, consider these security measures:

# Disable root login (the -E pattern covers both "#PermitRootLogin yes" and "PermitRootLogin yes")
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config

# Change SSH port; on CentOS also register the port with SELinux
# (semanage port -a -t ssh_port_t -p tcp 2222) and open it in firewalld
sed -i -E 's/^#?Port 22$/Port 2222/' /etc/ssh/sshd_config

# Restrict IP access via TCP wrappers. sshd honours hosts.allow/hosts.deny on
# CentOS 7; CentOS 8 dropped tcp_wrappers support from OpenSSH, so use firewalld
# rules there instead. hosts.allow is consulted first, so the allow entry wins.
echo "sshd: ALL" >> /etc/hosts.deny
echo "sshd: 192.168.1.0/24" >> /etc/hosts.allow

# Validate the configuration, then restart SSH service
sshd -t && systemctl restart sshd

Set up an email alert for successful root logins by adding this to /etc/ssh/sshd_config (ForceCommand runs only after authentication succeeds, so it reports logins rather than attempts):

Match User root
    # ForceCommand replaces the session's command, so a bare mail call would leave
    # root without a shell. Send the alert, then hand over to the original command
    # (SSH_ORIGINAL_COMMAND) or to a login shell.
    ForceCommand sh -c 'echo "ALERT - Root SSH access from ${SSH_CONNECTION%% *}" | mail -s "Root SSH Access" admin@example.com; exec "$SHELL" -l ${SSH_ORIGINAL_COMMAND:+-c "$SSH_ORIGINAL_COMMAND"}'