How to Check Active SSHFS Mounts on a Linux Server: Command Line Guide



Unlike regular SSH shell sessions, which appear in the output of last, w, or who, SSHFS mounts operate at the filesystem layer. When clients mount directories via SSHFS, these connections don't create traditional login sessions.

The most reliable way to identify active SSHFS mounts is through these system-level checks:

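# Method 1: Check mounted filesystems (lists SSHFS mounts made from this host)
mount | grep fuse.sshfs

# Method 2: Examine process table (the [s] keeps grep from matching itself)
ps aux | grep '[s]shfs'

# Method 3: Inspect network connections
# (-l would limit ss to listening sockets, so it is left out)
ss -tnp | grep 'ssh'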

For comprehensive monitoring, combine multiple approaches:

# Detailed mount information
findmnt -t fuse.sshfs -o TARGET,SOURCE,OPTIONS

# Cross-reference with network connections
lsof -i :22 | grep ESTABLISHED

Create a monitoring script to track SSHFS activity:

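#!/bin/bash
# Count SSHFS entries in the mount table
ACTIVE_MOUNTS=$(mount | grep -c fuse.sshfs)
# Count established TCP connections on port 22, inbound or outbound
# (-l would list listening sockets only, so ESTAB would never match)
CONNECTIONS=$(ss -Htn state established '( sport = :22 or dport = :22 )' | wc -l)

echo "[$(date)] Active SSHFS mounts: $ACTIVE_MOUNTS"
echo "[$(date)] Established SSH connections: $CONNECTIONS"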

For security-conscious environments:

# Check for suspicious mounts
grep sshfs /etc/mtab /proc/mounts

# Audit via system logs (the unit is named ssh instead of sshd on Debian/Ubuntu)
journalctl -u sshd | grep 'Accepted publickey'
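
An added example (not part of the original guide) that goes one step beyond grepping the mount table: it parses /proc/mounts-format lines, prints each fuse.sshfs entry with the uid that mounted it, and flags allow_other/allow_root, the FUSE options that open a mount to local users other than the one who mounted it. The function names and the sample table are constructed for illustration.

```bash
#!/bin/bash
# Added example: report fuse.sshfs entries from a /proc/mounts-format table.

# Constructed sample table (not real data); the second SSHFS entry has an
# escaped space in its mount point and the allow_other option set.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
user@client:/remote/path /local/mountpoint fuse.sshfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
backup@192.0.2.10:/srv/data /mnt/shared\040data fuse.sshfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
EOF
}

# Reads mounts-format lines (source target fstype options dump pass) from the
# files given as arguments, or from stdin when none are given.
# Prints: uid=<mounting uid> <remote source> -> <mount point> [flagged options]
sshfs_mounts() {
    awk '
    $3 == "fuse.sshfs" {
        uid = "?"; flags = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^user_id=/)
                uid = substr(opt[i], 9)
            # These options let users other than the mounting one reach the mount.
            if (opt[i] == "allow_other" || opt[i] == "allow_root")
                flags = flags " " opt[i]
        }
        target = $2
        gsub(/\\040/, " ", target)   # /proc/mounts writes spaces as \040
        printf "uid=%s %s -> %s%s\n", uid, $1, target,
               (flags != "" ? " [" substr(flags, 2) "]" : "")
    }' "$@"
}

# Demo on the constructed table; on a live host run: sshfs_mounts /proc/mounts
sample_mounts | sshfs_mounts
```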

Implement continuous monitoring with auditd:

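# /etc/audit/rules.d/sshfs.rules
# The fstype field is only accepted on the filesystem list, so it cannot be
# used here. This rule records every mount(2) call under the key sshfs_mount;
# filter for SSHFS when searching the audit log.
-a always,exit -F arch=b64 -S mount -k sshfs_mount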

Remember that SSHFS uses the SFTP subsystem, so on the host being mounted its connections typically appear as sshd and sftp processes rather than shell sessions.


Unlike regular SSH shell sessions, which appear in the output of last, w, or who, SSHFS mounts operate at a different layer. These FUSE-based connections don't create traditional login sessions, making them invisible to standard user tracking commands.

Here are several approaches to identify active SSHFS connections on your server:

1. Checking FUSE Mounts

The most direct method examines the mount table for FUSE filesystems:

mount | grep fuse.sshfs

Sample output:

user@client:/remote/path on /local/mountpoint type fuse.sshfs (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

2. Inspecting Network Connections

SSHFS uses SSH as transport, so checking active SSH connections can reveal mounts:

ss -tnp | grep sshd

For more detailed information:

lsof -i :22 | grep ESTABLISHED

3. Process Examination

SSHFS creates specific processes that can be detected:

ps aux | grep 'sshfs'

Or more precisely:

pgrep -lf sshfs

For regular monitoring, create a script that combines these checks:

#!/bin/bash

echo "=== Active SSHFS Mounts ==="
mount | grep fuse.sshfs || echo "No SSHFS mounts found"

echo -e "\n=== Related SSH Connections ==="
ss -tnp | grep sshd

echo -e "\n=== SSHFS Processes ==="
pgrep -lf sshfs || echo "No active SSHFS processes"

For servers with many users, consider these security enhancements:

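# Log session opens through pam_exec. The hook fires for every SSH session,
# SSHFS/SFTP and interactive alike. "optional" keeps a missing or failing
# script from blocking all SSH logins, which "required" would do.
echo "session optional pam_exec.so /usr/local/bin/log_sshfs.sh" >> /etc/pam.d/sshd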

Create the logging script:

#!/bin/bash
# Run by pam_exec, which sets PAM_TYPE, PAM_USER and PAM_RHOST in the environment.
if [[ "$PAM_TYPE" == "open_session" ]]; then
    echo "$(date): SSHFS mount by $PAM_USER from $PAM_RHOST" >> /var/log/sshfs_mounts.log
fi

For systemd-based systems, you can create a service to monitor mounts:

[Unit]
Description=SSHFS Mount Monitor

[Service]
ExecStart=/bin/bash -c 'while true; do mount | grep fuse.sshfs >> /var/log/sshfs.log; sleep 60; done'

[Install]
WantedBy=multi-user.target