SSH (Secure Shell) is a powerful tool for dedicated server management. With it, you can remotely log into your server and manage nearly every application, service, and website. On Unix and Linux operating systems, SSH usually comes installed by default, with one SSH-enabled user.
Under normal circumstances it is safer to only have that one user, so that you are the only one who can log in to the server remotely. The services you may offer, however, may necessitate enabling other users to have SSH access. In such a situation, it is important to periodically monitor SSH activity.
For live monitoring, you can use shell commands like “who” to see who is currently logged in at any given time. If you have enabled access for other users, it should not be alarming to see them logged in, but if something is going wrong with the server while one of those users is logged in, you might be able to trace the problem to that account. In all likelihood, such an account has been compromised.
Another way to monitor remote logins is to view system logs. Depending on your Linux distribution, SSH log information may be stored in /var/log/syslog or /var/log/messages. In either case, look for repeated failed login attempts and any other anomalies.
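The log review described above can be scripted. The following is an added example, not part of the original article: it counts failed SSH logins per source address and flags a successful login that follows repeated failures from the same source. The log lines are constructed samples in the standard OpenSSH message format, and the function name and threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual syslog + OpenSSH sshd message format.
SAMPLE_LOG = """\
Mar  3 02:14:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 02:14:03 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 02:14:06 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 02:14:09 host1 sshd[1205]: Failed password for deploy from 203.0.113.5 port 51141 ssh2
Mar  3 02:14:12 host1 sshd[1207]: Accepted password for deploy from 203.0.113.5 port 51150 ssh2
Mar  3 08:30:44 host1 sshd[2310]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 08:30:51 host1 sshd[2310]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 09:02:10 host1 CRON[2400]: pam_unix(cron:session): session opened for user root
"""

# Matches sshd authentication results; "invalid user" marks unknown accounts.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(lines, threshold=3):
    """Return (noisy_sources, suspicious_logins).

    noisy_sources: {ip: failure_count} for sources with >= threshold failures.
    suspicious_logins: (user, ip) pairs where a login succeeded after the
    same source had already reached the failure threshold (assumed value).
    """
    failures = Counter()
    suspicious = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # not an sshd authentication event
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspicious.append((m["user"], ip))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = summarize(SAMPLE_LOG.splitlines())
    for ip, n in noisy.items():
        print(f"{n} failed logins from {ip}")
    for user, ip in suspicious:
        print(f"ALERT: {user} logged in from {ip} after repeated failures")
```

To run it against a real log, pass an open file object for the log path on your distribution in place of the sample lines.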
By actively monitoring remote logins, you can save yourself the unfortunate circumstance of having to take back control of your server from an attacker. This will benefit you and your users by helping to keep your dedicated server safe.