How to View SSH Logs on Linux

Who is accessing your Linux system via SSH? Who is trying to but failing to access your system via SSH? If someone can not access the system via SSH, why is that?

You can get these kinds of answers by looking at SSH logs.

How do you view SSH logs? Well, that depends on if your system uses systemd or not.

Since most Linux distributions use systemd these days, you can check the SSH logs with:

sudo journalctl -u ssh

Here's the result for a public facing production server:

Nov 10 08:15:00 ghost-itsfoss sshd[955225]: Received disconnect from 152.200.181.42 port 60683:11: Bye Bye [preauth]
Nov 10 08:15:00 ghost-itsfoss sshd[955225]: Disconnected from invalid user tricomtek 152.200.181.42 port 60683 [preauth]
Nov 10 08:28:05 ghost-itsfoss sshd[955422]: error: kex_exchange_identification: Connection closed by remote host
Nov 10 08:28:05 ghost-itsfoss sshd[955422]: Connection closed by 195.178.110.112 port 41804
Nov 10 08:33:12 ghost-itsfoss sshd[955500]: Connection reset by authenticating user root 92.255.85.253 port 38845 [preauth]
Nov 10 08:33:39 ghost-itsfoss sshd[955506]: Invalid user oracle from 195.178.110.112 port 49372
Nov 10 08:33:39 ghost-itsfoss sshd[955506]: Connection closed by invalid user oracle 195.178.110.112 port 49372 [preauth]
Nov 10 08:40:08 ghost-itsfoss sshd[955575]: Invalid user hadoop from 195.178.110.112 port 55372
Nov 10 08:40:08 ghost-itsfoss sshd[955575]: Connection closed by invalid user hadoop 195.178.110.112 port 55372 [preauth]
Nov 10 08:46:39 ghost-itsfoss sshd[955647]: Invalid user tomcat from 195.178.110.112 port 41450
Nov 10 08:46:39 ghost-itsfoss sshd[955647]: Connection closed by invalid user tomcat 195.178.110.112 port 41450 [preauth]
Nov 10 08:52:14 ghost-itsfoss sshd[955710]: error: kex_exchange_identification: read: Connection reset by peer

Let's see it in details with more examples.

Viewing SSH logs for a specified time period

💡
You will need to be root user or run the journalctl commands with sudo to access SSH logs.

For a public server, there will be hundreds of lines for the past several days. You can further filter the journal logs based on time and days.

For example, if you want recent SSH logs, let's for the last 5 minutes, use:

sudo journalctl -u ssh --since -5m

To get SSH activities past one hour:

sudo journalctl -u ssh --since -1h

To get it for past 3 days:

journalctl -u ssh --since -3d

You can also view journalctl logs till certain time:

sudo journalctl -u ssh --until "2024-11-20 09:00:00"
📋
Journalctl is part of systemd and it uses systemd notations. Here, -u denotes a systemd unit. When you use journalctl -u ssh, you are telling it to show journal logs for ssh systemd unit.

Follow SSH logs in real time

You can also watch SSH logs in real time:

sudo journalctl -fu ssh

The -f option of journalctl means follow, similar to what you see in tail and other commands.

Press Ctrl+C to stop viewing the logs.

💡
If SSH connections are being blocked by the firewall, then you won't see them in the SSH logs. That's what happened with me. In such case, you should check the firewall logs.

Viewing SSH logs in non-systemd way

If your server doesn't use systemd, no worries. You can find the SSH logs in classic syslog fashion.

sudo grep sshd /var/log/auth.log

And you'll see similar information here as well:

Nov 20 10:50:05 ghost-itsfoss sshd[1256793]: Disconnected from authenticating user root 167.71.106.220 port 42716 [preauth]
Nov 20 10:50:23 ghost-itsfoss sshd[1256803]: Received disconnect from 185.158.94.255 port 58624:11: Bye Bye [preauth]
Nov 20 10:50:23 ghost-itsfoss sshd[1256803]: Disconnected from authenticating user root 185.158.94.255 port 58624 [preauth]
Nov 20 10:50:45 ghost-itsfoss sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/grep sshd /var/log/auth.log
Nov 20 10:50:47 ghost-itsfoss sshd[1256812]: Invalid user debian from 209.141.33.193 port 34928
Nov 20 10:50:47 ghost-itsfoss sshd[1256812]: Received disconnect from 209.141.33.193 port 34928:11: Bye Bye [preauth]
Nov 20 10:50:47 ghost-itsfoss sshd[1256812]: Disconnected from invalid user debian 209.141.33.193 port 34928 [preauth]
💡
If you are just interested in seeing who logged in to the server, use commands like last, lastlog ,w etc.

Why so many SSH connection attempts and what can you do about it?

Did you notice there were so many connection attempts? That's what happens when you have a server on public network with SSH enabled.

There are bots that keep on trying to gain access via SSH. But they don't know your system's username or password so why do they try it? Because they try with some common username or application or service name with common or default passwords.

No one is doing this manually. It's all automated.

If someone uses the default user-password for some services or system (such as Pi or Kali), the attackers might gain access.

There are several tools to resist such attacks. Try Fail2Ban for the start.

How to Install and Configure Fail2Ban to Secure Linux Server
This detailed guide teaches you what is Fail2Ban, how to configure it and how to use it for providing an additional layer of security on your Linux system.

I hope with SSH logs, you'll have a little better time troubleshooting the connection issues.