How to Show All Active SSH Connections in Linux

Active Ssh Connections Linux Featured

SSH is a popular and effective protocol that allows you to log in and manage remote hosts from your local machine. This guide walks you through various commands you can use to check for active SSH connections on the remote host.

Note: depending on the system configuration, some of the commands we are going to discuss may require you to have root or sudo privileges.

1. Using the WHO Command

The first command you can use to show active SSH connections is the who command.

The who command is used to show who is currently logged in to the system. It allows us to view the connected users and the source IP addresses.

To use the who command, simply enter who without any parameters.

Who

In the above output, you can see one debian user connected via tty and two SSH sessions from a remote IP address.

You can also add parameters to the who command to show detailed information.

For example, to show the last boot for connected users, add the -b -u flag:

Who B U

The who command offers more options to get customized results. Check out the manual page to learn more.

2. Using the W Command

The next command you can use to show the status of various SSH sessions and users connected to the server is the w command. Unlike the who command, the w command gives you more information about the running processes for each user.

Additionally, the w command will give you information about idle SSH connections, which is very helpful when you need to terminate them.

If you run the command without any other options, you should get an output similar to the one below.

W Command

In the above example, the w command gives detailed information, such as the username, TTY method, source IP address, time of login, idle time and more.

Like the who command, you can also use the w command with various parameters. The table below shows the various parameters you can use with the w command.

ParameterWhat it does
-h, –no-headerInforms the terminal not to print the header
-u, –no-currentPrompts the terminal to ignore the username as it displays connected users’ processes and CPU time
-s, –shortTells the terminal to print a shortened output – excluding login time, JCPU and PCPU
-f, –fromEnables/disables the FROM option of the print output
–helpDisplays the various w command options/parameters and exits
-v, –versionDisplays information about the version and exits
userNarrows down the results to the specified user

The example below shows  the w command used with the -s and -f parameters to show an abridged output of the current SSH sessions with the FROM part truncated.

Who S F

Although rarely used, you can also use the w command with environmental and file parameters. To learn more about these parameters, consider the man pages.

3. Using the Last Command

You can also use the last command to show all connected SSH sessions. The last command shows the list of last logged-in users.

It works by checking the designated file. For example, “/var/log/wtmp” shows all the users who have logged in and out since the file’s creation. The command also gives you information about the created SSH sessions between the client and server.

The general syntax for the last command is:

Here’s an example.

Last Command

Since the output from the last command is massive, we can use the grep command to show the active sessions only.

For example:

Last Grep Still

You can also modify the output from the last command to show detailed information.

For example, to show the full usernames and domains, we can use the -w flag.

The last command supports numerous options. Here are the most commonly used options for the last command.

ParameterWhat it does
-a, –hostlastDisplays the hostname in the last column
-d, –dnsLinux stores the hostname and IP address of all remote hosts. This parameter turns the IP into a hostname
-file, –fileInforms the last command to use a designated file other than /var/log/wtmp
-F, –fulltimesPrompts last to print all login and logout dates and times
-i, –ipSimilar to the –dns, except instead of showing the host’s hostname, it shows the IP number

4. Using the netstat Command

We cannot forget about the netstat command. Netstat is used to show all network connections, network interfaces, routing tables and more.

You can also use the netstat command to filter for established or connected SSH sessions on your Linux server:

Netstat Grep Ssh

The above command shows only the established SSH connections.

To show all connections including listening and non-listening, we can use the -a flag as:

Netstat A Grep Ssh

5. Using the ss Command

If you want to learn more information about the connected SSH sessions, you can use the ss command, which shows socket data, making it similar to netstat.

For example, we can grep the output from the ss command with the -a option (all) to show all connected SSH sessions. The syntax for that is:

Ss Grep Ssh

The output above displays all the SSH connections on the remote host. This will include the SSHD daemon.

To filter for the established SSH connections, you can pipe the output back to grep.

Ss Double Grep

The commands above will only return the active SSH connections.

The ss command also has tons of other options you can use to learn various things about active server connections. For example, you can use the -e flag to show more about the socket information.

Wrapping Up

It is good practice to keep monitoring your remote hosts for unauthorized SSH logins and take necessary actions, such as securing your server or disabling password authentication. Meanwhile, you can also use reverse SSH tunneling to allow external connection to your PC.

John Wachira

John is a technical writer at MTE, when is not busy writing tech tutorials, he is staring at the screen trying to debug code.

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.