Several ways to monitor users connected over SSH in real time.
Using netstat
# netstat -tnpa | grep "ESTABLISHED.*sshd"
tcp        0     64 172.16.32.178:22    172.16.3.22:50915     ESTABLISHED 23897/sshd: user1
tcp        0      0 172.16.32.178:22    172.16.3.22:49345     ESTABLISHED 23168/sshd: user1
tcp        0      0 172.16.32.178:22    172.16.33.200:59452   ESTABLISHED 1597/sshd: user1
Using lsof
# lsof -n -a -itcp -stcp:established -c sshd
COMMAND   PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     1597  root   3u  IPv4  29944      0t0  TCP 172.16.32.178:ssh->172.16.33.200:59452 (ESTABLISHED)
sshd     1603  user1  3u  IPv4  29944      0t0  TCP 172.16.32.178:ssh->172.16.33.200:59452 (ESTABLISHED)
sshd    23168  root   3u  IPv4 176479      0t0  TCP 172.16.32.178:ssh->172.16.3.22:49345 (ESTABLISHED)
sshd    23170  user1  3u  IPv4 176479      0t0  TCP 172.16.32.178:ssh->172.16.3.22:49345 (ESTABLISHED)
sshd    23897  root   3u  IPv4 179696      0t0  TCP 172.16.32.178:ssh->172.16.3.22:50915 (ESTABLISHED)
sshd    23906  user1  3u  IPv4 179696      0t0  TCP 172.16.32.178:ssh->172.16.3.22:50915 (ESTABLISHED)
Using ss
# ss -o state established '( dport = :ssh or sport = :ssh )'
Netid  Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
tcp    0       0       172.16.32.178:ssh    172.16.3.22:50915     timer:(keepalive,118min,0)
tcp    0       0       172.16.32.178:ssh    172.16.3.22:49345     timer:(keepalive,61min,0)
tcp    0       0       172.16.32.178:ssh    172.16.33.200:59452   timer:(keepalive,53sec,0)
Using w
# w
 22:55:40 up 1 day, 13:51,  3 users,  load average: 0,00, 0,00, 0,00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user1    pts/0    172.16.3.22      21:57   43:16   0.10s  0.04s sshd: user1 [priv]
user1    pts/1    172.16.33.200    Вт04     1:17m  0.09s  0.20s sshd: user1 [priv]
user1    pts/2    172.16.3.22      22:54    0.00s  0.08s  0.04s sshd: user1 [priv]
Using who
# who
user1    pts/0        2022-10-05 21:57 (172.16.3.22)
user1    pts/1        2022-10-04 10:56 (172.16.33.200)
user1    pts/2        2022-10-05 22:54 (172.16.3.22)
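Added example (not part of the original note): a small shell helper that turns lines in the format printed by the netstat command above into a per-user, per-source-address session count, which is easier to review than the raw list. The function names `summarize_ssh_sessions`, `peers_over_limit` and `sample_netstat` are hypothetical, and the sample input reuses the three netstat lines from this page plus one constructed non-SSH line.

```shell
#!/bin/sh
# Added example: count established SSH sessions per (user, peer IP)
# from `netstat -tnpa` lines. Function names are hypothetical.

# Reads netstat lines on stdin, prints "<user> <peer-ip> <count>",
# sorted byte-wise so the order does not depend on the locale.
summarize_ssh_sessions() {
    awk '
        # Keep only established connections owned by an sshd process.
        $6 == "ESTABLISHED" && $7 ~ /^[0-9]+\/sshd:?$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the port (also works for IPv6)
            # Process title without a user name is reported as "-".
            user = ($8 == "" || $8 ~ /^\[/) ? "-" : $8
            count[user " " peer]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# peers_over_limit LIMIT: same input, prints only the summary lines
# whose session count is greater than LIMIT.
peers_over_limit() {
    summarize_ssh_sessions | awk -v limit="$1" '$3 + 0 > limit + 0'
}

# Constructed sample input: the three netstat lines shown on this page
# plus one constructed non-SSH connection that must be ignored.
sample_netstat() {
    cat <<'EOF'
tcp 0 64 172.16.32.178:22 172.16.3.22:50915 ESTABLISHED 23897/sshd: user1
tcp 0 0 172.16.32.178:22 172.16.3.22:49345 ESTABLISHED 23168/sshd: user1
tcp 0 0 172.16.32.178:22 172.16.33.200:59452 ESTABLISHED 1597/sshd: user1
tcp 0 0 172.16.32.178:443 172.16.3.22:51000 ESTABLISHED 900/nginx: worker
EOF
}

# Demo on the sample; on a live host (as root) use:
#   netstat -tnpa | summarize_ssh_sessions
sample_netstat | summarize_ssh_sessions
```
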