Note: depending on the system configuration, some of the commands we are going to discuss may require you to have root or sudo privileges.
1. Using the WHO Command
The first command you can use to show active SSH connections is the who command. The who command shows who is currently logged in to the system, including the connected users and their source IP addresses. To use it, simply enter who without any parameters.

In the above output, you can see one debian user connected via tty and two SSH sessions from a remote IP address.

You can also add parameters to the who command to show detailed information. For example, to show the time of the last system boot along with the logged-in users, add the -b and -u flags:

The who command offers more options to get customized results. Check out the manual page to learn more.
2. Using the W Command
The next command you can use to show the status of SSH sessions and the users connected to the server is the w command. Unlike the who command, the w command also tells you which processes each user is running. Additionally, it reports how long each SSH connection has been idle, which is very helpful when you need to terminate idle sessions. If you run the command without any other options, you should get an output similar to the one below.

In the above example, the w command gives detailed information, such as the username, TTY, source IP address, time of login, idle time and more.

Like the who command, you can also use the w command with various parameters. The table below shows the various parameters you can use with the w command.

The example below shows the w command used with the -s and -f parameters to show an abridged output of the current SSH sessions with the FROM part truncated.

Although rarely used, you can also use the w command with environmental and file parameters. To learn more about these parameters, consult the man pages.
3. Using the Last Command
You can also use the last command to show all connected SSH sessions. The last command shows the list of last logged-in users. It works by reading a designated file; for example, “/var/log/wtmp” records all the users who have logged in and out since the file’s creation. The command also gives you information about the SSH sessions created between the client and server.

The general syntax for the last command is:

Here’s an example.

Since the output from the last command is massive, we can use the grep command to show the active sessions only. For example:

You can also modify the output from the last command to show detailed information. For example, to show the full usernames and domains, we can use the -w flag.

The last command supports numerous options. Here are the most commonly used options for the last command.
4. Using the netstat Command
We cannot forget about the netstat command. Netstat is used to show all network connections, network interfaces, routing tables and more. You can also use the netstat command to filter for established or connected SSH sessions on your Linux server:

The above command shows only the established SSH connections. To show all connections, including listening and non-listening ones, we can use the -a flag:
5. Using the ss Command
If you want to learn more about the connected SSH sessions, you can use the ss command, which shows socket data, making it similar to netstat. For example, we can grep the output from the ss command with the -a option (all) to show all connected SSH sessions. The syntax for that is:

The output above displays all the SSH connections on the remote host. This includes the listening sshd daemon. To filter for the established SSH connections, you can pipe the output back to grep.

The commands above will only return the active SSH connections.

The ss command also has tons of other options you can use to learn various things about active server connections. For example, you can use the -e flag to show more detailed socket information.
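The ss filtering described above can be turned into a per-source summary that flags unexpected clients. The script below is an added example, not part of the original article; it assumes sshd listens on port 22 and that the input comes from ss -tn (TCP sockets, numeric addresses and ports). The sample output, the ALLOWED list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise established inbound SSH connections per source
# from `ss -tn` output and flag sources missing from an allowlist.

# Constructed sample of `ss -tn` output (documentation address ranges).
SAMPLE='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB  0      0      192.0.2.10:22         203.0.113.7:51234
ESTAB  0      36     192.0.2.10:22         203.0.113.7:51240
ESTAB  0      0      192.0.2.10:44312      198.51.100.9:443
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*
ESTAB  0      0      [2001:db8::10]:22     [2001:db8::99]:40022'

# Hypothetical allowlist of expected admin sources, space separated.
ALLOWED='203.0.113.7'

# ssh_peers: read `ss -tn` lines on stdin, print "<count> <source>" for each
# peer holding an ESTAB connection to local port 22 (assumed sshd port).
ssh_peers() {
    awk '$1 == "ESTAB" && $4 ~ /:22$/ {
             peer = $5
             sub(/:[0-9]+$/, "", peer)     # drop the peer port
             gsub(/\[|\]/, "", peer)       # drop IPv6 brackets
             n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -k2
}

# flag_unknown: read ssh_peers output on stdin and print every source that
# is not in the allowlist passed as the first argument.
flag_unknown() {
    while read -r count src; do
        case " $1 " in
            *" $src "*) ;;                 # expected source, stay quiet
            *) echo "UNEXPECTED $src ($count connection(s))" ;;
        esac
    done
}

# On a live host, replace the sample with:  ss -tn | ssh_peers
printf '%s\n' "$SAMPLE" | ssh_peers | flag_unknown "$ALLOWED"
```

The outbound connection to port 443 and the LISTEN socket are ignored because only ESTAB rows whose local port is 22 are counted.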
Wrapping Up
It is good practice to keep monitoring your remote hosts for unauthorized SSH logins and to take the necessary actions, such as securing your server or disabling password authentication. Meanwhile, you can also use reverse SSH tunneling to allow external connections to your PC.