Monitoring login activity is a fundamental security practice. Every SSH session, failed authentication attempt, and suspicious login pattern should be tracked and analyzed. This guide covers practical techniques for login monitoring, brute force detection, and automated alerting on Linux servers.
Monitoring Current Sessions
# Who is logged in
who -u
# What are users doing
w
# Established SSH connections to this host (local port 22; -p shows owning processes only as root)
ss -tnp state established '( sport = :22 )'
The w command shows not just who is logged in but also each user's current command, idle time and login source, which is exactly what you need when deciding whether a session is legitimate.
Login History Analysis
# Recent login history
last -n 20
# Failed login attempts (requires root)
lastb -n 50
# Last login time per user
lastlog
# SSH authentication in journal (-g takes a PCRE pattern, so use | for alternation; the unit is ssh on Debian/Ubuntu)
journalctl -u sshd -g "Accepted|Failed" --no-pager
Brute Force Detection
Brute force attacks target SSH with thousands of password guesses. Detection patterns include:
- Multiple failed logins from a single IP in a short time
- Failed logins for non-existent usernames (dictionary attacks)
- Logins from unusual geographic locations
- Successful login after many failures (possible compromise)
pip install dargslan-login-tracker
dargslan-logins report # Full login analysis
dargslan-logins brute # Brute force detection
dargslan-logins failed # Failed login listing
dargslan-logins active # Current sessions
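The three log-based patterns above can be checked with a few dozen lines of Python. The script below is an added example, not code from the page or from the dargslan tool: it parses the "Accepted"/"Failed" lines sshd writes to auth.log or the journal, keeps a sliding window of failures per source IP, and flags a burst of failures, guesses against non-existent usernames, and a success that follows a burst. The log lines, the year (syslog timestamps carry none), the thresholds and the window length are all constructed assumptions; tune the last two to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog timestamps carry no year; the sample assumes one (assumption).
ASSUMED_YEAR = 2024

# Matches the "Accepted ..." / "Failed ..." lines sshd writes to auth.log or the journal.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one brute-force run that ends in a successful login,
# and one user who mistypes a password once and logs in an hour later.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:00:12 host sshd[1206]: Accepted password for deploy from 203.0.113.7 port 51010 ssh2
Mar  3 10:30:00 host sshd[1301]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 11:30:00 host sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2: RSA SHA256:abc
"""


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {
        "ts": ts,
        "accepted": m["result"] == "Accepted",
        "invalid_user": m["invalid"] is not None,
        "user": m["user"],
        "ip": m["ip"],
        "method": m["method"],
    }


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Apply three patterns: many failures per IP inside a sliding window,
    failures for non-existent users, and a success right after such a burst."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    brute_force = {}                      # ip -> peak failure count seen inside the window
    invalid_users = defaultdict(set)      # ip -> usernames guessed that do not exist
    success_after_failures = []           # (ip, user, failures inside the window)

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if ev["accepted"]:
            if len(q) >= threshold:
                success_after_failures.append((ev["ip"], ev["user"], len(q)))
            continue
        q.append(ev["ts"])
        if ev["invalid_user"]:
            invalid_users[ev["ip"]].add(ev["user"])
        if len(q) >= threshold:
            brute_force[ev["ip"]] = max(brute_force.get(ev["ip"], 0), len(q))

    return {
        "brute_force": brute_force,
        "invalid_users": dict(invalid_users),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["brute_force"].items():
        print(f"[brute force] {ip}: {n} failures inside the window")
    for ip, users in report["invalid_users"].items():
        print(f"[dictionary] {ip} tried non-existent users: {', '.join(sorted(users))}")
    for ip, user, n in report["success_after_failures"]:
        print(f"[possible compromise] {ip} logged in as {user} after {n} failures")
```

Feed it real data with `journalctl -u sshd --no-pager -o short | python3 detect.py` or by reading /var/log/auth.log; the regex only looks at the "Accepted"/"Failed" lines, so "Invalid user" and "Connection closed by authenticating user" lines are ignored and would need their own patterns if you want earlier warning.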
Defense Measures
- Deploy fail2ban for automatic IP blocking after failed attempts
- Use SSH key authentication instead of passwords
- Change the default SSH port from 22 (this only reduces noise from opportunistic scanners; it is not a security control on its own)
- Restrict SSH access with AllowUsers/AllowGroups
- Enable two-factor authentication (Google Authenticator PAM module)
- Use TCP wrappers (/etc/hosts.allow, /etc/hosts.deny) only if your sshd is still linked against libwrap; upstream OpenSSH dropped that support in 6.7, so verify with ldd $(which sshd) | grep libwrap and otherwise rely on firewall rules or sshd Match blocks
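Several of the measures above are sshd_config settings, and the one thing that silently undoes them is sshd's rule that the first occurrence of a keyword wins (everything after the first Match line is conditional, not global). The checker below is an added example, not code from the page: it resolves a config the way sshd does and reports which items of the list are not met. Both config texts are constructed; the management network in the Match block, the port number and the sshusers group are assumptions, and PermitRootLogin is checked in addition to the list because root is the account brute-force tools try first. The PAM two-factor item is not checked here since it needs KbdInteractiveAuthentication and AuthenticationMethods set to match the PAM stack.

```python
import re

# Constructed weak sshd_config. PasswordAuthentication appears twice: sshd keeps the
# FIRST value of each keyword, so the "no" appended at the bottom changes nothing.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (weak, constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, believing it would disable passwords:
PasswordAuthentication no
"""

# Constructed hardened version: keys only, no root, an allowlist group, and a
# Match block that re-enables passwords for one assumed management network only.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowGroups sshusers
MaxAuthTries 3
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# keyword -> (acceptable values, sshd's compiled-in default when the keyword is absent)
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
}


def effective_global(config_text):
    """Global settings sshd would use: first occurrence of a keyword wins, and
    everything from the first Match line to end of file is conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first wins, later duplicates are ignored
    return settings


def audit(config_text):
    """Return (keyword, effective value, problem) for each hardening item not met."""
    eff = effective_global(config_text)
    findings = []
    for key, (acceptable, default) in CHECKS.items():
        value = eff.get(key, default).lower()
        if value not in acceptable:
            findings.append((key, value, "expected one of " + ", ".join(sorted(acceptable))))
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append(("allowusers/allowgroups", "(unset)",
                         "no allowlist: every account with a shell may log in"))
    if eff.get("port", "22") == "22":
        findings.append(("port", "22", "default port: first target of opportunistic scanners"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(text)
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, problem in findings:
            print(f"  {key} = {value}: {problem}")
```

On a live host the authoritative check is sshd itself: `sshd -T` prints the effective configuration after the same first-wins resolution, and `sshd -T -C user=alice,addr=192.0.2.5` shows what a particular connection would get once Match blocks are evaluated. Run `sshd -t` before restarting after any edit.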
Download our free Login Tracking & Security Cheat Sheet for essential monitoring commands. For comprehensive security training, explore our Security & Hardening eBooks.