Managing user sessions is a critical security and operational task. Knowing who is logged in, what they are doing, and how long they have been idle helps detect unauthorized access, manage server resources, and maintain compliance. This guide covers practical session management techniques for Linux sysadmins.
Monitoring Active Sessions
# Who is logged in
who -u
# What are they doing (includes load average)
w
# Simple username list
users
# Active SSH connections
ss -tnp dport = :22The w command is the most informative, showing username, TTY, login time, idle time, and current process for each session.
Session Types
Linux sessions come in different types:
- pts/N — Pseudo-terminal (SSH, tmux, screen sessions)
- ttyN — Physical/virtual console
- :N — X11/Wayland graphical session
Idle Session Detection
Idle sessions consume resources and pose security risks. Monitoring idle time helps enforce session policies:
# Set automatic logout for idle sessions
# Add to /etc/profile or ~/.bashrc:
TMOUT=1800 # 30 minutes
export TMOUT
readonly TMOUTLogin History Analysis
# Recent login history
last -n 20
# Failed login attempts
lastb -n 20
# Last login for each user
lastlog
# Total connect time per user
ac -pAutomated Session Management
pip install dargslan-user-sessions
dargslan-sessions report # Full session report
dargslan-sessions active # Current sessions
dargslan-sessions idle 30 # Sessions idle >30 minutes
dargslan-sessions types # Sessions by type
dargslan-sessions last 20 # Recent login historySecurity Best Practices
- Set TMOUT to auto-logout idle sessions
- Use PAM
pam_limits.soto restrict concurrent sessions per user - Monitor for sessions from unexpected IP addresses or countries
- Log and alert on root logins
- Regularly audit active sessions during security reviews
Download our free User Session Management Cheat Sheet. For advanced security techniques, explore our Security & Hardening eBooks.
