Check Active SSH Connections on Linux with Netstat

Posted: Sep 27, 2015 by Bryan Tong

This is great if you are ever in a situation where seeing active SSH connections would benefit. Maybe for security auditing or dealing with intrusions, even firewall testing. I have found this command to be effective at filtering it out.

Command

netstat -aln | grep ":22  " | grep -v STREAM | grep -v 127.0.0.1

Result

You should see some output similar to

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.92.131:22       192.168.232.5:49351      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN

I have doctored the IP addresses here. The left most IP address in this case 192.168.92.131 on port 22 (which is your server), has a connection established with 192.168.232.5 on port 49351.

If you see any IP addresses in the right or left column that should not be there, it is cause for action.

Please check my other blogs for tips on securing Linux servers on the internet.