Solved Trying to view active sshd connections

[Mike Z]

Hello everyone, this is my first time posting on the FreeBSD forums.

I recently set up my first FreeBSD server at home. I'm using it as a SFTP server. This is my first experience configuring and attempting to harden a Unix server. I guess, due to my inexperience with servers, I was completely astonished when I checked the /var/log/auth.log file and I saw the enormous number of attempted unauthorized connections after just my first day of deployment.

My question to the community is how can I view active ssh connections to my system? I have tried who(1), and it only shows me logged in locally as root even though I am connected via ssh to my user account on a remote machine. I have also tried w and w -a with similar results (i.e. it doesn't show the remote connection). I have also tried the last command but I can't seem to glean the desired information from the output as it doesn't show remote connections via ssh. Lastly I have tried zgrep sshd /var/log/auth.log but it doesn't show me real time connections. Any advice on how to see active ssh connections would be great!

Thanks

 

[tobik@]

how to see active ssh connections

Try netstat -p tcp | grep ssh

 

[SirDice]

Both w(1) and who(1) will show connections:

dice@molly:~ % w
 8:31AM  up 15 days, 10:01, 1 user, load averages: 0.49, 0.49, 0.58
USER       TTY      FROM                      LOGIN@  IDLE WHAT
dice       pts/1    2001:470:1f15:bcd:8109:a  8:31AM     - w
dice@molly:~ % who
dice             pts/1        Mar 11 08:31 (2001:470:1f15:bcd:8109:a6cc:3f41:785b)

Notice the IPv6 address? That's my source address.

 

[tobik@]

Not if you connect e.g. via ssh -N (SSH never executes a remote command then) or sftp.

 

[kpa]

There's sockstat(8) that can display connected sockets:

sockstat -c46 -p22

 

[Mike Z]

That netstat command worked perfectly tobik. A thousand thanks!