How to check ssh logs

Question : How  to Check  ssh  logs?

Answer: For example if your  box is hacked and you want to know  who has did that

  • First check  the  last  logged  existing   in /etc/password  with command  lastlogs
[root@unixmen-Fedora14 ~]# lastlog 
Username         Port     From             Latest
root             pts/1    wsp243101wss.bra Wed Mar  2 15:13:32 +0100 2011
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
smmsp                                      **Never logged in**
sshd                                       **Never logged in**
smolt                                      **Never logged in**
pulse                                      **Never logged in**
gdm                                        **Never logged in**
pirat9           pts/1    10.33.19.127     Fri Jan 28 17:58:32 +0100 2011
mysql                                      **Never logged in**

 

  •  The  second  method  is  to  check  in  the  logs

In Fedora/Centos/RHEL   check   /var/log/secure

in Ubuntu/Ubunut based  check  /var/log/auth

you will  see  something  like

May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 11: missing ":" separator
May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 12: missing ":" separator
May 12 14:58:50 unixmen-Fedora14 sshd[2776]: Connection closed by 127.0.0.1
May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 11: missing ":" separator
May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 12: missing ":" separator
May 12 15:01:21 unixmen-Fedora14 sshd[2869]: Accepted password for root from 10.61.10.131 port 60100 ssh2
May 12 15:01:21 unixmen-Fedora14 sshd[2869]: pam_unix(sshd:session): session opened for user root by (uid=0)

 

  •  To  clear the  logs  just   remove the  content  of  the  files  with :

cat /dev/null > /var/log/auth

cat /dev/null > /var/log/secure

{module user9-footer}