How to see incoming ips in my ssh server for scp and ssh

How I can know the ip’s that try to access to my server, like
the ip try to copy files using SCP command
the ip try to login using user account “I have some user account on my server”
for all time, not for real time, or where Ubuntu save log file for ssh and scp login ??

I am going to break down the answer into two groups.

How to see incoming IP addresses when using the ssh

Say client run

ssh foo@server-ip

Then you can see their IP address using the w or who command on the Linux server:

who
w

The w displays information about the users currently on the machine and their processes, including FROM section indicating their IP. Example:

 05:19:46 up 17:23,  1 user,  load average: 0.00, 0.05, 0.03
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
monkad   pts/0    192.168.1.138    05:15    0.00s  0.07s  0.01s sshd: ubuntu [priv]          

ssh log file on the server

The second place is to look inside the /var/log/auth.log file when using Debian or Ubuntu Linux:

tail -f /var/log/auth.log
grep "ip-address" /var/log/auth.log
grep "userName" /var/log/auth.log

For RHEL and CentOS look for the /var/log/secure file:

tail -f /var/log/secure
grep "ip-address" /var/log/secure
grep "userName" /var/log/secure

How to monitor file copies with scp and IP address

You can see login information such as username and IP address in /var/log/auth.log or /var/log/secure but it will not tell you anything like it was scp or ssh or rsync or what files were copied using the scp. So, currently, it is not possible and is not supported by the scp command to log file names. The scp command is deprecated. Recommend CLI alternatives are:

  1. rsync
  2. sftp
  3. Any GUI tool that either use sftp or rsync protocol

Configuring sftp server to log file names, user names and IP address

You can configure sftp-server to log various information in a file in /etc/sshd/sshd_config section. Look for the following line:

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

Update it as follows:

Subsystem       sftp    /usr/lib/openssh/sftp-server -l INFO

Reload the service:

sudo systemctl reload sshd

Then you will see scp log as follows including username, IP and files:

Aug 25 05:41:35 box01 sftp-server[530708]: session opened for local user monkad from [192.168.1.138]
Aug 25 05:41:46 box01 sftp-server[530708]: open "/home/monkad/./resolv.conf" flags WRITE,CREATE,TRUNCATE mode 0644
Aug 25 05:41:47 box01 sftp-server[530708]: close "/home/monkad/./resolv.conf" bytes read 0 written 80

I hope this clarifies the topic. Let us know if you have any more questions.

cannot open ‘/var/log/auth.log’ for reading: No such file or directory
cannot open ‘/var/log/secure’ for reading: No such file or directory
:roll_eyes: :roll_eyes:

Are you running command as root user? Maybe try it as

sudo ls /var/log/

Can you list files? Are you on Ubuntu or Debian? Tell us your OS name.

I already root " Ubuntu 18.04.5 LTS "
this files and folders

alternatives.log dist-upgrade installer landscape mail.err nginx
apt dpkg.log journal lxd mail.log unattended-upgrades

@cryptops
Make sure the following line exists in /etc/rsyslog.d/50-default.conf

auth,authpriv.*			/var/log/auth.log

If not add it and then restart the service:

systemctl restart rsyslog.service

@nixcraft @monk
I used this command,

find .  -name \*.log -ls 

but I don’t know if there are log files with different extensions,
However, I couldn’t figure out who copied the files SCP


Linux sysadmin blog - Linux/Unix Howtos and Tutorials - Linux bash shell scripting wiki