How do I find out the recent SSH logins for CentOS and their IP address?

Solution 1:

lastlog(8) will report the most recent information from the /var/log/lastlog facility, if you have pam_lastlog(8) configured.

aulastlog(8) will make a similar report, but from the audit logs in /var/log/audit/audit.log. (Recommended, as auditd(8) records are harder to tamper with than syslog(3) records.)

ausearch -c sshd will search your audit logs for reports from the sshd process.

last(8) will search through /var/log/wtmp for the most recent logins. lastb(8) will show bad login attempts.

/root/.bash_history might contain some details, assuming the goober who fiddled with your system was incompetent enough to not remove it before logging out.

Make sure you check ~/.ssh/authorized_keys files for all users on the system, check crontabs to make sure no new ports are scheduled to be opened at some point in the future, etc. While you really should just rebuild the machine from scratch, it wouldn't hurt to take the time to learn what the attacker did.

Note that all logs stored on the local machine are suspect; the only logs you can realistically trust are forwarded to another machine that wasn't compromised. Perhaps it would be worth investigating centralized log handling via rsyslog(8) or auditd(8) remote machine handling.

Solution 2:

Use:

last | grep [username]

or

last | head
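
The following is an added example, not part of either answer above: it condenses `last -i` output (the wtmp data both solutions rely on) into one line per user/IP pair and marks addresses you do not recognise. The function names, the allow-list argument and the sample records (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise remote logins from `last -i` output read on stdin.
# $1 is a space-separated list of addresses you expect (hypothetical allow-list).
# Output, newest pair first: COUNT USER IP LAST_LOGIN known|REVIEW
summarise_remote_logins() {
    awk -v known="$1" '
        BEGIN { m = split(known, k, " "); for (i = 1; i <= m; i++) ok[k[i]] = 1 }
        # sshd sessions sit on a pseudo-terminal (pts/N); with -i, local
        # sessions and boot records carry 0.0.0.0 in the address column.
        $2 ~ /^pts\// && $3 != "0.0.0.0" {
            key = $1 " " $3
            if (!(key in count)) {          # last prints newest first
                order[++n] = key
                ip[key] = $3
                latest[key] = $4 " " $5 " " $6 " " $7
            }
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                flag = (ip[key] in ok) ? "known" : "REVIEW"
                printf "%d %s %s %s\n", count[key], key, latest[key], flag
            }
        }
    '
}

# Constructed sample in the layout `last -i` prints (not real log data).
sample_last_output() {
    cat <<'EOF'
alice    pts/0        203.0.113.7      Mon Mar  4 09:12   still logged in
root     pts/1        198.51.100.23    Sun Mar  3 02:41 - 02:58  (00:17)
alice    pts/0        203.0.113.7      Sat Mar  2 18:05 - 19:40  (01:35)
reboot   system boot  0.0.0.0          Sat Mar  2 08:00   still running
bob      tty1         0.0.0.0          Fri Mar  1 10:00 - 10:05  (00:05)

wtmp begins Fri Mar  1 09:58:11 2024
EOF
}

# Demo run on the sample; 203.0.113.7 is treated as the only expected address.
sample_last_output | summarise_remote_logins "203.0.113.7"
```

On a live host, pipe `last -i` into `summarise_remote_logins` instead of the sample. The result is only as trustworthy as /var/log/wtmp itself, which, as Solution 1 notes, is a local log.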