Basic Potential SSH Compromise Test

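This lists all logins, oldest first, excluding those from your own IP address. The -F and -w options make grep treat the address as a literal, whole string, so a similar-looking address is not filtered out by accident.

last | tac | grep -vwF 'YOUR-IP-HERE'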

Check the current user's shell history for password changes and cross-reference them with the logins above.

history | grep passwd

Finally, run a whois lookup on any suspicious IP address. This isn’t foolproof, since it is very easy to disguise where a connection really comes from, but it should give you an idea of whether your system has accepted potentially dangerous connections. I recommend locking SSH down to specific IP addresses.
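The login check above, written as a reusable filter (an added example, not part of the original post). The function names unknown_logins and sample_last are hypothetical, the sample lines are constructed with documentation-range addresses, and only IPv4 sources are handled. It compares addresses exactly, so allowlisting 203.0.113.7 does not also hide 203.0.113.70.

```shell
#!/bin/sh
# Summarise remote logins from `last`-style output, skipping allowlisted IPs.

# Constructed sample in the layout `last` prints (not real log data).
sample_last() {
cat <<'EOF'
alice    pts/0        203.0.113.7      Mon Mar  4 09:12   still logged in
root     pts/1        198.51.100.23    Sun Mar  3 02:41 - 02:55  (00:14)
alice    pts/0        203.0.113.7      Sat Mar  2 18:20 - 19:02  (00:42)
root     pts/2        198.51.100.23    Sat Mar  2 02:37 - 02:39  (00:02)
bob      pts/1        203.0.113.70     Sat Mar  2 11:00 - 11:05  (00:05)
alice    tty1                          Sat Mar  2 08:05 - 08:30  (00:25)
reboot   system boot  5.15.0-91-generic Sat Mar  2 08:00   still running

wtmp begins Fri Mar  1 00:00:00 2024
EOF
}

# unknown_logins ALLOWED_IP...   (reads `last` output on stdin)
# Prints "count user ip" for every IPv4 source that is not allowlisted,
# most frequent first.
unknown_logins() {
    awk -v allow="$*" '
        # Build an exact-match allowlist from the space-separated arguments.
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Field 3 is the remote host on pts lines; console logins and
        # reboot records have no IPv4 address there and are skipped.
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { seen[$1 " " $3]++ }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Demo on the constructed sample. Live use: last -i | unknown_logins YOUR-IP-HERE
sample_last | unknown_logins 203.0.113.7
```

Each address it prints is a candidate for the whois lookup, and the user column shows which account to cross-reference against password changes.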
