Keeping track of who's accessing your Linux servers and what they're doing is crucial for security and troubleshooting. This guide covers the essential tools and techniques to effectively monitor user activity on your Linux systems.
Understanding Linux Authentication Logs
Linux systems record login attempts and user sessions in various log files. The primary authentication log is typically found at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).
To view recent authentication activity:
sudo tail -f /var/log/auth.log
This shows login attempts, successful authentications, and privileged command executions in real-time.
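Tailing the file is good for a quick look, but the same lines can be checked programmatically. The following is an added example (not part of the original guide) that parses constructed sshd and sudo lines in the /var/log/auth.log format, counts failed SSH logins per source address, and flags two things a defender cares about: sources that exceed a failure threshold and a successful login that follows a run of failures from the same address. The sample lines and the threshold value are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sshd and sudo write to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51112 ssh2
Mar  3 10:14:03 web1 sshd[2013]: Failed password for invalid user admin from 203.0.113.9 port 51114 ssh2
Mar  3 10:14:05 web1 sshd[2015]: Failed password for root from 203.0.113.9 port 51116 ssh2
Mar  3 10:14:07 web1 sshd[2017]: Failed password for root from 203.0.113.9 port 51118 ssh2
Mar  3 10:14:09 web1 sshd[2019]: Failed password for root from 203.0.113.9 port 51120 ssh2
Mar  3 10:14:20 web1 sshd[2021]: Accepted password for root from 203.0.113.9 port 51122 ssh2
Mar  3 10:20:00 web1 sshd[2030]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:placeholder
Mar  3 10:20:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Mar  3 10:21:00 web1 sshd[2040]: Failed password for bob from 198.51.100.7 port 40100 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")


def analyze_auth_log(text, threshold=3):
    """Return (failed logins per source IP, list of findings) for auth.log text."""
    failed = defaultdict(int)  # source IP -> number of failed SSH password logins
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            # A success right after repeated failures from the same address is the
            # strongest signal here: it may mean a password guess finally worked.
            if failed.get(ip, 0) >= threshold:
                findings.append(f"success after {failed[ip]} failures: {user} from {ip} via {method}")
            continue
        m = SUDO_RE.search(line)
        if m:  # privileged command executions are logged by sudo on the same file
            findings.append(f"sudo by {m.group(1)}: {m.group(2)}")
    for ip, n in failed.items():
        if n >= threshold:
            findings.append(f"brute-force candidate: {ip} ({n} failed logins)")
    return dict(failed), findings


if __name__ == "__main__":
    for finding in analyze_auth_log(SAMPLE_AUTH_LOG)[1]:
        print(finding)
```

On a live system, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (or /var/log/secure); the regular expressions match the default OpenSSH and sudo message formats.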
Key Commands for User Activity Monitoring
The who and w Commands
The who command displays currently logged-in users:
who
For more detailed information including what users are doing, use w:
w
This shows login times, idle times, and the current processes users are running.
Last Login Information
To see recent login history:
last
For failed login attempts:
lastb
Process Monitoring
Monitor user processes with:
ps aux
Or for a real-time view:
top
Advanced Monitoring Techniques
Configuring auditd
The Linux Audit system provides more granular monitoring of user actions. Install and configure it:
# Install auditd
sudo apt install auditd    # Debian/Ubuntu
sudo yum install audit     # RHEL/CentOS
# Start and enable the service
sudo systemctl enable auditd
sudo systemctl start auditd
Create audit rules to track specific commands or file access. Rules added with auditctl apply immediately but do not survive a reboot; to make them persistent, place them in a file under /etc/audit/rules.d/.
# Track all commands run by root
sudo auditctl -a exit,always -F arch=b64 -F euid=0 -S execve
# Monitor access to sensitive files
sudo auditctl -w /etc/passwd -p rwxa
View audit logs:
sudo ausearch -ua username
Setting Up Process Accounting
Process accounting records every command executed:
# Install accounting
sudo apt install acct      # Debian/Ubuntu
sudo yum install psacct    # RHEL/CentOS
# Enable the service
sudo systemctl enable acct
sudo systemctl start acct
View command history:
# View commands by user
sudo lastcomm username
# View all command executions
sudo sa
Real-time Alerting Solutions
For immediate alerts on suspicious activity, consider:
- Fail2ban: Detects and blocks suspicious login attempts
sudo apt install fail2ban
- OSSEC: Host-based intrusion detection with alerting capabilities
# Install dependencies
sudo apt install build-essential
# Get OSSEC and install
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -xzf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh
- Configure email alerts for important log events using tools like logwatch
Best Practices for User Activity Monitoring
- Centralized logging: Forward logs to a dedicated logging server using rsyslog or a SIEM solution
- Regular log rotation: Ensure logs don't consume all disk space
- Least privilege principle: Limit user permissions to only what's necessary
- SSH key authentication: Use SSH keys instead of passwords
- Bastion hosts: Implement jump servers for accessing critical systems
- Document baseline activity: Know what normal looks like to identify anomalies
Conclusion
Effective user monitoring on Linux servers requires a multi-layered approach combining built-in tools, additional software, and sound security practices. By implementing the techniques covered in this guide, you'll have significantly improved visibility into user activity, allowing you to better protect your systems and respond quickly to suspicious events.
Remember that monitoring should always be balanced with privacy considerations and comply with applicable regulations in your jurisdiction.