Check Active SSH Connections on Linux with Netstat

Posted: Sep 27, 2015 by Bryan Tong

This is great if you are ever in a situation where seeing active SSH connections would benefit. Maybe for security auditing or dealing with intrusions, even firewall testing. I have found this command to be effective at filtering it out.


netstat -aln | grep ":22  " | grep -v STREAM | grep -v


You should see some output similar to

tcp        0      0    *               LISTEN
tcp        0      0      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN

I have doctored the IP addresses here. The left most IP address in this case on port 22 (which is your server), has a connection established with on port 49351.

If you see any IP addresses in the right or left column that should not be there, it is cause for action.

Please check my other blogs for tips on securing Linux servers on the internet.