ssh_login

Event short description: ssh_login

This event is raised every time an ssh connection to the server is detected, which makes it possible to track ssh logins.

Background

This event is especially useful for knowing when a successful ssh login was received on the server. It indicates the user that connected and the IP address the connection came from.
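
The same information (user and source IP of each successful login) can be cross-checked against the server's own sshd log. The following is an added example, not part of the product or of the original article: it assumes OpenSSH's standard "Accepted ... for ... from ... port ..." log format, and the sample lines, user names and the EXPECTED_NETWORKS allowlist are constructed for illustration.

```python
import ipaddress
import re

# OpenSSH logs a successful authentication as:
#   Accepted <method> for <user> from <ip> port <port> ssh2
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (documentation address ranges, made-up users).
SAMPLE_LOG = """\
Mar  4 09:12:01 web01 sshd[2211]: Failed password for root from 203.0.113.50 port 40112 ssh2
Mar  4 09:14:37 web01 sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 51514 ssh2: RSA SHA256:constructed
Mar  4 09:20:05 web01 sshd[2304]: Accepted password for alice from 198.51.100.23 port 60022 ssh2
Mar  4 09:21:40 web01 sshd[2310]: Invalid user admin from 203.0.113.50 port 40200
Mar  4 09:30:00 web01 sshd[2400]: Accepted password for bob from 2001:db8::5 port 50000 ssh2
"""

# Hypothetical allowlist of networks that logins are expected from.
EXPECTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_logins(log_text):
    """Return one dict per successful login: user, ip, method."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and other sshd messages are skipped
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # source is not a valid IP address, ignore the line
        logins.append({"user": m.group("user"), "ip": ip,
                       "method": m.group("method")})
    return logins


def unexpected_logins(logins, networks=EXPECTED_NETWORKS):
    """Logins whose source IP is outside every expected network."""
    return [l for l in logins
            if not any(l["ip"] in net for net in networks)]


if __name__ == "__main__":
    for l in unexpected_logins(parse_logins(SAMPLE_LOG)):
        print(f"review: {l['user']} from {l['ip']} via {l['method']}")
```

Logins flagged this way are candidates for the two actions described under Resolution: blocking the source IP or disabling the user.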

Resolution

In general, all ssh logins should be controlled by a firewall and strong passwords. The ssh_login event shouldn’t be used as a feature to protect against unauthorized ssh logins. However, these events also serve as additional information about who logs in through ssh and from where.

If you think this connection shouldn’t have happened, you can block that account by:

  1. Blocking the source IP. See the next article to learn how.
  2. Disabling the user that logged in through ssh. See below.

Disable ssh user

To disable an ssh user, do the following:

  1. Select the machine, for example by clicking on the event and then clicking on “Show machine”.
  2. Inside the machine, select the application “System users”.
  3. Click on the options tree on the left side to list all users.
  4. Click on the user you want to disable; a new panel will appear.
  5. Remove the user directly from there by clicking on the “Remove user” button, or disable it by unchecking the “Is active” checkbox and then clicking on “Edit user”.