How do I SSH and remove all previous SSH activity history?

Solution 1

The answer to this lies in sshd.conf and sshd_config (server) and ssh_config (client). Depending on the log level it logs to /var/log/syslog (default) and/or /var/log/auth.log (loglevel 'verbose' contains ssh login attempts).

If present /var/log/secure also contains an access log.

You will need root/sudo access to edit any of these files: they will be word-readable but not world-editable.

Next to that. Besides the login from the ssh daemon the command last also shows (failed) logins from ssh. The information for this command comes from /var/log/wtmp (There will be several more I bet).

And there is also the probability the sysadmin installed auditd or logwatch making it practically impossible to hide activity since they could get a notice based on activity undoing the registration of the ssh activity impossible.

Example of /var/log/auth.log:

Aug 10 10:10:10 rinzwind sshd[3653]: Invalid user text from {ipadress}
Aug 10 10:10:10 rinzwind sshd[3653]: Excess permission or bad ownership on file /var/log/btmp
Aug 10 10:10:10 rinzwind sshd[3653]: error: Could not get shadow information for NOUSER
Aug 10 10:10:10 rinzwind sshd[3653]: Failed password for invalid user test from {ipadress} port {port} ssh2
Aug 10 10:10:10 rinzwind sshd[3653]: Excess permission or bad ownership on file /var/log/btmp

Solution 2

You would want to look at /var/log/messages and/or /var/log/syslog.

Related videos on Youtube

06 : 04

Learn SSH In 6 Minutes - Beginners Guide to SSH Tutorial

codebubb

291

14 : 16

SSH Session Management & Activity Logging via AWS SSM

SkildOps

230

03 : 45

[🔴LIVE] Basic SSH Commands you should learn about| PuTTy

Red Server Host

19

14 : 41

Delete SSH Authorized Keys from Linux server

LinuxHowTo

5

02 : 03

Ubuntu: How do I SSH and remove all previous SSH activity history? (2 Solutions!!)

Roel Van de Paar

3

Author by

Oxwivi

Updated on September 18, 2022