Check the SSH commands executed by users

If you are giving Shell access to your web hosting users you might want to check what commands they are using. In cPanel, there is a file in the user’s home directory that keeps the SSH history.

The file is /home/username/.bash_history
The dot in from of the filename means the file is hidden. You can use the cat command to see the file content:

# cat /home/username/.bash_history
root@web [/home/test]# cat .bash_history
#1521029684
exit
#1584542216
ls
#1584542218
w
#1584542219
top
#1584542230
free -m
#1584542234
uptime
#1584542238
cd /
#1584542240
ls
#1584542251
du -sh /home
#1584542267
du -sh /home/test
#1584542281
exit
root@web [/home/test]#

Notice that the .bash_history file is owned by the user, so the user can modify it anytime.

epoch time ssh
Epoch Time converter

The lines starting with # contain the time (in Unix/Epoch Time format) when the command was run. Below we put a link to a site where you can convert the Unix Time to human-readable time. Or more easily you can use the date command:

root@web [/home/test]# date -d @1584543556
Wed Mar 18 09:59:16 CDT 2020
root@web [/home/test]#

To automatically convert the dates, you can use a command like:

# paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'

This will concatenate the date and command rows and will change the date format. Our file example will be:

# /home/plothost$ paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'
03/14/18 08:14:44   exit
03/18/20 10:36:56   ls
03/18/20 10:36:58   w
03/18/20 10:36:59   top
03/18/20 10:37:10   free -m
03/18/20 10:37:14   uptime
03/18/20 10:37:18   cd /
03/18/20 10:37:20   ls
03/18/20 10:37:31   du -sh /home
03/18/20 10:37:47   du -sh /home/test
03/18/20 10:38:01   exit

Resources:
Wikipedia Unix Time/Epoch Time
Epoch Time Converter

Leave a Reply