Check the SSH commands executed by users

If you are giving Shell access to your web hosting users you might want to check what commands they are using. In cPanel, there is a file in the user’s home directory that keeps the SSH history.

The file is /home/username/.bash_history
The dot in from of the filename means the file is hidden. You can use the cat command to see the file content:

# cat /home/username/.bash_history
root@web [/home/test]# cat .bash_history
free -m
cd /
du -sh /home
du -sh /home/test
root@web [/home/test]#

Notice that the .bash_history file is owned by the user, so the user can modify it anytime.

epoch time ssh
Epoch Time converter

The lines starting with # contain the time (in Unix/Epoch Time format) when the command was run. Below we put a link to a site where you can convert the Unix Time to human-readable time. Or more easily you can use the date command:

root@web [/home/test]# date -d @1584543556
Wed Mar 18 09:59:16 CDT 2020
root@web [/home/test]#

To automatically convert the dates, you can use a command like:

# paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'

This will concatenate the date and command rows and will change the date format. Our file example will be:

# /home/plothost$ paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'
03/14/18 08:14:44   exit
03/18/20 10:36:56   ls
03/18/20 10:36:58   w
03/18/20 10:36:59   top
03/18/20 10:37:10   free -m
03/18/20 10:37:14   uptime
03/18/20 10:37:18   cd /
03/18/20 10:37:20   ls
03/18/20 10:37:31   du -sh /home
03/18/20 10:37:47   du -sh /home/test
03/18/20 10:38:01   exit

Wikipedia Unix Time/Epoch Time
Epoch Time Converter

Leave a Reply