Today I see from logwatch report 28 sshd logins
from one user at an IP address in a different
continent than usually seen here.

When I look up this user with last command to see
if this is part of a travel pattern or perhaps their
account is compromised, I don't get any matches.
I've used last and last -f /var/log/wtmp.1
with the user name and there are no matches.

Yet finger shows a login from Apr 24, which jibes with
their last .bash_history update.

One way this could happen is by use of sftp/scp.  Is there
a way to get last to record these sessions as well?
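
An added example, not part of the original post: sshd logs every successful authentication to the auth log whether or not a terminal is allocated, so those "Accepted" lines can be compared against what `last -i` shows for the user. The log path (/var/log/auth.log on Debian), the user names, and all sample lines and addresses below are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/auth.log format (not real data).
AUTH_LOG = """\
Apr 24 10:02:11 host sshd[2101]: Accepted password for alice from 198.51.100.4 port 40112 ssh2
May  3 02:14:50 host sshd[3307]: Failed password for alice from 203.0.113.77 port 51500 ssh2
May  3 02:15:07 host sshd[3310]: Accepted password for alice from 203.0.113.77 port 51514 ssh2
May  3 02:15:09 host sshd[3344]: Accepted password for alice from 203.0.113.77 port 51530 ssh2
May  3 09:30:00 host sshd[3501]: Accepted publickey for bob from 192.0.2.15 port 60022 ssh2: RSA SHA256:constructed
"""

# Constructed `last -i alice` output: only the interactive (pty) login is present.
LAST_OUTPUT = """\
alice    pts/0        198.51.100.4     Tue Apr 24 10:02 - 10:40  (00:38)
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def accepted_logins(log_text, user):
    """Return (timestamp, method, ip) for each successful sshd auth by user."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m and m.group("user") == user:
            hits.append((m.group("ts"), m.group("method"), m.group("ip")))
    return hits

def wtmp_sources(last_text, user):
    """Source addresses in the third column of `last -i` output for user."""
    rows = (line.split() for line in last_text.splitlines())
    return {f[2] for f in rows if len(f) >= 3 and f[0] == user}

def unrecorded_by_last(log_text, last_text, user):
    """Group accepted logins by source address that has no wtmp entry."""
    seen = wtmp_sources(last_text, user)
    out = defaultdict(list)
    for ts, _method, ip in accepted_logins(log_text, user):
        if ip not in seen:
            out[ip].append(ts)
    return dict(out)

if __name__ == "__main__":
    for ip, stamps in unrecorded_by_last(AUTH_LOG, LAST_OUTPUT, "alice").items():
        print(f"{ip}: {len(stamps)} accepted logins, first {stamps[0]}, last {stamps[-1]}")
```

Matching on source address alone is a coarse heuristic; on a real host, feed it the rotated auth logs covering the same period as the wtmp file being checked.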

