Kicking out unwanted SSH Sessions the right way! | SSH Security

Table of Contents

Have you ever ran a process on a server that just took forever, so you left it to run? Perhaps you forgot to plug in your laptop and your terminal’s processes were just left out to dry. Only to log in and see those very same session looming around. You think, “Well, I could just reboot.”  only to remember that your services would just be offline. Maybe you didn’t know a shell was still logged in. Perhaps it startled you that someone else could be logged in as you. We will help you learn how to find out. This will take a combination of commands that will help you first identify the process then terminate them as needed. There are some commands that can really help this situation out from the start. Screen and Tmux are both great tools that can help facilitate attaching and detaching from a session with two very different philosophies. 

Today we will go over some best practices to help you avoid having to worry about ghost terminals.  We will help you learn how to identify the process that needs to be terminated. Finally, we will show you how to kill said process that is hanging. Now let’s get to know a little more about SSH sessions.

Best Practices

The first thing to remember when doing a task that can take some time in session is that you want your workstation to be stable. You don’t want random sleep modes, or battery issues in the case of a laptop. So plug in and adjust your power settings that way they don’t interfere with your workflow.

Next you can use a few good session practices. Make sure to always exit properly in the first place. There are a few shortcuts when closing programs. Most times you’re going to want to type exit or if you would like to type three fewer characters just make an alias, so you can just type E. Making it more convenient. Otherwise, you may end up having ghost sessions left hanging that you just don’t want.

					alias E=exit
This is how you can add an alias to your bashrc file.

Another thing to consider is your web connection. If your web connection is not as reliable as you would like, then you may have a harder time. Nothing like a broken pipe to make you have to start over.

Session Identification

The first thing we need to do to identify the session or sshd process is to log back into our server. We will then need to work out which process is which. So, we will go over a few commands that can help you look at the data in a way that you appreciate the most.

					who -u
This is a "who -u" printout to show you what you will see after executing the command.

Now you can see that all logged-in sessions. You will find your current session will be indicated by a dot on the same row you will find your active PID or process identification number. We can look at this in a few different ways.

					ss | grep -i ssh

As you can see here, we have a way to see both the incoming and destination IP listed here. This is more useful if you think it is not you who is logged in, and you want to find out. If it is an intruder, then you may want to check out my blog on Top 5 settings to harden your Linux SSH Server. You can also block this IP in several ways depending on your setup. Moving on we can see what is still running like so.

					last -a | grep -i still
This is the "last -a | grep -i still" printout to show you what you will see after executing the command.

This can really help you understand what is still running. Now we have time for one last command to help us go fishing for this data. Here we have one of the longer commands using pipe to connect not just two but three commands.

					ps auxwww | grep sshd: | grep -v grep
this is the "ps auxwww | grep sshd: | grep -v grep" printout to show you what you will see after executing the command.

You can see here that you get the data related to the user logged in. These are all great ways to get information to help get your PID and session names. This will be significant to what we will do next.

Session Termination

You will notice that you can really see your session and maybe one other. You might want to know what the other session is doing before you terminate it. Furthermore, you can see that like this.


This will show a much more detailed set of information, from uptime, to running processes. Including everything that like logged in IP. Not bad for a single letter command. In order for us to terminate the session we need to look at the prior information that we got from the who -u printout. We will need to take note of the PID. That way we can go ahead and kill it like so.

					sudo kill -HUP PID_here

We used the SIGHUP signal here. If for any reason this does not do the job you can go ahead and kill it out right.

					sudo kill -9  PID_here

You can see here that we used the SIGKILL signal. This will most oftentimes take care of the job. We can also go about this another way to help scope it down to a user. All you have to do is add the -u option and the username of the session to terminate.

					sudo pkill -HUP -u linux

This just specifies the user to kick off named linux here. And we are using a combination of PKILL and the SIGHUP signal. It is worth taking note that you should talk to this person to give them a warning. As they could be a co-worker or a business partner. You can even give them a time limit.

					echo "Your login session is going to be terminated in 120 seconds, save your work now!" | write linux pts/0 && sleep 120
This is what the goodbye message to the session user you are about to disconnect.

This gives them a warning about saving their work before we terminate their session. This is not always needed if this person should not be there, or it was just one of your ghosts. Remember to check out all of our blogs on SSH, as we are building up good practices every step of the way. Helping you build a  stronger network connection than if you just go out there with default sshd settings. Just remember to look out for blogs about Screen and Tmux respectively. Thanks for reading.

Meet the Author

Leave a Reply

Your email address will not be published. Required fields are marked *