Una gran herramienta para tener logs es auditd y utilizar para ver los accesos por ssh.

Obs:

•  Utilizo Debian Stretch de 64 bits.

Entramos a la terminal y tecleamos lo siguiente:

sudo apt update
sudo apt install auditd
sudo apt clean && sudo apt autoclean
sudo systemctl start auditd

Usos:

sudo aureport -au -i | more

Sale por pantalla:

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/11/2018 19:13:17 root 192.168.1.21 ssh /usr/sbin/sshd no 25
2. 06/11/2018 20:29:53 root ? /dev/pts/0 /bin/su yes 193
3. 06/11/2018 20:30:32 proyectosbeta 192.168.1.16 ssh /usr/sbin/sshd yes 205
4. 06/11/2018 20:31:55 proyectosbeta ? /dev/pts/0 /usr/bin/sudo yes 218
5. 06/11/2018 20:49:21 proyectosbeta ? /dev/pts/0 /usr/bin/sudo yes 261

Volvemos a teclear en la terminal:

sudo aureport -au -i --success | more

Sale por pantalla:

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/11/2018 20:29:53 root ? /dev/pts/0 /bin/su yes 193
2. 06/11/2018 20:30:32 proyectosbeta 192.168.1.16 ssh /usr/sbin/sshd yes 205
3. 06/11/2018 20:31:55 proyectosbeta ? /dev/pts/0 /usr/bin/sudo yes 218
4. 06/11/2018 20:49:21 proyectosbeta ? /dev/pts/0 /usr/bin/sudo yes 261

Volvemos a teclear en la terminal:

sudo aureport -au -i --failed | more

Sale por pantalla:

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/11/2018 19:13:17 root 192.168.1.21 ssh /usr/sbin/sshd no 25

Volvemos a teclear en la terminal:

sudo aureport -l --success --summary -i | more

Sale por pantalla:

Success Login Summary Report
============================
total auid
============================
1 proyectosbeta