How can defenders detect 'notty' SSH connections and other stealthy SSH activity?
Defenders can detect notty connections by reviewing `/var/log/auth.log` for authentication records and by running `netstat -vatn` to list current TCP connections. Failed login attempts are still logged in `/var/log/btmp` (readable with `lastb`). Hardening the SSH daemon configuration (following guides such as the one from putorius.net) and monitoring for unusual connection patterns also help. For Windows-specific log evasion, refer to Penetration Techniques - Stealth Execution of Windows Remote Assistance.