When someone attempts to log in to a server via SSH, it’s recorded in a log file. You can see the date, time, user account, and IP address that attempted to log in. In this guide, we’ll show you how.
You might be surprised at what you see when first peering into your authentication log files. There are tons of bots (probably some humans, too) constantly scouring the internet for vulnerable servers. When they find yours, they perform brute force attacks to try and gain SSH access.
On Ubuntu and other Debian-based systems, you’ll find these attempts recorded in /var/log/auth.log. Let’s take a look.
grep "Failed password" /var/log/auth.log
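To see how many attacks were issued by each IP address, try this command. The address is taken as the fourth field from the end of the line, which stays correct for "invalid user" entries, and the first sort groups identical addresses together so that uniq -c can count them.
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr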
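The command above counts one attempt per log line. As an added example (not part of the original guide), the function below also adds in the attempts that rsyslog folds into "message repeated N times" lines; the host name, addresses and log lines in sample_log are constructed sample data.

```bash
#!/usr/bin/env bash
# Count failed SSH password attempts per source address.
# Reads sshd log lines on stdin, prints "<count> <address>", busiest first.
failed_by_ip() {
  awk '
    NF >= 5 && /Failed password for/ {
      # The user name comes from the client and may contain spaces, so anchor
      # on the fixed tail "from <address> port <n> ssh2" instead of counting
      # fields from the left.
      if ($(NF - 4) != "from" || $(NF - 2) != "port") next
      ip = $(NF - 3)
      n = 1
      # rsyslog can fold duplicates into "message repeated N times: [ ... ]";
      # that line stands for N further attempts.
      if (match($0, /\]: message repeated [0-9]+ times: \[/))
        n = substr($0, RSTART + 20) + 0
      count[ip] += n
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges, made-up host name).
sample_log() {
  cat <<'EOF'
Jan 10 03:11:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 10 03:11:03 web1 sshd[811]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 40122 ssh2]
Jan 10 03:11:09 web1 sshd[815]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Jan 10 03:11:12 web1 sshd[817]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Jan 10 03:12:00 web1 sshd[820]: Accepted password for deploy from 192.0.2.10 port 50022 ssh2
Jan 10 03:12:05 web1 sshd[822]: Failed password for invalid user test user from 198.51.100.23 port 51600 ssh2
EOF
}

# Demo run on the sample data.
sample_log | failed_by_ip
```

On a live system, feed it the real log instead, for example failed_by_ip < /var/log/auth.log (or /var/log/secure on RHEL-based systems).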
On CentOS, Fedora, and other RHEL-based systems, the failed attempts are located in /var/log/secure. Use this command to see all of them.
grep -E "Failed|Failure" /var/log/secure
As long as you have secure passwords on all user accounts, you’re probably fine. Still, these attacks chew up bandwidth and system resources, so most administrators will choose to harden their server in some way. One such method is to use iptables to prevent SSH brute force attacks.