How to View Failed SSH Login Attempts on Linux

When someone attempts to login to a server via SSH, it’s recorded in a log file. You can see the date, time, user account, and IP address that attempted to login. In this guide, we’ll show you how.

You might be surprised at what you see when first peering into your authentication log files. There are tons of bots (probably some humans, too) constantly scouring the internet for vulnerable servers. When they find yours, they perform brute force attacks to try and gain SSH access.

On Ubuntu and other Debian-based systems, you’ll find these attempts recorded in /var/log/auth.log. Let’s take a look.

grep "Failed password" /var/log/auth.log

Log of failed SSH login attempts

To see how many attacks were issued by each IP address, try this command.

grep "Failed password" /var/log/auth.log | awk '{print $11}' | uniq -c | sort -nr

List of IP addresses with failed SSH attempts

On CentOS, Fedora, and other RHEL-based systems, the failed attempts are located in /var/log/secure. Use this command to see all of them.

egrep "Failed|Failure" /var/log/secure

As long as you have secure passwords on all user accounts, you’re probably fine. Still, these attacks chew up bandwidth and system resources, so most administrators will choose to harden their server in some way. One such method is to use iptables to prevent SSH brute force attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *