Many times users fail to log in properly to their SSH server, often because of incorrect credentials. Did you know that each failed SSH login attempt is logged by the rsyslog daemon in Linux? You may want to keep track of failed SSH login attempts, because if your SSH server is getting too many failed login attempts from unknown IP addresses it might mean that bots, scripts and hackers are trying to gain access to your system. In such cases it may be a good idea to secure your SSH server. In this article, we will look at how to find failed SSH login attempts in Linux. You can use these steps in almost every Linux distribution.
How to Find Failed SSH Login Attempts in Linux
Here are the steps to find failed SSH login attempts in Linux. We will basically parse SSH server log using cat and grep commands to identify failed login attempts. We will be listing various commands for this purpose. But you need to have root or sudo privileges to be able to execute them.
Here is the simplest command to list all failed login attempts.
# sudo grep "Failed password" /var/log/auth.log
OR
# sudo cat /var/log/auth.log | grep "Failed password"
In the above command we basically search for the string “Failed password” in /var/log/auth.log file which records all login attempts.
If you want to view more detailed information about failed SSH logins, use egrep command instead as shown.
# sudo egrep "Failed|Failure" /var/log/auth.log
In RHEL/CentOS systems, the login log file is located at /var/log/secure. So you need to run the above commands for this file.
# sudo grep "Failed password" /var/log/secure
OR
# sudo cat /var/log/secure | grep "Failed password"
You may also search the same file for the string “authentication failure” (or just “Failed”) to find failed logins recorded by PAM.
# sudo grep "Failed" /var/log/secure
OR
# sudo grep "authentication failure" /var/log/secure
All the above commands will display the entire line of log file that matches your search string. However, if you only want to view the IP addresses causing failed logins, then you need to pass the output of above commands to awk command to filter it further and retrieve only IP addresses from them.
# sudo grep "Failed password" /var/log/auth.log | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' | sort | uniq -c | sort -nr
In the above command, grep will filter all lines that match your search string. The awk command prints the word that follows "from" on each line, which is the source IP address; locating "from" rather than a fixed field number means lines such as "Failed password for invalid user admin from 198.51.100.7" are handled as well as "Failed password for root from 203.0.113.5". The first sort groups identical addresses together (uniq only collapses adjacent duplicates), uniq -c collapses each group into a single line prefixed with its count, and the final sort -nr orders the list so the addresses with the most failed attempts appear first.
This will help you identify and blacklist / block suspicious IP addresses.
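The grep and awk pipeline above, wrapped in a shell function and run against a few constructed log lines so it can be tried without root access. This is an added example, not part of the original article: the sample lines, the host name and the IP addresses (taken from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) are made up, and the function names failed_ips and top_failed_ip are this example's own.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log (or /var/log/secure) lines in the
# format written by OpenSSH. Not real log data.
SAMPLE_LOG='Mar 10 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 10 10:01:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar 10 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 10:01:12 host sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 51260 ssh2
Mar 10 10:01:15 host sshd[1209]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2'

# failed_ips: reads log text on stdin and prints one "count ip" line per
# source address of a failed password attempt, busiest address first.
# The awk loop looks for the word "from" and prints the field after it, so
# both "for root from X" and "for invalid user NAME from X" lines are
# attributed to the right address. The first sort is required because
# uniq -c only merges adjacent duplicates.
failed_ips() {
    grep "Failed password" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -nr \
    | awk '{ print $1, $2 }'
}

# top_failed_ip: reads log text on stdin and prints only the address with
# the most failed attempts (empty if there were none).
top_failed_ip() {
    failed_ips | head -n 1 | awk '{ print $2 }'
}

# Demonstration on the constructed sample. Against a real system you would
# run:  sudo cat /var/log/auth.log | failed_ips
printf '%s\n' "$SAMPLE_LOG" | failed_ips
printf 'Top offender: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | top_failed_ip)"
```

On the sample input the function reports 203.0.113.5 with three attempts and 198.51.100.7 with one; the "Accepted publickey" line is ignored because grep only passes "Failed password" lines. The same function works unchanged on /var/log/secure, since RHEL and CentOS write the same sshd message format there.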
Newer Linux systems also provide the journalctl command to query the logs collected by the systemd journal. You will need to pipe the result through grep command as shown below.
# journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"
# journalctl _SYSTEMD_UNIT=sshd.service | egrep "Failed|Failure"    # In RHEL, CentOS
In case of RHEL/CentOS systems, replace ssh.service above with sshd.service as shown.
# journalctl _SYSTEMD_UNIT=sshd.service | grep "failure"
# journalctl _SYSTEMD_UNIT=sshd.service | grep "Failed"
Once you have identified the suspicious IP addresses, you may block them by installing fail2ban or updating firewall rules. Here is how to :
In this article, we have learnt how to keep track of failed SSH login attempts, and also identify the IP addresses which cause them.