sshd (the OpenSSH server) replaces the older rlogin, rsh and telnet services and provides secure, encrypted communication between two untrusted hosts over an insecure network. However, OpenSSH is exposed to password-guessing attacks, and a quick count of failed logins per source host tells you who is hammering the server. Use the following commands to find all failed login attempts:
a) Use the grep command to find the authentication failure messages in the /var/log/secure file.
b) Use the awk and cut commands to print the IPs/hostnames.
c) Use the sort command to sort the data.
d) Use the uniq command to print the total number of failed login attempts per host.
Procedure
1) Login as the root user
2) Type the following command at shell prompt:
grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7- | sort | uniq -c
Output:
1 216.12.193.35
2 DEVssh
2 hack.baddomain.net
...
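The pipeline above relies on rhost= always being the 13th whitespace-separated field, which only holds for one exact message layout. The script below is an added example (not part of the original article) that extracts the rhost= value by pattern instead of by position and adds a simple threshold check a defender would use for alerting. The log lines are constructed samples in the pam_unix / sshd message format as I know it; they are not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original article: count failed SSH logins per
# remote host by matching the rhost= field rather than a fixed field number,
# so lines such as "PAM 2 more authentication failures; ..." (where the field
# positions shift) are still attributed to the right host.

# Constructed sample log (assumed pam_unix / sshd message format; these are
# not real entries from any system).
SAMPLE_LOG="${TMPDIR:-/tmp}/secure.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:01:02 host sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Mar  1 10:01:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  1 10:01:09 host sshd[2101]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Mar  1 10:02:31 host sshd[2110]: Invalid user admin from 198.51.100.7
Mar  1 10:02:33 host sshd[2110]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar  1 10:03:00 host sshd[2115]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2
EOF

# Count "authentication failure" events per remote host in log file $1.
# Output is normalised to "count host", most frequent host first.
count_failed_logins() {
    grep 'authentication failure' "$1" \
      | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Count "Invalid user" probes (attempts against accounts that do not exist)
# per remote host in log file $1, same output shape as above.
count_invalid_users() {
    sed -n 's/.*sshd\[[0-9]*\]: Invalid user .* from \([^ ]*\).*/\1/p' "$1" \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Print the hosts in log file $1 with at least $2 authentication failures;
# a minimal alert threshold for a cron job or a monitoring check.
hosts_over_threshold() {
    count_failed_logins "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

echo "Failed logins per host:"
count_failed_logins "$SAMPLE_LOG"
echo "Invalid-user probes per host:"
count_invalid_users "$SAMPLE_LOG"
echo "Hosts with 2 or more failures:"
hosts_over_threshold "$SAMPLE_LOG" 2
```

Run it as `sh script.sh`; to use it on a real system, point the functions at /var/log/secure (Red Hat-style) or /var/log/auth.log (Debian-style) instead of the constructed sample file.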
6 comments
The command does not work; I've tried it in FC5.
I got this among valid addresses:
1 ev/tty2
1 y2
Because sometimes the log includes "1 more authentication failure" or "2 more authentication failures" instead of "authentication failure".
I recommend not relying on field #13 and using a more sophisticated command with pattern matching, like:
grep "authentication failure" /var/log/messages | sed -n -e "s/.*rhost=\([^ ]*\).*/\1/p" | sort | uniq -c
or similar. A.
sed -n -e "/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p" /var/log/messages | sort | uniq -c
gives interesting results too. Thanks for the nice "sort + uniq -c" hint.
Nice site, handy and useful articles… great. Ctrl+D.
Is it good if there is no authentication failure message?
hehehehe
Just secured my server and it all stopped. I used to get a few per hour.
nice!
see google secure centos server.
Guys, how about Ubuntu 9.10? I don't see anything in /var/log/messages nor in syslog.
In sshd_config it just says, under logging:
SyslogFacility AUTH
LogLevel INFO
Can I get some basic commands to work on Domino server using Linux.