Linux: How do I find out all failed login attempts via ssh/telnet?
If you use ssh as your remote login service, you can find all failed login attempts via ssh or telnet (don't use telnet) as follows:
- Use the grep command to find authentication failure messages in the /var/log/messages file
- Use the awk and cut commands to print the IPs/hostnames
- Use the sort command to sort them
- Use the uniq command to print the number of failed login attempts for each IP/hostname
Procedure
1) Log in as the root user
2) Type the following command at the shell prompt:
# grep "authentication failure" /var/log/messages|awk '{ print $13 }' | cut -b7- | sort | uniq -c
Output:
1 216.12.193.35
2 DEVssh
2 hack.baddomain.net
...
..
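The command above takes the host from field 13, which only holds when every matching line has the same layout; lines such as "PAM 2 more authentication failures" or a console login with an empty rhost= shift or blank that field. The following is an added example, not part of the original article: it matches rhost= wherever it appears and weights the "N more" lines. The function names sample_log and failed_by_rhost and the log lines are constructed for illustration, in pam_unix message format.

```shell
#!/bin/sh
# Added example: count failed logins per remote host by matching rhost=
# wherever it appears, instead of trusting a fixed field number.

# Constructed sample log lines (documentation IP ranges, made-up hosts).
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 srv sshd(pam_unix)[2301]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
Jan 10 03:12:09 srv sshd[2301]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Jan 10 03:15:44 srv sshd[2310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=scanner.example.net
Jan 10 03:20:02 srv login(pam_unix)[911]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=bob
Jan 10 03:21:30 srv sshd[2344]: Accepted password for alice from 198.51.100.4 port 50122 ssh2
EOF
}

# failed_by_rhost [FILE...]: print "count host" lines, highest count first.
# Reads standard input when no file is given.
failed_by_rhost() {
    awk '
    /authentication failure/ {
        n = 1
        # "PAM 2 more authentication failures" stands for 2 attempts.
        if (match($0, /PAM [0-9]+ more authentication failure/))
            n = substr($0, RSTART + 4) + 0
        # An empty rhost= means a console/tty login, not a remote host.
        host = "(local)"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^rhost=./) host = substr($i, 7)
        count[host] += n
    }
    END { for (h in count) print count[h], h }
    ' "$@" | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real system pass the log file,
# e.g. failed_by_rhost /var/log/messages
sample_log | failed_by_rhost
```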
Discussion on This Article:
Command does not work; I’ve tried it in FC5.
I got this among valid addresses:
1 ev/tty2
1 y2
Because sometimes the log includes “1 more authentication failure” or “2 more authentication failures” instead of “authentication failure”.
I recommend not relying on field #13 and using some more sophisticated command with pattern matching like:
grep "authentication failure" /var/log/messages | sed -n -e 's/.*rhost=\([^ ]*\).*/\1/p' | sort | uniq -c
or similar. A.
sed -n -e '/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p' /var/log/messages | sort | uniq -c
gives interesting results too. Thanks for the nice “sort + uniq -c” hint.
Nice site, handy and useful articles… great. Ctrl+D.
Is it good if there is no authentication failure message?
hehehehe
Just secured my server and it all stopped. I used to get a few per hour.
nice!
see google secure centos server.