{ 6 comments… read them below or add one }

1 Asim December 27, 2006 at 1:27 am

command does not work i’ve tried it in FC5


2 Ash December 28, 2006 at 6:18 pm

I got this among valid addresses:

1 ev/tty2
1 y2

Because sometimes log includes “1 more authentication failure” or “2 more authentication failures” instead of “authentication failure”.

I recommend not to rely on field # 13 and use some more sophisticated command with pattern matching like:

grep “authentication failure” /var/log/messages | sed -n -e “s/.*rhost=\([^ ]*\).*/\1/p” | sort | uniq -c

or similar. A.


3 Ash December 29, 2006 at 8:52 am

sed -n -e “/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p” /var/log/messages | sort | uniq -c

gives interesting results too. Thanks for nice “sort + uniq -c” hint.

Nice site, handy and useful articles… great. Ctrl+D.


4 DM July 6, 2008 at 10:28 pm

Is it good if there is no authentication failure message?


Just secured my server and it all stopped. I use to get a few per hour.


see google secure centos server.


5 kashyap January 7, 2010 at 2:42 pm

guys how abt in ubuntu 9.10 i dont see any thing in /var/log/messages nor in syslog
in the sshd_config it just says under logging
SyslogFacility AUTH
LogLevel INFO


6 Rony January 31, 2010 at 12:06 am

Can I get some basic commands to work on Domino server using Linux.


Leave a Comment

Previous post:

Next post: