Find Out All Failed SSHD Login Attempts on Linux / Unix

Sshd (the OpenSSH server) replaces the older rlogin, rsh and telnet services and provides secure, encrypted communication between two untrusted hosts over an insecure network. However, an OpenSSH server is exposed to many password guessing and cracking attacks. Use the following commands to find all failed sshd login attempts on Linux or Unix-like systems.

All failed ssh login attempts are logged and saved on the server. You can use the cat, awk or grep command to display the IP address and other information associated with such attempts.

How to find all failed SSHD login Attempts in Linux

  1. Use the grep command to find authentication failure messages in the /var/log/secure or /var/log/auth.log file
  2. Run the awk and cut commands to print the IPs/hostnames
  3. Execute the sort command to sort the data
  4. Use the uniq command to count the total failed sshd login attempts on Linux or Unix

Procedure

1) Log in as the root user

2) Type the following command at the shell prompt:

 grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7-  | sort | uniq -c

Output:

 1 216.12.193.35
 2 DEVssh
 2 hack.baddomain.net
 ...
 ..
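The pipeline above hard-codes awk field 13, which shifts on lines such as "PAM 2 more authentication failures" and then prints fragments like "y2" instead of an address. The following is an added example, not the article's own command: a POSIX shell function (hypothetical name failed_by_rhost) that pattern-matches the rhost= value instead of a field position, counts "N more" lines as N attempts, and runs on constructed sample log lines rather than a real /var/log/secure.

```shell
#!/bin/sh
# Added example, not the article's own command. Instead of trusting awk
# field 13 (which shifts on "PAM N more authentication failures" lines), it
# pattern-matches the rhost= value and counts "N more" lines as N attempts.

# Constructed sample lines in the pam_unix/sshd format (not from a real host).
# On a real system read /var/log/secure (RHEL) or /var/log/auth.log (Debian).
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:01:02 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jan 12 10:01:05 host sshd[1234]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Jan 12 10:02:17 host sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Jan 12 10:03:44 host sshd[1251]: Invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 12 10:04:00 host sshd[1260]: Accepted publickey for alice from 192.0.2.9 port 40122 ssh2
EOF
)

# failed_by_rhost (hypothetical name): read log lines on stdin and print
# "<attempts> <rhost>" per source host, busiest source first.
failed_by_rhost() {
    awk '
        /sshd/ && /authentication failure/ && match($0, /rhost=[^ ]+/) {
            # strip the 6-char "rhost=" prefix from the matched text
            host = substr($0, RSTART + 6, RLENGTH - 6)
            n = 1
            # "PAM 2 more authentication failures" summarises 2 extra attempts
            if (match($0, /[0-9]+ more authentication failures/))
                n = substr($0, RSTART, RLENGTH) + 0   # leading number -> 2
            count[host] += n
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Prints "3 203.0.113.5" then "1 198.51.100.7"; lines without a failure or
# without an rhost value (like the Accepted line) are ignored.
printf '%s\n' "$SAMPLE_LOG" | failed_by_rhost
```

To run it against a live host, replace the sample with `failed_by_rhost < /var/log/secure` (or /var/log/auth.log on Debian/Ubuntu).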

Conclusion


7 comments
  • kalyanachakravarthy Jan 25, 2017 @ 10:02

    RHEL 7:

    grep "authentication failure" /var/log/secure | cut -d'=' -f8 | sort |uniq -c

  • Rony Jan 31, 2010 @ 0:06

    Can I get some basic commands to work on a Domino server using Linux?

  • kashyap Jan 7, 2010 @ 14:42

    Guys, how about in Ubuntu 9.10? I don't see anything in /var/log/messages nor in syslog.
    In the sshd_config it just says under logging:
    SyslogFacility AUTH
    LogLevel INFO

  • DM Jul 6, 2008 @ 22:28

    Is it good if there is no authentication failure message?

    hehehehe

    Just secured my server and it all stopped. I used to get a few per hour.

    nice!

    See Google: "secure centos server".

  • Ash Dec 29, 2006 @ 8:52

    sed -n -e '/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p' /var/log/messages | sort | uniq -c

    gives interesting results too. Thanks for the nice "sort + uniq -c" hint.

    Nice site, handy and useful articles... great. Ctrl+D.

  • Ash Dec 28, 2006 @ 18:18

    I got this among valid addresses:

    1 ev/tty2
    1 y2

    Because sometimes the log includes "1 more authentication failure" or "2 more authentication failures" instead of "authentication failure".

    I recommend not relying on field #13 and using a more sophisticated command with pattern matching, like:

    grep "authentication failure" /var/log/messages | sed -n -e 's/.*rhost=\([^ ]*\).*/\1/p' | sort | uniq -c

    or similar. A.

  • Asim Dec 27, 2006 @ 1:27

    The command does not work; I've tried it in FC5.
