  1. I got this among valid addresses:

    1 ev/tty2
    1 y2

    Because sometimes the log includes “1 more authentication failure” or “2 more authentication failures” instead of “authentication failure”.

    I recommend not relying on field #13 and using a more sophisticated command with pattern matching, like:

    grep "authentication failure" /var/log/messages | sed -n -e "s/.*rhost=\([^ ]*\).*/\1/p" | sort | uniq -c

    or similar. A.

  2. sed -n -e "/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p" /var/log/messages | sort | uniq -c

    gives interesting results too. Thanks for the nice “sort + uniq -c” hint.

    Nice site, handy and useful articles… great. Ctrl+D.
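
The two pattern-based extractions from comments 1 and 2, as an added example that is not code from the commenters or the site. The function names and the sample log lines are constructed for illustration (addresses come from documentation ranges). It goes beyond the comments in two ways: failures with an empty `rhost=` (local console logins) are skipped, and each "N more authentication failures" line is counted as N failures rather than one line.

```shell
#!/bin/sh
# Constructed sample lines; not taken from a real host.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 host sshd(pam_unix)[2201]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Jan 10 03:12:09 host sshd(pam_unix)[2201]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10  user=root
Jan 10 03:15:40 host login(pam_unix)[1840]: authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=bob
Jan 10 03:20:11 host sshd[2210]: Invalid user admin from 198.51.100.7
Jan 10 03:20:15 host sshd[2210]: Invalid user test from 198.51.100.7
EOF
}

# Lines per remote host, keyed on the rhost= token instead of a field number.
# Requiring at least one non-space character drops the empty rhost= case.
pam_failures_by_rhost() {
    grep 'authentication failure' |
        sed -n -e 's/.*rhost=\([^ ][^ ]*\).*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# Failures per remote host: a "N more authentication failures" line adds N.
pam_failures_weighted() {
    awk '/authentication failure/ {
        n = 1
        if (match($0, /[0-9]+ more authentication failure/))
            n = substr($0, RSTART, RLENGTH) + 0   # leading digits only
        if (match($0, /rhost=[^ ]+/))
            hosts[substr($0, RSTART + 6, RLENGTH - 6)] += n
    }
    END { for (h in hosts) print hosts[h], h }' | sort -k2
}

# Source addresses of sshd "Invalid user" attempts (comment 2's pattern).
invalid_user_sources() {
    sed -n -e '/sshd/s/.*Invalid user .* from \([^ ]*\).*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

echo "lines per rhost:";    sample_log | pam_failures_by_rhost
echo "failures per rhost:"; sample_log | pam_failures_weighted
echo "invalid-user sources:"; sample_log | invalid_user_sources
```

To run it against a real log, pipe the file in place of `sample_log`, for example `pam_failures_weighted < /var/log/messages`.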

  3. Is it good if there is no authentication failure message?


    Just secured my server and it all stopped. I used to get a few per hour.


    See Google: secure CentOS server.

  4. Guys, how about in Ubuntu 9.10? I don't see anything in /var/log/messages nor in syslog.
    In the sshd_config it just says, under logging:
    SyslogFacility AUTH
    LogLevel INFO

