Find Out All Failed SSHD Login Attempts on Linux / Unix

last updated December 30, 2019 in FreeBSD, Gentoo Linux, Linux, Linux login control, Monitoring, RedHat/Fedora Linux, Security, Ubuntu Linux, UNIX

Sshd (OpenSSH Server) which replace older rlogin and rsh /telnet, and provide secure encrypted communications between two untrusted hosts over an insecure network. However, OpenSSH is open to many password guessing and cracking attacks. Use the following commands to find out all failed SSHD login attempts in Linux or Unix-like systems.

All failed ssh login attempts logged and saved in the server. One can use cat command or awk command or grep command to display IP address and other information associated such attempts.

How to find all failed SSHD login Attempts in Linux

Use the grep command to find out authentication failure message from /var/log/secure or /var/log/auth.log file
Run the awk and cut command to print IPs/hostname
One can execute the sort command to sort data
Use the uniq command to print total failed sshd login attempts in Linux or Unix

Procedure

1) Login as the root user

2) Type the following command at shell prompt:

 grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7-  | sort | uniq -c

Output:

 1 216.12.193.35
 2 DEVssh
 2 hack.baddomain.net
 ...
 ..

Conclusion

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

7 comment

Asim says:

December 27, 2006 at 1:27 am

command does not work i’ve tried it in FC5
Ash says:

December 28, 2006 at 6:18 pm

I got this among valid addresses:

1 ev/tty2
1 y2

Because sometimes log includes “1 more authentication failure” or “2 more authentication failures” instead of “authentication failure”.

I recommend not to rely on field # 13 and use some more sophisticated command with pattern matching like:

grep “authentication failure” /var/log/messages | sed -n -e “s/.*rhost=([^ ]*).*/1/p” | sort | uniq -c

or similar. A.
Ash says:

December 29, 2006 at 8:52 am

sed -n -e “/sshd/s/.*Invalid user (.*) from ([^ ]*).*/2/p” /var/log/messages | sort | uniq -c

gives interesting results too. Thanks for nice “sort + uniq -c” hint.

Nice site, handy and useful articles… great. Ctrl+D.
DM says:

July 6, 2008 at 10:28 pm

Is it good if there is no authentication failure message?

hehehehe

Just secured my server and it all stopped. I use to get a few per hour.

nice!

see google secure centos server.
kashyap says:

January 7, 2010 at 2:42 pm

guys how abt in ubuntu 9.10 i dont see any thing in /var/log/messages nor in syslog
in the sshd_config it just says under logging
SyslogFacility AUTH
LogLevel INFO
Rony says:

January 31, 2010 at 12:06 am

Can I get some basic commands to work on Domino server using Linux.
kalyanachakravarthy says:

January 25, 2017 at 10:02 am

RHEL 7 :

grep "authentication failure" /var/log/secure | cut -d'=' -f8 | sort |uniq -c

Have a question? Post it on our forum!

Adblock detected 😱

How to find all failed SSHD login Attempts in Linux

Procedure

Conclusion

Posted by: Vivek Gite

7 comment