Find Out All Failed SSHD Login Attempts on Linux / Unix

Sshd (OpenSSH Server) replaces the older rlogin, rsh and telnet services, providing secure encrypted communications between two untrusted hosts over an insecure network. However, any sshd that is reachable from the network is exposed to password-guessing and credential-cracking attacks. Use the following commands to find all failed SSHD login attempts in Linux or Unix-like systems.

All failed ssh login attempts are logged and saved on the server. One can use a combination of the cat command or awk command or grep command to display the IP address and other information associated with such failed ssh login attempts.

How to find all failed SSHD login Attempts in Linux

  1. Use the grep command to find the authentication failure messages in the /var/log/secure or /var/log/auth.log file
  2. Run the awk and cut commands to print the IPs/hostnames
  3. Run the sort command to sort the data
  4. Use the uniq command to print the total number of failed sshd login attempts in Linux or Unix
  5. You need to search for multiple keywords in your log file: Failed|Invalid|Did|failure
Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: Linux or Unix terminal
Category: Terminal/ssh
OS compatibility: AIX, AlmaLinux, Alpine, Arch, CentOS, Debian, Fedora, FreeBSD, HP-UX, Linux, macOS, Mint, NetBSD, OpenBSD, openSUSE, Pop!_OS, RHEL, Rocky, Stream, SUSE, Ubuntu, Unix, WSL
Est. reading time: 4 minutes

Procedure for finding out all failed ssh login attempts

First, log in as the root user. Then type the following command at the shell prompt. The following commands are tested on RHEL, CentOS, Fedora and co:

grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7-  | sort | uniq -c

Here are the updated commands for Debian or Ubuntu Linux:

grep "authentication failure" /var/log/auth.log | awk '{ print $14 }' | cut -b7-  | sort | uniq -c

Outputs:

 1 216.12.193.35
 2 DEVssh
 2 hack.baddomain-net
 ...
 ..

Make sure you adjust the awk field number (for example, '{ print $14 }') as per your Linux distro, because the position of the rhost= field depends on the log format. One way to verify this is to first run the grep alone and look at the raw lines:
# grep "authentication failure" /var/log/secure
# grep -E -i 'authentication failure|Invalid user' /var/log/secure | grep sshd
##############################
# THE BEST COMMAND TO MATCH ##
# ALL KEYWORDS ##
##############################

# grep -E 'sshd.*(Failed|Invalid|Did|failure)' /var/log/secure
# grep -E 'sshd.*(Failed|Invalid|Did|failure)' /var/log/auth.log

The parentheses matter: without them the pattern reads as 'sshd.*Failed' OR 'Invalid' OR 'Did' OR 'failure', so the last three keywords also match lines that have nothing to do with sshd, such as sudo or su authentication failures in the same log file.

How To Find All Failed SSH Login Attempts in Linux and Unix

Keeping track of failed SSH log-in attempts

In this example, list failed password logins:
# grep 'sshd.*Failed' /var/log/auth.log
# grep 'sshd.*Failed' /var/log/secure

You can use a pager to see one screen at a time. For example, use the less command or the more command as a Unix pager:
# grep 'sshd.*Failed' /var/log/auth.log | less
# grep 'sshd.*Failed' /var/log/secure | more

How to find all failed SSH login attempts

In this example, find invalid users (accounts that do not exist) that someone is trying to log in as on your Linux or Unix server. For example:
# grep 'sshd.*Invalid user' /var/log/secure
# grep 'sshd.*Invalid user' /var/log/auth.log

Here is what I see on RHEL 9 server:

Oct 29 04:53:15 del-rhel9 sshd[98001]: Invalid user ramu from 139.xxx.yyy.zzz port 34976

How to Find failed SSH login attempts when using systemd under Linux

Use the journalctl command as follows:
# journalctl -u sshd.service | more
Filter the results using the -g option (a grep-style pattern match) for invalid users:
# journalctl -u sshd.service -g invalid
And:
# journalctl -u ssh.service -g failure
Where,

  • -u sshd.service or -u ssh.service – OpenSSH service name (it differs between distros)
  • -g failure or -g invalid – Filter the output with a grep-style pattern

Of course, piping the journalctl output through grep -E (egrep) is possible too; group the keywords so that the sshd prefix applies to all of them:
# journalctl -u ssh.service | grep -E "sshd.*(Failed|Invalid|Did)"
# journalctl -u sshd.service | grep -E "sshd.*(Failed|Invalid|Did|failure)"

Conclusion

Based upon the above discussion, it is clear that you need to search for several keywords, not just one, when using the grep command. For example:
# grep -E 'sshd.*(Failed|Invalid|Did|failure)' /var/log/auth.log
Linux users with systemd:
# journalctl -u sshd.service | grep -E "sshd.*(Failed|Invalid|Did|failure)"

Table 1: Keywords to search for failed SSH login attempts in Linux and Unix

  • Failed – Incorrect password or ssh key.
  • Invalid – No user account exists.
  • Did – Port scanning; no attempt was made to log into the server.
  • failure – Ubuntu/Debian specific message on older systems.
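The following script is an added example (not part of the original article) that combines the two points made above: it uses the grouped keyword pattern from Table 1 and, instead of relying on a fixed awk field number, extracts the peer address from either the "from <addr>" or the "rhost=<addr>" form. The log lines are constructed sample data; the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample sshd log text (not from the original page). It covers all
# four keyword classes from Table 1, the "N more authentication failures" PAM
# variant that shifts the awk field position, a sudo failure that must NOT be
# counted, and a successful login that must NOT be counted.
SAMPLE_LOG='Oct 29 04:53:15 host sshd[98001]: Invalid user ramu from 192.0.2.10 port 34976
Oct 29 04:53:17 host sshd[98001]: Failed password for invalid user ramu from 192.0.2.10 port 34976 ssh2
Oct 29 04:54:02 host sshd[98010]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct 29 04:54:05 host sshd[98010]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Oct 29 04:54:09 host sshd[98010]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Oct 29 04:55:00 host sshd[98020]: Did not receive identification string from 203.0.113.5 port 40001
Oct 29 04:55:30 host sudo: pam_unix(sudo:auth): authentication failure; logname=vivek uid=1000 euid=0 tty=/dev/pts/0 ruser=vivek rhost=  user=vivek
Oct 29 04:56:00 host sshd[98030]: Accepted publickey for vivek from 192.0.2.99 port 5000 ssh2'

# failed_ssh_by_ip: read log text on stdin, keep only sshd lines that carry one
# of the four keywords (the parentheses bind the sshd prefix to every keyword),
# pull the peer address from "from <addr>" or "rhost=<addr>" wherever it sits on
# the line, and print "count address" sorted by count, highest first.
failed_ssh_by_ip() {
  grep -E 'sshd\[[0-9]+\]: .*(Failed|Invalid|Did|failure)' \
    | sed -n -E 's/.*(from |rhost=)([^ ]+).*/\2/p' \
    | sort | uniq -c | sort -rn
}

# count_for LOGTEXT ADDR: number of matching lines for one address (0 if none).
count_for() {
  n=$(printf '%s\n' "$1" | failed_ssh_by_ip | awk -v ip="$2" '$2 == ip { print $1 }')
  printf '%s\n' "${n:-0}"
}

# Stand-alone run: show the per-address summary for the sample text.
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_ip
```

On a real system replace the sample text with `cat /var/log/auth.log` or `journalctl -u sshd.service -o cat` on the pipe's input; note that a PAM "N more authentication failures" line is counted once, not N times.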

Finding SSHD log file name

First, find the type of logging facility used by the OpenSSH server using the following syntax:
# sshd -T | grep -i syslogfacility
Here is what I got:

syslogfacility AUTH

Then search for AUTH in the /etc/syslog* or /etc/rsyslog* configuration files (including the /etc/rsyslog.d/ directory) as follows:
# grep -i -r -n -H auth /etc/[r]syslog*

/etc/rsyslog.d/50-default.conf:8:auth,authpriv.*			/var/log/auth.log
/etc/rsyslog.d/50-default.conf:9:*.*;auth,authpriv.none		-/var/log/syslog
/etc/rsyslog.d/50-default.conf:29:#	auth,authpriv.none;\
/etc/rsyslog.d/50-default.conf:32:#	auth,authpriv.none;\

The above output indicates that the file named /var/log/auth.log or /var/log/syslog contains my sshd failed login attempt data. Again, you have to modify the commands as per your Linux, Unix or BSD variant. Here is how it looks on FreeBSD version 13:
{vivek@nixcraft-f13-nuc}$ sudo sshd -T | grep syslogfacility
{vivek@nixcraft-f13-nuc}$ sudo grep -i -r -n -H auth /etc/syslog*

Reducing failed or brute-force ssh login attempts

See my OpenSSH best security practices and protecting SSHD server with fail2ban for more info.

See also

Read the following manual pages using the man command:
$ man sshd
$ man sshd_config
$ man grep
$ man rsyslogd
$ man rsyslog.conf
## FreeBSD ##
$ man syslogd
$ man syslog.conf


I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

12 comments
  • Asim Dec 27, 2006 @ 1:27

    Command does not work; I've tried it in FC5.

  • Ash Dec 28, 2006 @ 18:18

    I got this among valid addresses:

    1 ev/tty2
    1 y2

    Because sometimes log includes “1 more authentication failure” or “2 more authentication failures” instead of “authentication failure”.

    I recommend not to rely on field # 13 and use some more sophisticated command with pattern matching like:

    grep "authentication failure" /var/log/messages | sed -n -e "s/.*rhost=\([^ ]*\).*/\1/p" | sort | uniq -c

    or similar. A.

  • Ash Dec 29, 2006 @ 8:52

    sed -n -e "/sshd/s/.*Invalid user \(.*\) from \([^ ]*\).*/\2/p" /var/log/messages | sort | uniq -c

    gives interesting results too. Thanks for nice “sort + uniq -c” hint.

    Nice site, handy and useful articles… great. Ctrl+D.

  • DM Jul 6, 2008 @ 22:28

    Is it good if there is no authentication failure message?

    hehehehe

    Just secured my server and it all stopped. I use to get a few per hour.

    nice!

    see google secure centos server.

  • kashyap Jan 7, 2010 @ 14:42

    Guys, how about in Ubuntu 9.10? I don't see anything in /var/log/messages nor in syslog.
    In the sshd_config it just says, under logging:
    SyslogFacility AUTH
    LogLevel INFO

  • Rony Jan 31, 2010 @ 0:06

    Can I get some basic commands to work on Domino server using Linux.

  • kalyanachakravarthy Jan 25, 2017 @ 10:02

    RHEL 7 :

    grep "authentication failure" /var/log/secure | cut -d'=' -f8 | sort |uniq -c

  • Searge Oct 30, 2022 @ 8:22

    Fedora doesn't have such a file: `/var/log/lastlog`
    A wiser way is to redirect the output from journalctl. This is a universal method for many OSs.

    `journalctl -xe | grep "authentication"`

    • Searge Oct 30, 2022 @ 8:25

      *I mean

      /var/log/secure
  • Anonymous Dec 8, 2022 @ 9:21

    RHEL9:
    grep "authentication failure" /var/log/secure | awk '{ print $14 }' | cut -b7- | sort | uniq -c

  • Amr Dec 8, 2022 @ 15:22

    Well, I just tried it and found no attempts!
    Is this good news or bad news?
    More context, I set my SSH port to a non common number, something above 40000, I can’t remember xD
