+3 votes
264 views
Linux: List failed connection attempts from a server


1 Answer

+4 votes
Best answer

I. Presentation
II. View successful attempts from a server
III. View unsuccessful connection attempts from a server
IV. Conclusion

I. Presentation

We will have the opportunity to write a tutorial on the management of accounts and passwords of a server, in terms of complexity and validity. When one wants to list the failed connection attempts on a server, one can of course implement a real security policy. But, in a more basic way, you can also use the lastb command.

In this tutorial, we will see how to use this command to detect all unsuccessful attempts at a Linux server.

II. View successful attempts from a server

On a Linux server (more generally, on any Unix server), it is possible to display the history of the last attempts to connect to the server with the last command:

# last

We then retrieve the list of the last successful local connections on the server concerned:

NOTE: we note that we also recover the restart phases of the server in question. This can also be useful to scrutinize the different reboots executed.

But, one wonders how to recover the same kind of list for unsuccessful login attempts?

III. View unsuccessful connection attempts from a server

The answer to the above question is very simple (if you use the basic Linux commands): you can use the lastb command. Indeed, the latter makes it possible to list the various unsuccessful connection attempts for a given server.

Thus, for our server, we should receive the following result, stating that several connection attempts have been made on the server srv001:

root ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)
root ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)
root ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)
root ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)
administ ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)
administ ssh: notty srv001 Sat Sep 1 16:57 - 16:57 (00:00)

ATTENTION: this command does nothing but display the list of unsuccessful attempts. If one wishes to go further in security, it will then be necessary to set up a PAM (Pluggable Authentication Modules) policy and/or utilities such as:

  • fail2ban
  • portsentry

IV. Conclusion

Already, with the activation of this command, we can easily determine the different types of failed attempts and then initialize the necessary countermeasures:

  • attempts with account or password errors
  • attempts via a robot (or bot in English)
  • denial of service attempts

Most of the time, these will indeed be attempts belonging to the first category: one or more users are mistaken about the account to use or the associated password. But in other cases, it will really be necessary to configure PAM and the tools mentioned above.


by (3.5m points)
selected by
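
One way to turn the lastb listing in the answer above into per-account, per-source counts, which helps separate a few mistyped passwords from repeated automated attempts. This is an added example, not part of the original answer; the function names, the threshold of 3 and the sample lines (including the alice account and the 192.0.2.10 address) are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed logins per (account, source) from lastb output.
# On a live host, run as root: lastb | flag_repeated 3   (lastb reads /var/log/btmp)

# Constructed sample in the layout of the listing above. The alice account,
# the 192.0.2.10 address and the trailer date are invented for illustration.
sample_lastb() {
cat <<'EOF'
root     ssh:notty    srv001       Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001       Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh: notty   srv001       Sat Sep  1 16:57 - 16:57  (00:00)
root     ssh:notty    srv001       Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001       Sat Sep  1 16:57 - 16:57  (00:00)
administ ssh:notty    srv001       Sat Sep  1 16:57 - 16:57  (00:00)
alice    ssh:notty    192.0.2.10   Sat Sep  1 17:02 - 17:02  (00:00)

btmp begins Sat Sep  1 16:50:02 2018
EOF
}

# Reads lastb output on stdin; prints "COUNT ACCOUNT SOURCE", highest count first.
summarize_failed() {
  awk '
    NF < 3 { next }                               # blank or short lines
    $1 == "btmp" && $2 == "begins" { next }       # trailer line printed by lastb
    {
      src = $3
      if ($2 ~ /:$/) src = $4                     # "ssh: notty" split in two, as on this page
      if (src ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) src = "(local)"   # console login, no host column
      count[$1 " " src]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Keeps only pairs with at least $1 failures. The threshold is an assumption:
# one or two failures usually mean a typo, a long run deserves a closer look.
flag_repeated() {
  summarize_failed | awk -v min="$1" '$1 >= min'
}

sample_lastb | flag_repeated 3    # prints: 4 root srv001
```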
