+5 votes
1k views
How to view failed connection attempts login SSH on Linux

in Linux / Unix by (550k points)
reopened | 1k views

1 Answer

+3 votes
Best answer

1. Install SSH on Linux
2. Use the grep command to see failed logins in Linux

Today there are different ways to connect to our servers safely to perform maintenance and support tasks or to check their status. Because we cannot always be at the physical location of the server, the most practical and common way to access it is remotely, through the SSH protocol.

SSH (Secure SHell) was developed as a protocol that allows establishing connections between two systems based on the client/server architecture, so that as administrators or users we can connect remotely to the server or computer. One of the most notable advantages of SSH is that it is responsible for encrypting the connection session, which increases security by preventing attackers from accessing unencrypted passwords.

Now, each login or attempt to access the server using SSH is registered and stored in a log file by the rsyslog daemon in Linux, so it is possible to access it and validate in detail who logged in, when, and the status of the login, allowing a much more complete audit and control task.

TechnoWikis will explain in this tutorial the way to view this file and determine who has tried or logged in to the computer.


1. Install SSH on Linux


For this example we have used Ubuntu 19 and CentOS 8. Remember that by accessing through SSH we can work fully on the computer.

Install SSH on CentOS 8
If you want to install SSH on CentOS 8 you must run the following:
 yum -y install openssh-server openssh-clients

Install SSH in Ubuntu
If you want to do it in Ubuntu 19 you must run the following:
 sudo apt install openssh-server


2. Use the grep command to see failed logins in Linux

Step 1

The simplest way to determine and visualize login attempts is to execute the following:
 grep "Failed password" /var/log/auth.log 


Step 2

We can see details like:
  • User who tried to login
  • IP address
  • Port used for the login attempt

Step 3

This same result is found with the cat command:
 cat /var/log/auth.log | grep "Failed password" 


Step 4

If we wish to obtain additional information about failed SSH logins in Linux, we must execute the following. As we see, the details are much more complete.
 egrep "Failed|Failure" /var/log/auth.log

View records in RHEL or CentOS 8
In the case of RHEL or CentOS 8, all records are stored in the file /var/log/secure. To display them we will execute the following:
 egrep "Failed|Failure" /var/log/secure

We see that records are saved with full details including registered session names (correct or not). Another option to view failed SSH logins in CentOS is using one of the following lines:

 grep "Failed" /var/log/secure
 grep "authentication failure" /var/log/secure

Step 5

To display the list of IP addresses that made failed access attempts, we must use the following command:
 grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr

Step 6

In the most current Linux distributions (such as Ubuntu 19), it is possible to access the runtime log, which is managed by systemd, with the journalctl command. If we want to see the failed SSH login logs, we will use the grep command to filter the results like this:
 journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"     # Ubuntu
 journalctl _SYSTEMD_UNIT=sshd.service | egrep "Failed|Failure"    # RHEL, CentOS

In CentOS
In CentOS we can also use the following:
 journalctl _SYSTEMD_UNIT=sshd.service | grep "failure"
 journalctl _SYSTEMD_UNIT=sshd.service | grep "Failed"

We can see the way to visualize each failed SSH login attempt and, based on this, take the appropriate security measures to preserve the availability of services.


by (3.5m points)
edited
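
The per-address count from Step 5, as an added example that is not part of the original answer: on "Failed password for invalid user ..." lines the address is no longer in field 11, so this version reads it as the fourth field from the end of the line. The log lines are constructed samples and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# The lines below are CONSTRUCTED samples (documentation-range addresses).
sample_log() {
cat <<'EOF'
Mar 10 08:01:12 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar 10 08:01:15 srv sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 10 08:01:19 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 08:02:01 srv sshd[1207]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Mar 10 08:02:40 srv sshd[1210]: Failed password for invalid user backup admin from 203.0.113.5 port 51144 ssh2
Mar 10 08:03:02 srv sshd[1215]: Failed password for invalid user oracle from 198.51.100.7 port 40100 ssh2
Mar 10 08:03:30 srv sshd[1219]: Failed password for deploy from 192.0.2.44 port 33210 ssh2
EOF
}

# failed_by_ip: reads sshd log lines on stdin, prints "COUNT ADDRESS",
# highest count first.
# The user name in the line is supplied by the client and may contain
# spaces or be preceded by "invalid user", so fields counted from the
# left move around. The tail "from ADDRESS port N ssh2" is written by
# sshd, so the address is taken as field NF-3 and the line is accepted
# only when field NF-2 is the literal word "port".
failed_by_ip() {
  awk '/Failed password for / && NF >= 9 && $(NF-2) == "port" {
         count[$(NF-3)]++
       }
       END { for (ip in count) print count[ip], ip }' |
    sort -k1,1nr -k2,2
}

# over_threshold N: addresses with at least N failed attempts,
# for example as input to a review list or a blocklist.
over_threshold() {
  failed_by_ip | awk -v n="$1" '$1 >= n { print $2 }'
}

# On a real host, replace sample_log with the log source, e.g.:
#   failed_by_ip < /var/log/auth.log      (Ubuntu)
#   failed_by_ip < /var/log/secure        (RHEL, CentOS)
sample_log | failed_by_ip
```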
