How to Find All Failed SSH login Attempts in Linux

Each attempt to login to SSH server is tracked and recorded into a log file by the rsyslog daemon in Linux. The most basic mechanism to list all failed SSH logins attempts in Linux is a combination of displaying and filtering the log files with the help of cat command or grep command.

In order to display a list of the failed SSH logins in Linux, issue some of the commands presented in this guide. Make sure that these commands are executed with root privileges.

The most simple command to list all failed SSH logins is the one shown below.

# grep "Failed password" /var/log/auth.log
List All Failed SSH Login Attempts

List All Failed SSH Login Attempts

The same result can also be achieved by issuing the cat command.

# cat /var/log/auth.log | grep "Failed password"

In order to display extra information about the failed SSH logins, issue the command as shown in the below example.

# egrep "Failed|Failure" /var/log/auth.log
Find Failed SSH Logins

Find Failed SSH Logins

In CentOS or RHEL, the failed SSH sessions are recorded in /var/log/secure file. Issue the above command against this log file to identify failed SSH logins.

# egrep "Failed|Failure" /var/log/secure
Find Failed SSH Logins in CentOS

Find Failed SSH Logins in CentOS

A slightly modified version of the above command to display failed SSH logins in CentOS or RHEL is as follows.

# grep "Failed" /var/log/secure
# grep "authentication failure" /var/log/secure
Find SSH Authentication Failure Logins

Find SSH Authentication Failure Logins

To display a list of all IP addresses that tried and failed to log in to the SSH server alongside the number of failed attempts of each IP address, issue the below command.

# grep "Failed password" /var/log/auth.log | awk ‘{print $11}’ | uniq -c | sort -nr
Find IP Addresses of SSH Failed Logins

Find IP Addresses of SSH Failed Logins

On newer Linux distributions you can query the runtime log file maintained by Systemd daemon via journalctl command. In order to display all failed SSH login attempts you should pipe the result via grep filter, as illustrated in the below command examples.

# journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"
# journalctl _SYSTEMD_UNIT=sshd.service | egrep "Failed|Failure"  #In RHEL, CentOS 
Find Real Time Failed SSH Logins

Find Real Time Failed SSH Logins

In CentOS or RHEL, replace the SSH daemon unit with sshd.service, as shown in the below command examples.

# journalctl _SYSTEMD_UNIT=sshd.service | grep "failure"
# journalctl _SYSTEMD_UNIT=sshd.service | grep "Failed"

After you’ve identified the IP addresses that frequently hit your SSH server in order to log in to the system with suspicious user accounts or invalid user accounts, you should update your system firewall rules to block the failed SSH attempts IP addresses or use a specialized software, such as fail2ban to manage these attacks.

Best Affordable Linux and WordPress Services For Your Business
Outsource Your Linux and WordPress Project and Get it Promptly Completed Remotely and Delivered Online.

If You Appreciate What We Do Here On TecMint, You Should Consider:

  1. Stay Connected to: Twitter | Facebook | Google Plus
  2. Subscribe to our email updates: Sign Up Now
  3. Get your own self-hosted blog with a Free Domain at ($3.45/month).
  4. Become a Supporter - Make a contribution via PayPal
  5. Support us by purchasing our premium books in PDF format.
  6. Support us by taking our online Linux courses

We are thankful for your never ending support.

Matei Cezar

I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide

You may also like...

3 Responses

  1. Jose Tapia says:

    Very informative article, thanks for share so helpful information

  2. Puneet says:

    good article

  3. xABBAAA says:

    This looks very good stuff. Happy New Year and great job… have very nice day…

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.