How to show failed SSH attempts

Failed SSH access attempts show whether remote logins are being rejected because of wrong passwords, stale automation, or probes against usernames that do not exist on the server. Seeing the exact failure lines quickly separates routine mistakes from hostile scanning and shows which account names and source addresses are involved.

On Ubuntu and Debian systems using the packaged OpenSSH server, the sshd daemon writes authentication failures through the system logging stack. Common entries include Failed password for rejected credentials, Invalid user for unknown account names, and Connection closed by invalid user when pre-authentication is terminated for a nonexistent account.

The commands below use /var/log/auth.log because that remains the clearest default log file on Ubuntu and Debian systems with rsyslog enabled. Reading the file requires sudo or equivalent log access, rotated logs limit how far back the search can go, and some hosts keep the same events only in the systemd journal or in /var/log/secure on RHEL-style systems.

Steps to show failed SSH attempts:

  1. Open a terminal on the server with privileges to read authentication logs.
    $ whoami
    user
  2. Show recent failed SSH access entries from the authentication log.
    $ sudo grep -E "Failed password|Invalid user|Connection closed by invalid user" /var/log/auth.log | tail --lines 4
    2026-04-14T04:13:25+00:00 server sshd[4319]: Failed password for demo from 198.51.100.24 port 43746 ssh2
    2026-04-14T04:13:26+00:00 server sshd[4323]: Invalid user nosuchuser from 198.51.100.24 port 47284
    2026-04-14T04:13:28+00:00 server sshd[4323]: Failed password for invalid user nosuchuser from 198.51.100.24 port 47284 ssh2
    2026-04-14T04:13:29+00:00 server sshd[4323]: Connection closed by invalid user nosuchuser 198.51.100.24 port 47284 [preauth]

    These sshd messages already show the attempted account name, remote address, and failure type. If /var/log/auth.log is absent, the same events may be available through sudo journalctl --unit=ssh --since today --grep='Failed password|Invalid user|Connection closed by invalid user' --no-pager on Ubuntu, or in /var/log/secure on many RHEL-style systems.

  3. Follow new failed SSH access attempts live while testing or monitoring the server.
    $ sudo tail -Fn0 /var/log/auth.log | grep --line-buffered -E "Failed password|Invalid user|Connection closed by invalid user"
    2026-04-14T04:18:12+00:00 server sshd[4388]: Invalid user admin from 198.51.100.77 port 60312
    2026-04-14T04:18:14+00:00 server sshd[4388]: Failed password for invalid user admin from 198.51.100.77 port 60312 ssh2

    Press Ctrl+C to stop following the log. On journal-only hosts, use sudo journalctl --unit=ssh --follow --grep='Failed password|Invalid user|Connection closed by invalid user' instead.
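
To see which source addresses and account names account for most of the failures, the following added example (not part of the original guide) tallies Failed password lines per address and account. The function names and the sample lines are constructed for illustration, and the parser assumes the line layout shown in the output above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): count rejected SSH passwords
# per source address and attempted account name.

# Constructed sample in the same layout as the auth.log lines shown above.
sample_log() {
  cat <<'EOF'
2026-04-14T04:13:25+00:00 server sshd[4319]: Failed password for demo from 198.51.100.24 port 43746 ssh2
2026-04-14T04:13:26+00:00 server sshd[4323]: Invalid user nosuchuser from 198.51.100.24 port 47284
2026-04-14T04:13:28+00:00 server sshd[4323]: Failed password for invalid user nosuchuser from 198.51.100.24 port 47284 ssh2
2026-04-14T04:13:29+00:00 server sshd[4323]: Connection closed by invalid user nosuchuser 198.51.100.24 port 47284 [preauth]
2026-04-14T04:18:14+00:00 server sshd[4388]: Failed password for invalid user admin from 198.51.100.77 port 60312 ssh2
2026-04-14T04:18:20+00:00 server sshd[4390]: Failed password for invalid user admin from 198.51.100.77 port 60320 ssh2
2026-04-14T04:18:31+00:00 server sshd[4392]: Failed password for invalid user x from 203.0.113.5 port 1 ssh2 from 198.51.100.77 port 60344 ssh2
EOF
}

# Reads sshd log lines on stdin; prints "<count> <address> <valid|invalid> <user>".
# Only "Failed password" lines are counted, so one rejected attempt is not counted
# again through its "Invalid user" and "Connection closed" lines.
summarize_failures() {
  awk '
    {
      k = 0
      for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) { k = i; break }
      if (!k || $(k+1) != "Failed" || $(k+2) != "password" || $(k+3) != "for") next
      # The account name is client-supplied text and may contain spaces or the
      # word "from", so the address is read from the fixed tail of the line:
      #   ... from <address> port <port> ssh2
      if (NF < k + 9 || $(NF-4) != "from" || $(NF-2) != "port" || $NF != "ssh2") next
      s = k + 4; kind = "valid"
      if ($s == "invalid" && $(s+1) == "user" && s + 2 <= NF - 5) { kind = "invalid"; s += 2 }
      user = $s
      for (i = s + 1; i <= NF - 5; i++) user = user " " $i
      count[$(NF-3) " " kind " " user]++
    }
    END { for (key in count) print count[key], key }
  ' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | summarize_failures
```

On a real host, replace the sample with `sudo cat /var/log/auth.log | summarize_failures`. Many rows from one address against invalid accounts point to scanning, while a single valid account failing repeatedly from a known address usually points to a stale credential.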