SSH service stores failed login details using the system's default logging facility, and each logging facility stores the log in a different file or location. Systems that use systemd can also display recent failed login attempts using journalctl.

The logging facility in Linux is normally provided by syslog or rsyslog. Both typically store the log files in the /var/log folder. You can check failed SSH login details in the corresponding log files and perform basic search and analysis using standard Linux / Unix tools.

Steps to check failed SSH login attempts:

  1. Launch terminal.
  2. Check systemd log using journalctl.
    $ journalctl _SYSTEMD_UNIT=ssh.service | egrep  "fail|invalid|did"
    Mar 09 21:29:44 hostname sshd[159262]: Connection closed by invalid user elijah 45.9.20.25 port 19890 [preauth]
    Mar 09 21:37:57 hostname sshd[159313]: Disconnected from invalid user user 92.255.85.237 port 36150 [preauth]
    Mar 09 21:49:54 hostname sshd[159416]: Disconnected from invalid user srvadmin 212.156.17.218 port 2066 [preauth]
    Mar 09 21:54:13 hostname sshd[159449]: Disconnected from invalid user admin 92.255.85.237 port 40370 [preauth]
    Mar 09 22:12:38 hostname sshd[159624]: Disconnected from invalid user ftpuser 92.255.85.237 port 46496 [preauth]
    Mar 09 22:26:57 hostname sshd[159710]: Disconnected from invalid user ashok 129.28.166.144 port 57222 [preauth]
    Mar 09 22:27:01 hostname sshd[159714]: Disconnected from invalid user devops 106.12.176.246 port 34244 [preauth]
    Mar 09 22:27:19 hostname sshd[159718]: Disconnected from invalid user test3 43.153.6.100 port 43992 [preauth]
    Mar 09 22:29:41 hostname sshd[159733]: Disconnected from invalid user sabine 143.244.174.143 port 46854 [preauth]
    Mar 09 22:30:31 hostname sshd[159740]: Disconnected from invalid user user 203.95.212.41 port 34548 [preauth]
    Mar 09 22:30:32 hostname sshd[159742]: Disconnected from invalid user upgrade 31.220.55.239 port 57506 [preauth]
    Mar 09 22:31:40 hostname sshd[159749]: Disconnected from invalid user ftp 92.255.85.135 port 53048 [preauth]
    Mar 09 22:32:06 hostname sshd[159753]: Connection closed by invalid user aaa 176.111.173.44 port 40974 [preauth]
    Mar 09 22:41:42 hostname sshd[159849]: Connection closed by invalid user email 45.9.20.25 port 24870 [preauth]
    Mar 09 23:08:05 hostname sshd[160009]: Disconnected from invalid user reboot 61.155.2.142 port 35393 [preauth]
    Mar 09 23:21:17 hostname sshd[160124]: Disconnected from invalid user haha 134.209.118.137 port 43918 [preauth]
    Mar 09 23:22:18 hostname sshd[160132]: Connection closed by invalid user admin 176.111.173.242 port 58432 [preauth]
  3. Check the type of logging facility used by the SSH server.
    $ sudo sshd -T | grep syslogfacility
    syslogfacility AUTH
    DistributionLogging facility
    UbuntuAUTH
    Red HatAUTHPRIV
  4. Check log location of the log file based on the logging facility type.
    $ sudo grep -nir auth /etc/[r]syslog*
    /etc/rsyslog.d/50-default.conf:8:auth,authpriv.*			/var/log/auth.log
    /etc/rsyslog.d/50-default.conf:9:*.*;auth,authpriv.none		-/var/log/syslog
    /etc/rsyslog.d/50-default.conf:29:#	auth,authpriv.none;\
    /etc/rsyslog.d/50-default.conf:32:#	auth,authpriv.none;\
    DistributionSSH log file
    Ubuntu/var/log/auth.log
    Red Hat/var/log/secure
    Generic/var/log/messages, /var/log/syslog
  5. List failed SSH login attempts from the log file.
    $ sudo grep -E "sshd.*Failed|Invalid|Did" /var/log/auth.log | grep -v COMMAND
    Feb 27 00:24:27 hostname sshd[48111]: Invalid user backups from 91.255.85.231 port 56900
    Feb 27 00:38:59 hostname sshd[48132]: Invalid user admin from 179.43.141.166 port 37774
    Feb 27 00:40:35 hostname sshd[48168]: Invalid user array from 91.255.85.134 port 46940
    Feb 27 00:47:06 hostname sshd[48178]: Invalid user austin from 193.169.255.199 port 23966
    Feb 27 00:47:13 hostname sshd[48183]: Invalid user  from 64.61.197.182 port 48306
    Feb 27 00:47:14 hostname sshd[48180]: Invalid user auto from 193.169.255.199 port 38018
    Feb 27 00:47:21 hostname sshd[48185]: Invalid user avangard19 from 193.169.255.199 port 57448
    Searched keywordsReason
    Failed password for …Incorrect password is used to log in
    Invalid user …Unknown user is used to log in
    Did not receive identification … (optional)Log in not actually attempted, might be caused by port scanners
  6. Get IP addresses of failed SSH login attempts.
    $ sudo grep -E "sshd.*Failed|Invalid|Did" /var/log/auth.log | grep -v COMMAND | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }'
    91.255.85.231
    179.43.141.166
    91.255.85.134
    193.169.255.199
    64.61.197.182
    193.169.255.199
    193.169.255.199
  7. Get unique IP addresses of failed SSH login attempts.
    $ sudo grep -E "sshd.*Failed|Invalid|Did" /var/log/auth.log | grep -v COMMAND | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }' | sort | uniq
    179.43.141.166
    193.169.255.199
    64.61.197.182
    91.255.85.134
    91.255.85.231
  8. Get number of failed SSH login for every IP addresses.
    $ sudo grep -E "sshd.*Failed|Invalid|Did" /var/log/auth.log | grep -v COMMAND | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }' | sort | uniq -c
          1 179.43.141.166
          3 193.169.255.199
          1 64.61.197.182
          1 91.255.85.134
          1 91.255.85.231
Discuss the article:

Comment anonymously. Login not required.

Share!