sshd records every login attempt, successful or not, through the system's standard logging mechanism. Where those records end up depends on the logging facility sshd is configured to use and on how the system logger routes that facility to files. On systems that run systemd, recent attempts can also be read from the journal with the journalctl tool.

On Linux, the system logger is typically syslog or rsyslog, and both normally write their log files under /var/log. Failed SSH login attempts can be located in these files and searched, filtered and tallied with standard Linux/Unix tools such as grep, awk, sort and uniq.

Steps to view failed SSH login attempts:

  1. Open the terminal.
  2. Review the systemd journal with the journalctl tool. The unit is ssh.service on Debian/Ubuntu and sshd.service on Red Hat-based systems; journalctl -t sshd selects the daemon's messages regardless of the unit name. Reading the system journal requires root or journal read access (the systemd-journal group). Match case-insensitively, since the messages spell "Failed" and "Invalid" with capitals.
    $ sudo journalctl _SYSTEMD_UNIT=ssh.service | grep -Ei "fail|invalid|did not receive"
    Mar 09 21:29:44 hostname sshd[159262]: Connection closed by invalid user elijah port 19890 [preauth]
    Mar 09 21:37:57 hostname sshd[159313]: Disconnected from invalid user user port 36150 [preauth]
    Mar 09 21:49:54 hostname sshd[159416]: Disconnected from invalid user srvadmin port 2066 [preauth]
    Mar 09 21:54:13 hostname sshd[159449]: Disconnected from invalid user admin port 40370 [preauth]
    Mar 09 22:12:38 hostname sshd[159624]: Disconnected from invalid user ftpuser port 46496 [preauth]
    Mar 09 22:26:57 hostname sshd[159710]: Disconnected from invalid user ashok port 57222 [preauth]
    Mar 09 22:27:01 hostname sshd[159714]: Disconnected from invalid user devops port 34244 [preauth]
    Mar 09 22:27:19 hostname sshd[159718]: Disconnected from invalid user test3 port 43992 [preauth]
    Mar 09 22:29:41 hostname sshd[159733]: Disconnected from invalid user sabine port 46854 [preauth]
    Mar 09 22:30:31 hostname sshd[159740]: Disconnected from invalid user user port 34548 [preauth]
    Mar 09 22:30:32 hostname sshd[159742]: Disconnected from invalid user upgrade port 57506 [preauth]
    Mar 09 22:31:40 hostname sshd[159749]: Disconnected from invalid user ftp port 53048 [preauth]
    Mar 09 22:32:06 hostname sshd[159753]: Connection closed by invalid user aaa port 40974 [preauth]
    Mar 09 22:41:42 hostname sshd[159849]: Connection closed by invalid user email port 24870 [preauth]
    Mar 09 23:08:05 hostname sshd[160009]: Disconnected from invalid user reboot port 35393 [preauth]
    Mar 09 23:21:17 hostname sshd[160124]: Disconnected from invalid user haha port 43918 [preauth]
    Mar 09 23:22:18 hostname sshd[160132]: Connection closed by invalid user admin port 58432 [preauth]
  3. Determine the logging facility type used by your SSH server.
    $ sudo sshd -T | grep syslogfacility
    syslogfacility AUTH
  4. Locate the log file based on the logging facility type. The glob below covers both /etc/syslog* and /etc/rsyslog* (and syslog-ng); a pattern such as /etc/[r]syslog* matches only the rsyslog files.
    $ sudo grep -nir auth /etc/*syslog* 2>/dev/null
    /etc/rsyslog.d/50-default.conf:8:auth,authpriv.*			/var/log/auth.log
    /etc/rsyslog.d/50-default.conf:9:*.*;auth,authpriv.none		-/var/log/syslog
    /etc/rsyslog.d/50-default.conf:29:#	auth,authpriv.none;\
    /etc/rsyslog.d/50-default.conf:32:#	auth,authpriv.none;\
    Distribution        SSH log file
    Debian/Ubuntu       /var/log/auth.log (the auth,authpriv.* rule above)
    Red Hat             /var/log/secure
    Generic             /var/log/messages, /var/log/syslog
  5. Extract the list of failed SSH login attempts from the log file. Anchoring the pattern on "sshd[pid]:" keeps out unrelated lines, such as sudo entries whose COMMAND happens to contain one of the keywords.
    $ sudo grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Did not receive identification)' /var/log/auth.log
    Feb 27 00:24:27 hostname sshd[48111]: Invalid user backups from port 56900
    Feb 27 00:38:59 hostname sshd[48132]: Invalid user admin from port 37774
    Feb 27 00:40:35 hostname sshd[48168]: Invalid user array from port 46940
    Feb 27 00:47:06 hostname sshd[48178]: Invalid user austin from port 23966
    Feb 27 00:47:13 hostname sshd[48183]: Invalid user  from port 48306
    Feb 27 00:47:14 hostname sshd[48180]: Invalid user auto from port 38018
    Feb 27 00:47:21 hostname sshd[48185]: Invalid user avangard19 from port 57448
    Searched keyword                              Reason
    Failed password for …                         An incorrect password was supplied (with password authentication enabled this is also logged for unknown users, right after their "Invalid user" line)
    Invalid user …                                The user name does not exist on the system
    Did not receive identification … (optional)   No login was attempted; the client never sent an SSH banner, typical of port scanners
  6. Retrieve the IP addresses associated with failed SSH login attempts. The user name in these messages is chosen by the remote client and may itself contain the word "from", so take the last "from …" field rather than the first.
    $ sudo grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Did not receive identification)' /var/log/auth.log | awk -F 'from ' '{ print $NF }' | awk '{ print $1 }'
  7. Identify unique IP addresses linked to unsuccessful login attempts.
    $ sudo grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Did not receive identification)' /var/log/auth.log | awk -F 'from ' '{ print $NF }' | awk '{ print $1 }' | sort | uniq
  8. Count the number of failed SSH logins for each IP address, most active first. An unknown user name produces both an "Invalid user" line and a "Failed password for invalid user" line, so such an attempt is counted twice.
    $ sudo grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|Did not receive identification)' /var/log/auth.log | awk -F 'from ' '{ print $NF }' | awk '{ print $1 }' | sort | uniq -c | sort -rn
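The filtering and counting of steps 5 to 8, as an added example that is not part of the original article: a small Python script run over a few constructed /var/log/auth.log lines (host name, process IDs and addresses are made up; the addresses come from the RFC 5737 documentation ranges). It classifies each sshd line by the keywords in the table above, ignores non-sshd lines such as a sudo entry whose COMMAND contains "Invalid", and extracts the source address from the trailing "from <ip> port <port>" rather than the first "from", so a client-chosen user name like "x from 10.0.0.1" cannot shift the blame. A naive_ip function reproduces the first-"from" awk extraction for comparison. Because journalctl's default output has the same "host sshd[pid]: message" shape, the parser also works on the output of step 2.

```python
import re
from collections import Counter

# Constructed sample in /var/log/auth.log format (made up for this example; the
# addresses are RFC 5737 documentation ranges). It mixes sshd failures with an
# accepted login, a sudo line whose COMMAND contains "Invalid", and one line
# where the client chose the user name "x from 10.0.0.1" to confuse parsers.
SAMPLE_AUTH_LOG = """\
Feb 27 00:24:27 hostname sshd[48111]: Invalid user backups from 203.0.113.10 port 56900
Feb 27 00:24:29 hostname sshd[48111]: Failed password for invalid user backups from 203.0.113.10 port 56900 ssh2
Feb 27 00:38:59 hostname sshd[48132]: Invalid user admin from 203.0.113.10 port 37774
Feb 27 00:40:35 hostname sshd[48168]: Failed password for root from 198.51.100.7 port 46940 ssh2
Feb 27 00:41:02 hostname sshd[48170]: Did not receive identification string from 192.0.2.55 port 50211
Feb 27 00:41:30 hostname sshd[48171]: Accepted publickey for alice from 198.51.100.20 port 51000 ssh2: ED25519 SHA256:...
Feb 27 00:42:11 hostname sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/grep Invalid /var/log/auth.log
Feb 27 00:47:13 hostname sshd[48183]: Invalid user  from 203.0.113.10 port 48306
Feb 27 00:47:21 hostname sshd[48185]: Invalid user x from 10.0.0.1 from 203.0.113.10 port 57448
"""

# Only lines written by sshd. Keying on the "sshd[pid]: " separator makes the
# parser indifferent to the timestamp style (classic syslog or RFC 3339).
SSHD_LINE = re.compile(r"^(?P<prefix>.*?) sshd\[\d+\]: (?P<msg>.*)$")

# Message prefixes for the three failure types from the keyword table above.
# "Failed password for invalid user ..." starts with the first prefix.
FAILURE_REASONS = (
    ("Failed password for", "wrong password"),
    ("Invalid user", "unknown user"),
    ("Did not receive identification string", "no identification string (scanner?)"),
)

# These messages end with "from <ip> port <port>", optionally followed by
# " ssh2". Anchoring on the end of the message means a user name containing
# "from" (which the client controls) cannot move the match.
SOURCE = re.compile(r" from (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)(?: ssh2)?$")


def classify(line):
    """Return (reason, source_ip, source_port) for a failed-login line, else None."""
    m = SSHD_LINE.match(line)
    if m is None:
        return None
    msg = m.group("msg")
    reason = next((r for prefix, r in FAILURE_REASONS if msg.startswith(prefix)), None)
    if reason is None:
        return None
    src = SOURCE.search(msg)
    if src is None:
        return None
    return reason, src.group("ip"), int(src.group("port"))


def failed_logins(text):
    """All failed-login records in a log text, in file order (step 5)."""
    return [rec for rec in map(classify, text.splitlines()) if rec is not None]


def count_by_ip(text):
    """Failed attempts per source address, like sort | uniq -c (steps 6 to 8)."""
    return Counter(ip for _, ip, _ in failed_logins(text))


def count_by_reason(text):
    """Failed attempts per reason from the keyword table."""
    return Counter(reason for reason, _, _ in failed_logins(text))


def naive_ip(line):
    """The awk pipeline with '{ print $2 }': text after the *first* 'from '."""
    parts = line.split("from ", 1)
    return parts[1].split()[0] if len(parts) == 2 else None


if __name__ == "__main__":
    for ip, n in count_by_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:6d} {ip}")
    for line in SAMPLE_AUTH_LOG.splitlines():
        rec = classify(line)
        if rec is not None and naive_ip(line) != rec[1]:
            print(f"first-'from' parse would blame {naive_ip(line)} instead of {rec[1]}: {line}")
```

Run on the sample, 203.0.113.10 accounts for five of the seven failures, the accepted login and the sudo line are not counted, and the crafted user name is attributed to 203.0.113.10 by classify but to 10.0.0.1 by the first-"from" extraction.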