SSH servers record every login attempt, successful or not, through the system's logging mechanism. On Linux, OpenSSH's sshd writes these messages via syslog, so where they end up depends on the syslog facility sshd is configured with and on how the syslog daemon routes that facility. On systemd systems journald captures the same messages, and journalctl can query them directly. Knowing where the records land and how to read them is the first step in spotting and responding to brute-force and other unauthorized access attempts.
On most Linux distributions the syslog daemon is rsyslog, which stores its output under /var/log. The file differs by distribution: Ubuntu and Debian route the auth and authpriv facilities to /var/log/auth.log, while Red Hat and its derivatives send authpriv to /var/log/secure. Scanning these files for failed logins reveals patterns, such as one address cycling through many usernames, that indicate an attack in progress.
To read the logs you need to know which logging path your system uses. On systemd systems journalctl can filter sshd's messages by unit or by syslog identifier without knowing the file name. Otherwise, work out the facility and the matching file from the rsyslog configuration and read the file directly. Either way, the records can then be searched for failed attempts, the usernames tried, and the source IP addresses.
Steps to analyze SSH logs for failed login attempts:
- Open the terminal.
- Review the systemd log using the journalctl tool.
$ journalctl _SYSTEMD_UNIT=ssh.service | grep -Ei "fail|invalid|did not receive"
Mar 09 21:29:44 hostname sshd[159262]: Connection closed by invalid user elijah 45.9.20.25 port 19890 [preauth]
Mar 09 21:37:57 hostname sshd[159313]: Disconnected from invalid user user 92.255.85.237 port 36150 [preauth]
Mar 09 21:49:54 hostname sshd[159416]: Disconnected from invalid user srvadmin 212.156.17.218 port 2066 [preauth]
Mar 09 21:54:13 hostname sshd[159449]: Disconnected from invalid user admin 92.255.85.237 port 40370 [preauth]
Mar 09 22:12:38 hostname sshd[159624]: Disconnected from invalid user ftpuser 92.255.85.237 port 46496 [preauth]
Mar 09 22:26:57 hostname sshd[159710]: Disconnected from invalid user ashok 129.28.166.144 port 57222 [preauth]
Mar 09 22:27:01 hostname sshd[159714]: Disconnected from invalid user devops 106.12.176.246 port 34244 [preauth]
Mar 09 22:27:19 hostname sshd[159718]: Disconnected from invalid user test3 43.153.6.100 port 43992 [preauth]
Mar 09 22:29:41 hostname sshd[159733]: Disconnected from invalid user sabine 143.244.174.143 port 46854 [preauth]
Mar 09 22:30:31 hostname sshd[159740]: Disconnected from invalid user user 203.95.212.41 port 34548 [preauth]
Mar 09 22:30:32 hostname sshd[159742]: Disconnected from invalid user upgrade 31.220.55.239 port 57506 [preauth]
Mar 09 22:31:40 hostname sshd[159749]: Disconnected from invalid user ftp 92.255.85.135 port 53048 [preauth]
Mar 09 22:32:06 hostname sshd[159753]: Connection closed by invalid user aaa 176.111.173.44 port 40974 [preauth]
Mar 09 22:41:42 hostname sshd[159849]: Connection closed by invalid user email 45.9.20.25 port 24870 [preauth]
Mar 09 23:08:05 hostname sshd[160009]: Disconnected from invalid user reboot 61.155.2.142 port 35393 [preauth]
Mar 09 23:21:17 hostname sshd[160124]: Disconnected from invalid user haha 134.209.118.137 port 43918 [preauth]
Mar 09 23:22:18 hostname sshd[160132]: Connection closed by invalid user admin 176.111.173.242 port 58432 [preauth]
Two details matter here. The unit is ssh.service on Ubuntu and Debian but sshd.service on Red Hat and Fedora; "journalctl -t sshd" filters on the syslog identifier instead and works on either. The match must be case-insensitive (-i): sshd's messages read "Failed password", "Invalid user" and "Did not receive identification string", so a case-sensitive "fail|invalid|did" only catches the lower-case "invalid user" in the disconnect messages above and misses every password failure. The [preauth] lines shown are clients that disconnected before authentication completed, typically after probing a username that does not exist.
- Determine the logging facility used by your SSH server.
$ sudo sshd -T | grep syslogfacility
syslogfacility AUTH
sshd -T prints the effective configuration, so a SyslogFacility override in sshd_config is reflected here. The distribution defaults are:
Distribution   Logging facility
Ubuntu         AUTH
Red Hat        AUTHPRIV
- Locate the log file based on the logging facility.
$ sudo grep -nir auth /etc/[r]syslog*
/etc/rsyslog.d/50-default.conf:8:auth,authpriv.*            /var/log/auth.log
/etc/rsyslog.d/50-default.conf:9:*.*;auth,authpriv.none     -/var/log/syslog
/etc/rsyslog.d/50-default.conf:29:#    auth,authpriv.none;\
/etc/rsyslog.d/50-default.conf:32:#    auth,authpriv.none;\
The rule at 50-default.conf line 8 is the one that matters: every message from the auth or authpriv facility, at any priority, is written to /var/log/auth.log, and line 9 keeps those same messages out of /var/log/syslog. Red Hat's /etc/rsyslog.conf carries the equivalent "authpriv.* /var/log/secure" rule.
Distribution   SSH log file
Ubuntu         /var/log/auth.log
Red Hat        /var/log/secure
Generic        /var/log/messages, /var/log/syslog
- Extract the list of failed SSH login attempts from the log file.
$ sudo grep -E "sshd\[[0-9]+\]: (Failed|Invalid|Did)" /var/log/auth.log
Feb 27 00:24:27 hostname sshd[48111]: Invalid user backups from 91.255.85.231 port 56900
Feb 27 00:38:59 hostname sshd[48132]: Invalid user admin from 179.43.141.166 port 37774
Feb 27 00:40:35 hostname sshd[48168]: Invalid user array from 91.255.85.134 port 46940
Feb 27 00:47:06 hostname sshd[48178]: Invalid user austin from 193.169.255.199 port 23966
Feb 27 00:47:13 hostname sshd[48183]: Invalid user from 64.61.197.182 port 48306
Feb 27 00:47:14 hostname sshd[48180]: Invalid user auto from 193.169.255.199 port 38018
Feb 27 00:47:21 hostname sshd[48185]: Invalid user avangard19 from 193.169.255.199 port 57448
Anchoring the pattern on the "sshd[pid]: " prefix keeps the three keywords inside sshd's own messages. An unanchored "sshd.*Failed|Invalid|Did" also matches sudo's audit lines, whose COMMAND= field records the very grep you just ran, which is why that form needs a trailing "grep -v COMMAND".
Searched keyword                    Reason
Failed password for …               An incorrect password was supplied for the user
Invalid user …                      The username does not exist on the system
Did not receive identification …    No SSH banner was sent, so no login was attempted; usually a port scanner or a TCP health check (optional)
A password guess against a non-existent user produces two lines, "Invalid user X from …" and "Failed password for invalid user X from …", so a count over both keywords counts that one attempt twice.
- Retrieve the IP addresses associated with failed SSH login attempts.
$ sudo grep -E "sshd\[[0-9]+\]: (Failed|Invalid|Did)" /var/log/auth.log | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }'
91.255.85.231
179.43.141.166
91.255.85.134
193.169.255.199
64.61.197.182
193.169.255.199
193.169.255.199
- Identify unique IP addresses linked to unsuccessful login attempts.
$ sudo grep -E "sshd\[[0-9]+\]: (Failed|Invalid|Did)" /var/log/auth.log | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }' | sort | uniq
179.43.141.166
193.169.255.199
64.61.197.182
91.255.85.134
91.255.85.231
- Count the number of failed SSH logins for each IP address.
$ sudo grep -E "sshd\[[0-9]+\]: (Failed|Invalid|Did)" /var/log/auth.log | awk -F 'from ' '{ print $2 }' | awk '{ print $1 }' | sort | uniq -c
      1 179.43.141.166
      3 193.169.255.199
      1 64.61.197.182
      1 91.255.85.134
      1 91.255.85.231
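The whole procedure above, condensed into reusable shell functions and run over a constructed sample. This is an added example, not the article's own code; the host name, PIDs and addresses in the sample are made up. It goes beyond the article in two ways: the source address is taken as the token before "port", so the journal-style "Disconnected from invalid user …" lines seen in the journalctl step are counted alongside the "… from IP port N" lines, and every attempt is tagged with its reason so that password guessing, username probing and banner-less scans can be counted separately.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: classify and count failed SSH
# logins from auth.log or journalctl output. Host name, PIDs and IPs in the
# sample below are constructed.
set -eu

# Constructed sample covering the message forms the article searches for, a
# journal-style preauth disconnect, a sudo audit line that mentions "Invalid"
# inside COMMAND=, and a successful key login (the last two must be ignored).
SAMPLE_LOG=$(cat <<'EOF'
Feb 27 00:24:27 hostname sshd[48111]: Invalid user backups from 91.255.85.231 port 56900
Feb 27 00:24:29 hostname sshd[48111]: Failed password for invalid user backups from 91.255.85.231 port 56900 ssh2
Feb 27 00:38:59 hostname sshd[48132]: Failed password for root from 179.43.141.166 port 37774 ssh2
Feb 27 00:39:02 hostname sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/grep Invalid /var/log/auth.log
Feb 27 00:40:35 hostname sshd[48168]: Did not receive identification string from 64.61.197.182 port 48306
Feb 27 00:47:06 hostname sshd[48178]: Invalid user austin from 193.169.255.199 port 23966
Feb 27 00:47:14 hostname sshd[48180]: Invalid user auto from 193.169.255.199 port 38018
Feb 27 00:49:54 hostname sshd[48201]: Disconnected from invalid user srvadmin 212.156.17.218 port 2066 [preauth]
Feb 27 00:50:20 hostname sshd[48215]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
EOF
)

# Step 1: keep only sshd's own failure messages (reads stdin). Anchoring on
# "sshd[pid]: " is what excludes the sudo line, so no "grep -v COMMAND" is needed.
failed_lines() {
    grep -E 'sshd\[[0-9]+\]: .*(Failed password|[Ii]nvalid user|Did not receive identification)'
}

# Step 2: one "<ip> <reason>" pair per line. The source address is the token
# before "port", which fits both "... from IP port N" and the journal-style
# "... invalid user NAME IP port N [preauth]" messages.
failed_attempts() {
    failed_lines | awk '
        {
            if      ($0 ~ /Failed password/)                reason = "password"
            else if ($0 ~ /[Ii]nvalid user/)                reason = "invalid_user"
            else if ($0 ~ /Did not receive identification/) reason = "no_banner"
            else next
            ip = "?"
            for (i = 2; i <= NF; i++) if ($i == "port") ip = $(i - 1)
            print ip, reason
        }'
}

# Step 3: "<count> <ip>" per source address, highest count first, ties by address.
count_by_ip() {
    failed_attempts | awk '{ print $1 }' | sort | uniq -c \
        | awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# "<reason> <count>" per reason: tells password guessing apart from username
# probing and from banner-less scans.
count_by_reason() {
    failed_attempts | awk '{ c[$2]++ } END { for (r in c) print r, c[r] }' | sort
}

# Addresses with at least $1 failed attempts: the list you would hand to a
# firewall blocklist or compare against fail2ban's bans.
repeat_offenders() {
    count_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | count_by_ip
printf '%s\n' "$SAMPLE_LOG" | count_by_reason
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```

Run as a script it prints the three summaries for the sample; on a real host, feed the functions "sudo cat /var/log/auth.log" or "journalctl -t sshd" instead. Note how 91.255.85.231 shows two attempts for what is a single password guess against an unknown user, because sshd logs both an "Invalid user" and a "Failed password for invalid user" line for it; if you want attempts rather than log lines, count only the "password" reason for that case.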
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.