How to Check Failed SSH Login Attempts in Linux
Setting up the server with SSH protocol is one of the security measures of server and network administrators to encrypt the communication between the server and the client in an insecure network. Controlling and monitoring failed SSH login attempts in Linux is one of the most important tasks of Linux VPS administrators, The importance of this issue is that administrators check failed SSH login attempts to protect the server from illegal remote intrusion.
In the past, users used insecure ways to communicate with the server, such as the Telnet service, which caused serious problems and the theft of user information during the exchange of information with the destination server.
This caused Linux developers to look for a safer and more reliable way to communicate with the server, so the ssh service was unveiled. In Linux, the rsyslog daemon identifies every attempt to log in to the system through SSH and saves it in the log file. The details of the login attempt, such as the user account, IP address, and the date and time stamp of the login request, are available to the server administrators in the form of a report.
Therefore, administrators can improve the security of the server against brute-forcing attacks and unwanted access by accessing the reports prepared from successful and unsuccessful attempts to the SSH system and listing the log files through a combination, filter, and display approach.
In Linux, there are various commands such as a combination ofcat
andgrep
commands to obtain a list of information about failed SSH login attempts to optimize the security and management of your Linux VPS. Read this article to the end to learn useful Linux commands to investigate failed SSH login attempts, you will surely be satisfied with the helpful commands.
Checking failed SSH login attempts
Unsuccessful attempts to log in to the system have various reasons and are usually due to mistakes in typing the password, forgetting or guessing the wrong password, or brute-force attacks through Dictionary and other methods. In the following, we will provide the commands to obtain useful information about failed SSH login attempts.
Before getting familiar with the commands, you should consider the prerequisites for running Linux commands to check for failed SSH login attempts.
prerequisites
- Availability of Linux VPS or Linux system
- Installing Open SSH
- A user account with Root/Sudo privileges
- Access to the Linux command line (press the “CTRL + ALT + T” buttons on the keyboard to access the command line.)
Steps to enable SSH
The prerequisite for executing the commands that we will introduce you to in the following is that SSH is enabled on a Linux system with any Linux distribution. To enable SSH in Linux, you must be sure to install open SSH, for this purpose we teach how to install open SSH on Linux. (How to install open SSH in different Linux distributions is similar to each other, but in this tutorial, we have considered Ubuntu.)
1. Installing OpenSSH
To install Open SSH on Linux, enter the following command:
sudo apt install openssh-server
After running the Open SSH installation command, you need to enter the password of the user account with Root permission, and then type Y to complete the Open SSH installation process.
2. Enabling SSH
Now that OpenSSH is installed on your Linux system, you can enable it by running the following command:
sudo systemctl enable ssh
Out Put:
Synchronizing state of ssh.service with SysV service script with /lib/system/system-sysv-install.
Executing: /lib/systemd/system-sysv-install enable ssh
3. Launching SSH
After completing the previous steps, it was time to start SSH. Run the following command to start the SSH service:
sudo systemctl start ssh
4. Checking the SSH service
To make sure the SSH service is running on Linux, type the following command:
sudo systemctl status ssh
Showing Active: active (running) in the output indicates that the SSH service is active and running correctly in your desired Linux operating system.
Access to failed SSH login attempts
The easiest way to access a log of failed SSh login attempts is to use thegrep
andcat
commands as follows:
grep "Failed password" /var/log/auth.log
cat /var/log/auth.log | grep "Failed password"
Display more information about failed SSh login attempts
You can also use the following commands to get more information about failed SSH login attempts:
egrep "Failed|Failure" /var/log/auth.log
Note: Since in CentOS and RHEL derivatives, the /var/log/secure file contains failed login attempts, you should use the following command to view information about failed attempts:
egrep "Failed|Failure" /var/log/secure
To detect failed login attempts on a Linux system running CentOS and RHEL derivatives, other commands can also be executed:
grep "Failed" /var/log/secure
grep "authentication failure" /var/log/secure
Preparing a report of failed logins with IP filtering
If you want to access the IPs that tried to log in to the SSH system and failed, you can make a list of the IP addresses and the number of times a report of the IP address for the failed attempt was created by running the following command:
grep "Failed password" /var/log/auth.log | awk '{print $11}' | uniq -c | sort -nr
Reporting failed authentications
To view information about failed authentications, run the following command:
grep "authentication failure" /var/log/auth.log | awk '{ print $13 }' | cut -b7- | sort | uniq –c
query the runtime log file
To access logs of failed SSH login attempts using the Systemd daemon, use the following command:
journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"
journalctl _SYSTEMD_UNIT=sshd.service | egrep "Failed|Failure" #In RHEL, CentOS
Checking settings failed login attempts
With the commands we provided, you were able to get a report of failed attempts to log in to the Linux server. Another way to control and manage illegal and unwanted login attempts is to check failed login attempts settings. For this purpose, you should check /etc/pam.d/common-auth file using Linux PAM (Pluggable Authentication Modules). Therefore, enter the following command:
cat /etc/pam.d/password-auth
In this file, you can apply useful settings to prevent malicious intrusions into your system. You can apply a limit for unsuccessful attempts and if an account has more than a specified number of unsuccessful attempts, its account will be temporarily blocked for a specified period and the person will not be able to try to log into your system during this period.
For example, you can set a limit as in our example, if a user account has more than 4 unsuccessful attempts, his account will be blocked for 5 minutes; To set such a limit, you must run the following command:
auth required pam_tally2.so deny=4 unlock_time=300
FAQ
In Linux, which file contains a list of failed login attempts?
The content of the file /var/log/faillog contains a list of failed attempts to log into the system, which you should run the faillog command to view and check its content.
Conclusion
Obtaining a report of unsuccessful SSH login attempts with more detailed information makes it possible to identify the IPs that are trying to penetrate your system, and in this way, you can block suspicious IPs and invalid user accounts in your system’s firewall. Also, you can improve the security of your Linux server against brute force attacks and unwanted logins by monitoring failed SSH login attempts.
In this article, we have provided commands to view complete information about failed Linux login attempts via SSH. If we want to provide a summary of the commands you can use in this context, it will be as follows:
- grep “Failed password”: This command is used along with /var/log/secure or /var/log/auth.log files to list failed login attempts.
- awk and cut: executed to access the IP address or hostname.
- sort: formats the data.
- uniq: provides the total number of unsuccessful attempts to log in to the system.
We hope you found this article efficient in accessing failed SSH login attempts.
Thank you for choosing our article to read.