How to Find All Failed SSH Login Attempts in Linux?

As a Linux system administrator, monitoring failed SSH login attempts is crucial for maintaining system security. SSH (Secure Shell) is the primary method for remote access to Linux systems, making it a common target for attackers. Every SSH login attempt, whether successful or failed, is recorded in system logs, providing valuable security intelligence.

Failed SSH login attempts often indicate brute-force attacks, where attackers use automated scripts to guess passwords, or compromised user accounts. By analyzing these logs regularly, you can identify unauthorized access attempts and implement protective measures before a breach occurs.

Understanding SSH Login Logs

SSH login attempts are recorded in system log files located in the /var/log directory. The specific log file varies by Linux distribution:

  • Ubuntu/Debian: /var/log/auth.log

  • CentOS/RHEL/Fedora: /var/log/secure

  • SUSE: /var/log/messages

Finding Failed SSH Login Attempts

Using grep to Filter SSH Logs

The most direct method is using the grep command to search for SSH-related entries. For Ubuntu/Debian systems:

grep "sshd" /var/log/auth.log | grep "Failed password"

For CentOS/RHEL systems:

grep "sshd" /var/log/secure | grep "Failed password"

More Specific Searches

To find failed login attempts for a specific user:

grep "Failed password for username" /var/log/auth.log

To find failed login attempts from a specific IP address:

grep "Failed password" /var/log/auth.log | grep "192.168.1.100"

To count failed attempts by IP address:

grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr

Using journalctl for Systemd Systems

On modern Linux distributions using systemd, you can use journalctl to query the SSH service's logs (the unit is named ssh on Ubuntu/Debian and sshd on CentOS/RHEL/Fedora); the -f flag follows new entries as they arrive:

journalctl -u ssh -f --grep="Failed password"

To view SSH logs from the last 24 hours:

journalctl -u ssh --since="1 day ago" | grep "Failed password"

Automated Monitoring with Fail2ban

Fail2ban is a powerful intrusion prevention system that automatically monitors log files and blocks IP addresses after a specified number of failed attempts.

Installation

Install fail2ban using your package manager:

# Ubuntu/Debian
sudo apt install fail2ban

# CentOS/RHEL
sudo yum install fail2ban

Basic SSH Configuration

Create a local jail configuration file /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600

This configuration blocks an IP address for 1 hour (bantime = 3600 seconds) once it has made 3 failed attempts (maxretry) within 10 minutes (findtime = 600 seconds). On CentOS/RHEL, point logpath at /var/log/secure instead.
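As an added example (not code from the original article), the following Python script replays constructed auth.log lines through the jail rule above (maxretry = 3 failures inside a findtime of 600 seconds) and also reproduces the per-IP totals that the grep | awk | uniq -c pipeline produces; the year is an assumption, since syslog timestamps omit it.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not from a real host). Note the two
# message forms sshd emits ("for <user>" and "for invalid user <user>") and
# that syslog pads single-digit days with a space ("Mar  5").
SAMPLE_LOG = """\
Mar  5 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:01:10 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  5 10:02:15 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Mar  5 10:03:00 host sshd[1204]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Mar  5 10:05:00 host sshd[1205]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  5 10:40:00 host sshd[1206]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar  5 11:20:00 host sshd[1207]: Failed password for alice from 198.51.100.4 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2026):
    """Yield (timestamp, user, ip) for every 'Failed password' line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog lines carry no year, so one is assumed (sample data is constructed)
        stamp = " ".join(m["ts"].split())  # collapse the "Mar  5" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def failures_by_ip(text):
    """Same totals as: grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c."""
    return Counter(ip for _ts, _user, ip in parse_failures(text))

def would_ban(text, maxretry=3, findtime=600):
    """Replay the log with the jail settings: an IP is flagged the moment it
    reaches `maxretry` failures inside any sliding `findtime`-second window.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, _user, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned
```

Both sample IPs fail three times, but only 203.0.113.7 does so within ten minutes; the slow failures from 198.51.100.4 never fill the window, which is exactly the trade-off findtime controls.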

Creating Custom Monitoring Scripts

For more advanced monitoring, create a custom bash script to track and alert on failed SSH attempts:

#!/bin/bash
LOGFILE="/var/log/auth.log"
THRESHOLD=5
EMAIL="admin@example.com"

# Today's date in syslog form. %e space-pads single-digit days ("Mar  5"),
# which is what auth.log contains; "%d" would give "Mar 05" and never match
# on those days.
TODAY="$(date '+%b %e')"

# Count failed attempts from each IP. The IP is the fourth field from the end
# ("... from <ip> port <n> ssh2") in both the "user" and "invalid user" forms.
grep "Failed password" "$LOGFILE" | grep "^$TODAY" | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | \
while read -r count ip; do
    if [ "$count" -gt "$THRESHOLD" ]; then
        echo "WARNING: $count failed SSH attempts from $ip" | \
        mail -s "SSH Alert: Multiple Failed Attempts" "$EMAIL"
    fi
done

Setting Up Automated Alerts

To automate monitoring, add the script to cron for regular execution. Open your crontab for editing:

crontab -e

Then add a line that runs the script every 15 minutes:

# Run every 15 minutes
*/15 * * * * /path/to/ssh-monitor.sh

Log Analysis Best Practices

Practice               | Description                 | Command Example
Real-time monitoring   | Monitor logs as they update | tail -f /var/log/auth.log | grep "Failed"
Date-specific searches | Focus on recent attempts    | grep "$(date '+%b %d')" /var/log/auth.log
Summary reports        | Generate daily summaries    | grep "Failed" /var/log/auth.log | wc -l
IP geolocation         | Identify attack origins     | whois [suspicious_ip]

Conclusion

Monitoring failed SSH login attempts is essential for Linux system security. Using tools like grep, journalctl, and fail2ban, combined with custom scripts and automated alerts, provides comprehensive protection against unauthorized access attempts. Regular log analysis helps identify attack patterns and enables proactive security measures to protect your systems from compromise.

Updated on: 2026-03-17T09:01:38+05:30
