How to Find All Failed SSH login Attempts in Linux?


As a Linux system administrator, one of your most important tasks is to ensure the security of your system. One way to do this is by monitoring failed SSH login attempts. Every time a user attempts to log in via SSH, whether successful or not, it is recorded in the system logs.

By analyzing these logs, you can identify any unauthorized access attempts and take action to prevent them. Failed login attempts can be an indicator of several security issues such as brute-force attacks by hackers attempting to guess passwords or compromised user accounts.

Monitoring failed SSH login attempts is an essential element in the overall security strategy for any Linux system. It provides insight into potential threats and helps you take proactive measures to protect your system from unauthorized access.

Explanation of SSH Login Attempts

Secure Shell (SSH) is a widely used protocol for securely accessing remote systems over an unsecured network. When logging into a remote machine using SSH, authentication usually occurs using a username and password combination or public key authentication method.

Each time users attempt to log in via SSH, it generates entries in the log files that record all related activities such as successful or failed login attempts. A successful SSH login attempt records valid user credentials and grants access to the remote machine.

The System Log File: Your Window into SSH Login Attempts

The system log file is a crucial tool for monitoring and analyzing activity on your Linux system, including SSH login attempts. The location of the system log file varies depending on the Linux distribution you are using, but it is typically found in the /var/log directory. Commonly used log files include auth.log, secure.log, and messages.log.

Once you have located the appropriate log file for your distribution, you can use the grep command to filter out SSH login attempts from the rest of the data in the file. For example, if you are using Ubuntu or another Debian-based distribution, you can use −

grep sshd /var/log/auth.log

This will display all lines in auth.log that contain "sshd", which is the name of the daemon that handles SSH connections on most Linux systems.

You can further refine this search to show only failed login attempts by adding "Failed" as an additional filter −

grep sshd /var/log/auth.log | grep "Failed password"

This will display only lines that contain both "sshd" and "Failed password".

Filtering with grep

The grep command is a powerful tool for filtering text data based on patterns and regular expressions. In this case, we used it to filter out lines from a large system log file that contained specific keywords related to SSH login attempts. However, there are many other ways you can use grep to manipulate text data.

For example, let's say you want to search through a large document or codebase for instances of a particular function call. You could simply run −

grep functionName filename.txt

This would display all lines in filename.txt that contain "functionName".

Using Fail2ban to Monitor and Block Failed SSH Login Attempts

Introduction to Fail2ban and its Features

Fail2ban is a free, open-source software that can be used to monitor login attempts on a Linux system. It is designed to detect and block brute-force attacks by adding and removing IP addresses from the firewall automatically.

The software works by analyzing various log files for failed login attempts and then taking action based on pre-configured rules. Fail2ban offers several features that make it an effective tool for monitoring and blocking failed SSH login attempts.

Installation and Configuration of Fail2ban on Linux Systems

Installing fail2ban on Linux systems is relatively simple with most package managers like apt or yum available in many distributions. Once installed, the configuration file needs to be customized to monitor the relevant log files related to SSH login attempts. The default configuration file is located at `/etc/fail2ban/jail.conf`.

Configuring Fail2ban To Monitor SSH Login Attempts And Block IP Addresses With Too Many Failures

After installation configure fail2ban settings with specific filters/rules in place for sshd service monitoring as follows −

enabled = true 
port = ssh filter = sshd 
logpath = /var/log/auth.log maxretry = 5 
bantime = 300 

Here `maxretry` is the maximum number of failed login attempts allowed before an IP address is blocked and `bantime` specifies the amount of time for which an IP address will be blocked.

Fail2ban blocks IPs automatically by adding them to the firewall rules through iptables or firewalld on your system. You can also customize the way fail2ban works with custom actions added in the configuration file.

Monitoring and Alerting on SSH Login Attempts

Writing a Script to Periodically Check for Failed SSH Login Attempts

While checking the system log file manually for failed SSH login attempts can be effective, it can also be time-consuming and unreliable if done infrequently. Instead, consider writing a script that will check the system log file periodically and alert you of any new failed login attempts.

Here’s how to do it −

  • Choose your scripting language −Bash, Python, or Perl are popular choices for Linux systems.

  • Using your chosen language, write a script that opens the system log file and filters out only the lines containing failed SSH login attempts.

  • The script should then compare these filtered lines with previous entries to ensure no duplicates are being flagged.

  • If any new failed login attempts are identified, the script should notify you immediately via email or other method. With this custom script in place, you’ll always have up-to-date information on potential security threats to your Linux server.

Setting Up Email Alerts for New Failed SSH Login Attempt Notifications

Once you’ve written a custom script to monitor the system log file for new failed SSH login attempts, you’ll want to set up email alerts so that you’re notified as soon as possible when an attempt is made. Here’s how −

  • Determine which email client or service you want to use (e.g., Gmail).

  • Configure your Linux server to send emails using this client or service by setting up SMTP credentials.

  • Modify your existing custom script (or write a new one) that sends an email notification when a new failed SSH login attempt is detected.

  • Ensure that emails are sent securely by enabling SSL/TLS encryption. By following these steps, you’ll receive immediate alerts when a potential security threat is detected on your Linux server.

Automating Custom Scripts with Cron

While running custom scripts manually can be effective, it can be even more powerful when automated using cron jobs. Here’s how to automate your custom script for monitoring SSH login attempts −

  • Determine how frequently you want the script to run (e.g., every 5 minutes).

  • Use the cron command in Linux to set up a new job that runs the custom script at your desired frequency.

  • Test the cron job to ensure that it’s running correctly.

By automating your custom script, you’ll never have to worry about remembering to run it again – it will run automatically at the frequency you’ve specified.


In this article, we discussed several methods for finding failed SSH login attempts, including checking the system log file, using fail2ban to automatically block IP addresses with too many failures, and implementing custom scripts for monitoring and alerting. We also emphasized the importance of regularly monitoring failed SSH login attempts to maintain the security of your system.

Hackers continuously attempt to breach servers by brute-forcing passwords through automated scripts. Without taking necessary precautions like monitoring these events closely, a server administrator is at risk of facing significant security threats that could be detrimental to their business operations.

Updated on: 09-Jun-2023


Kickstart Your Career

Get certified by completing the course

Get Started