How to Check All Failed SSH Login Attempts in Linux


In this tutorial, we will show how to check all failed logins on a Linux box, in this case a Red Hat-based system. This can be achieved in several ways, and we will go through each method one by one.

Method 1: Via /var/log/secure

This file, /var/log/secure, is where all login attempts are logged, successful and failed alike. We can open it with any file reader, or grep (search) it for the word "failure". This will display all failed logins on the server from all users.

Example:
[root@phsrv001 ~]# cat /var/log/secure |grep failure
Aug 28 08:46:38 phsrv001 sshd[15352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn01.pinoysysadmin.com  user=magellanf
Aug 29 00:39:20 phsrv001 sshd[18826]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn02.pinoysysadmin.com  user=rizalj
Aug 29 17:27:06 phsrv001 sshd[7558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn03.pinoysysadmin.com  user=quezonm
Aug 29 17:27:58 phsrv001 sshd[7587]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn01.pinoysysadmin.com  user=magellanf
Take note that grep is case-sensitive by default, so searching for "failure" and "Failure" will display different results (add -i to grep to ignore case). We can also search /var/log/secure for "Failed", which matches the "Failed password" lines written by sshd itself.

It is also possible to search for login failures from a specific user.

Example:
[root@phsrv001 ~]# cat /var/log/secure |grep quezonm |grep failure
Aug 29 00:39:20 phsrv001 sshd[18826]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn03.pinoysysadmin.com  user=quezonm
Aug 30 09:01:38 phsrv001 sshd[21214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn03.pinoysysadmin.com  user=quezonm
Aug 30 09:03:24 phsrv001 sshd[21877]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn02.pinoysysadmin.com  user=quezonm
Aug 30 09:05:40 phsrv001 sshd[22631]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn03.pinoysysadmin.com  user=quezonm

If we want to view all failed logins on a specific date,
[root@phsrv001 ~]# cat /var/log/secure |grep 'Aug 29' |grep failure
Aug 29 00:39:20 phsrv001 sshd[18826]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn01.pinoysysadmin.com  user=rizalj
Aug 29 17:27:06 phsrv001 sshd[7558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn01.pinoysysadmin.com  user=quezonm
Aug 29 17:27:58 phsrv001 sshd[7587]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn01.pinoysysadmin.com  user=quezonm
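To turn the grep above into a per-user, per-source summary, here is an added shell example that is not part of the original post. It assumes the pam_unix line format shown above and runs on a few constructed sample lines with made-up hosts and addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise pam_unix sshd
# authentication failures from a /var/log/secure-style file.

# Constructed sample log lines; the hosts, addresses and users are made up.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 29 00:39:20 phsrv001 sshd[18826]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn02.example.net  user=rizalj
Aug 29 00:39:25 phsrv001 sshd[18830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn02.example.net  user=rizalj
Aug 29 00:39:31 phsrv001 sshd[18834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn02.example.net  user=rizalj
Aug 29 17:27:06 phsrv001 sshd[7558]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn03.example.net  user=quezonm
Aug 29 17:28:00 phsrv001 sshd[7590]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=
Aug 29 17:30:12 phsrv001 sshd[7601]: Accepted password for quezonm from vpn03.example.net port 51522 ssh2
EOF

# Print "count user rhost", most frequent first. An empty user= (PAM logs
# this for non-existent accounts) or empty rhost= is reported as <unknown>.
failed_login_summary() {
    awk '/pam_unix\(sshd:auth\): authentication failure/ {
        user = "<unknown>"; host = "<unknown>"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=/ && length($i) > 6) host = substr($i, 7)
            if ($i ~ /^user=/  && length($i) > 5) user = substr($i, 6)
        }
        count[user " " host]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# Print only source hosts with at least $2 failures in total: a crude
# brute-force indicator that deserves a closer look or a firewall rule.
noisy_sources() {
    failed_login_summary "$1" |
    awk -v min="$2" '{ per_host[$3] += $1 }
        END { for (h in per_host) if (per_host[h] >= min) print per_host[h], h }' |
    sort -k1,1nr -k2
}

failed_login_summary "$SAMPLE_LOG"
echo "--- sources with 3 or more failures ---"
noisy_sources "$SAMPLE_LOG" 3
```

On a real server replace SAMPLE_LOG with /var/log/secure; rotated files (secure-YYYYMMDD) can be passed the same way.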

Method 2: Via lastb command

The lastb command lists the contents of /var/log/btmp, the log file that records only the failed logins on a Linux server. Because btmp is a binary file in utmp format, opening it with cat instead of lastb shows its contents in an unreadable form.

To display all the failed/bad logins of a user,
[root@phsrv001 ~]# lastb rizalj
rizalj ssh:notty    vpn02.pinoysysadmin.com Tue Aug 30 14:42 - 14:42  (00:00)  
rizalj ssh:notty    vpn02.pinoysysadmin.com Fri Aug 26 09:41 - 09:41  (00:00)  
rizalj ssh:notty    vpn02.pinoysysadmin.com Fri Aug 26 09:40 - 09:40  (00:00)  
rizalj ssh:notty    vpn02.pinoysysadmin.com Fri Aug 26 09:40 - 09:40  (00:00)

Method 3: Via Authentication Report

This can be done with the aureport command from the audit package, which reads the audit log rather than /var/log/secure.

The command below displays both successful and failed logins on your Linux server. The list is long, so we might want to add |more in order to page through the results.
[root@phsrv001 ~]# aureport -au -i
[root@phsrv001 ~]# aureport -au -i |more

If we want to display only the failed logins, add --failed at the end:
[root@phsrv001 ~]# aureport -au -i --failed

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 08/26/2016 09:05:06 quezonm vpn03.pinoysysadmin.com ssh /usr/sbin/sshd no 9073014
2. 08/26/2016 09:15:13 rizalj vpn03.pinoysysadmin.com ssh /usr/sbin/sshd no 9073106
3. 08/26/2016 09:15:24 rizalj  vpn03.pinoysysadmin.com ssh /usr/sbin/sshd no 9073108
4. 08/26/2016 09:23:11 rizalj  vpn03.pinoysysadmin.com ssh /usr/sbin/sshd no 9073168
5. 08/26/2016 09:27:20 quezonm vpn03.pinoysysadmin.com ssh /usr/sbin/sshd no 9073197


In Linux, there are multiple ways to filter the results of your query. Do you have other ways to check failed SSH logins on Linux? Let us discuss them below.
