How to Find All Failed SSH Login Attempts in Linux?

Each attempt to log in to an SSH server is tracked and recorded in a log file by the rsyslog daemon in Linux. The most basic way to list all failed SSH login attempts is to display the log file and filter its contents.

The simplest command to list all failed SSH logins is shown below.

# grep "Failed password" /var/log/auth.log

Sample output.

grep "Failed password" /var/log/auth.log

Sep 26 09:49:11 linuxforfreshers.com sshd[32138]: Failed password for ravi from 192.168.101.26 port 33325 ssh2

Oct 2 23:04:25 linuxforfreshers.com sshd[25028]: Failed password for root from 192.168.101.211 port 55800 ssh2

To display extra information about failed SSH logins, run the command shown in the example below.

# egrep "Failed|Failure" /var/log/auth.log

In CentOS or RHEL, failed SSH sessions are recorded in the /var/log/secure file. Run the above command against this log file to identify failed SSH logins.

# egrep "Failed|Failure" /var/log/secure

Sample output

Dec 29 16:11:01 localhost sshd[32526]: Failed password for root from 192.168.101.111 port 31729 ssh2

Dec 29 16:11:04 localhost sshd[32526]: Failed password for root from 58.218.198.264 port 31729 ssh2
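
The grep commands above print one line per failure. As an added example (not part of the original article), the shell function below groups those "Failed password" lines by source address or by targeted user, including the "invalid user" variant sshd logs for accounts that do not exist. The function names `failed_ssh_summary` and `sample_log` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts from auth.log / secure.
# Usage: failed_ssh_summary ip|user [FILE...]   (reads stdin when no FILE is given)
failed_ssh_summary() {
    mode=$1; shift
    awk -v mode="$mode" '
    # Fields are read from the END of the line (... from IP port N ssh2),
    # because the user name in the middle is client-supplied text.
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        ip = $(NF-3)
        # User name = text after "Failed password for " (20 chars), minus the tail.
        user = substr($0, index($0, "Failed password for ") + 20)
        sub(/ from [^ ]+ port [0-9]+ ssh2[ \t]*$/, "", user)
        # sshd prefixes accounts that do not exist with "invalid user".
        valid = "known"
        if (sub(/^invalid user /, "", user)) valid = "invalid"
        key = (mode == "user") ? user " (" valid ")" : ip
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample input in the format shown in the article.
sample_log() {
    cat <<'EOF'
Sep 26 09:49:11 linuxforfreshers.com sshd[32138]: Failed password for ravi from 192.168.101.26 port 33325 ssh2
Oct  2 23:04:25 linuxforfreshers.com sshd[25028]: Failed password for root from 192.168.101.211 port 55800 ssh2
Oct  2 23:04:28 linuxforfreshers.com sshd[25028]: Failed password for root from 192.168.101.211 port 55800 ssh2
Oct  2 23:05:01 linuxforfreshers.com sshd[25040]: Failed password for invalid user admin from 192.168.101.211 port 55812 ssh2
Oct  2 23:05:09 linuxforfreshers.com sshd[25051]: Accepted password for ravi from 192.168.101.26 port 33410 ssh2
EOF
}

echo "Failed attempts per source address:"
sample_log | failed_ssh_summary ip
echo "Failed attempts per targeted user:"
sample_log | failed_ssh_summary user
```

On a real system, pass the log file instead of the sample, for example `failed_ssh_summary ip /var/log/auth.log` or `failed_ssh_summary user /var/log/secure`.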
