Discover all unsuccessful SSH login Activities in Linux

Each attempt to log in to an SSH server is tracked and recorded in a log file by the rsyslog daemon in Linux. The most basic way to discover all unsuccessful SSH login activities in Linux is to display and filter the log files with the cat command or the grep command.

In order to display a list of the failed SSH logins in Linux, issue some of the commands presented in this guide. Make sure that these commands are executed with root privileges.

The simplest command to list all failed SSH logins is the one shown below.

These attempts may be genuine, such as a user having trouble accessing the system, or they may be coming from spyware, etc.

User authentication logs are located at /var/log/secure on RHEL-based systems.

We can view the login attempts manually by opening the log file /var/log/secure, but the output looks messy.

Alternatively, we can use the grep command to print only the required information; this looks much better compared with the previous output.

Use the grep command


Same as above with failed attempts.
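
An added example, not part of the original article: a shell function that filters sshd "Failed password" records out of an authentication log such as /var/log/secure and counts them per source address and user. The function names and the sample log lines are constructed for illustration; the source address is read from the fixed tail of each record because the user name is supplied by the client and can contain spaces.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address and user.
# Usage (as root): failed_ssh_summary /var/log/secure [rotated logs...]
# With no file argument it reads standard input.
failed_ssh_summary() {
    grep -hE 'sshd\[[0-9]+\]: Failed password for ' "$@" |
    awk '
    {
        # Find the start of the message so any syslog timestamp layout works.
        s = 0
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "Failed" && $(i+1) == "password" && $(i+2) == "for") {
                s = i + 3; break
            }
        # The record ends "from ADDR port N ssh2". Anchor on that tail: the
        # user name comes from the client and may itself contain " from ADDR".
        if (s == 0 || NF - 4 < s || $(NF-4) != "from" || $(NF-2) != "port") next
        kind = "valid"
        if ($s == "invalid" && $(s+1) == "user") { kind = "invalid"; s += 2 }
        user = ""
        for (i = s; i <= NF - 5; i++) user = user (user == "" ? "" : " ") $i
        n[$(NF-3) "\t" kind "\t" user]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' |
    LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 -k4,4
}

# Constructed sample records (hypothetical host, documentation addresses).
sample_log() {
    cat <<'EOF'
Mar 10 10:15:30 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 52314 ssh2
Mar 10 10:15:32 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 52314 ssh2
Mar 10 10:15:40 web01 sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar 10 10:16:01 web01 sshd[2110]: Accepted password for alice from 192.0.2.10 port 50111 ssh2
Mar 10 10:16:09 web01 sshd[2115]: Failed password for invalid user x from 192.0.2.99 from 198.51.100.7 port 40030 ssh2
EOF
}

# Columns: count, source address, account kind, user name.
sample_log | failed_ssh_summary
```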

As we mentioned at the beginning of the article, aureport gives more detailed output. To get an authentication report for all the attempts that were made.

To get an authentication report for all the failed attempts that were made:

# aureport -au -i --failed | more

To get a summary report of all the successful login attempts that were made.

Now we know how to discover all unsuccessful SSH login activities in Linux.
