Where to find failed SSH attempts on your Linux machine


Failed SSH attempts in Ubuntu

As a system administrator, it is sometimes important for security purposes to keep track of who is trying to access your machine. On Ubuntu, every login attempt against the SSH server is recorded in the /var/log/auth.log file.

Here is a snapshot of my /var/log/auth.log file showing failed SSH login attempts. We can see that someone with IP 195.9.109.190 is trying to get into my ubuntu-exp machine (obviously unwanted access).

Commands

You can also use the journalctl command. The following example lists all the lines that mention invalid users.

ubuntu@ubuntu-exp:~$ journalctl _SYSTEMD_UNIT=ssh.service | grep "invalid user"

Failed SSH attempts in CentOS

On CentOS, every login or login attempt against the SSH server is recorded in the /var/log/secure file.


Below I have attached a snapshot of /var/log/secure from my CentOS machine. You can see that the same IP address is trying to access my CentOS machine as well.

Commands

You can also use the journalctl command. The following example lists all the lines that mention invalid users.

[root@test centos]# journalctl _SYSTEMD_UNIT=sshd.service | grep "invalid user"

Summary

From the failed SSH logins we can see that one IP address is trying to access both machines. Recognizing this as a threat, we can take precautions such as blocking this IP address.
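
The cross-machine comparison from the summary, as an added example that is not part of the original article: `common_offenders` (a hypothetical name) counts `Failed password` lines per source address in two log files and prints only the addresses that show up in both. The log lines are constructed samples; only 195.9.109.190 and the hostnames come from the article.

```shell
#!/bin/sh
# Constructed sample lines in the sshd syslog format found in /var/log/auth.log
# (Ubuntu) and /var/log/secure (CentOS). Usernames, ports, PIDs and every
# address except 195.9.109.190 are made up (RFC 5737 documentation ranges).
ubuntu_sample() {
cat <<'EOF'
Mar  3 10:15:01 ubuntu-exp sshd[2101]: Invalid user admin from 195.9.109.190 port 51234
Mar  3 10:15:03 ubuntu-exp sshd[2101]: Failed password for invalid user admin from 195.9.109.190 port 51234 ssh2
Mar  3 10:16:40 ubuntu-exp sshd[2107]: Failed password for root from 203.0.113.7 port 40022 ssh2
Mar  3 10:20:12 ubuntu-exp sshd[2110]: Accepted publickey for ubuntu from 198.51.100.20 port 50500 ssh2
EOF
}
centos_sample() {
cat <<'EOF'
Mar  3 10:17:22 test sshd[1388]: Failed password for invalid user oracle from 195.9.109.190 port 51990 ssh2
Mar  3 10:17:25 test sshd[1388]: Failed password for invalid user oracle from 195.9.109.190 port 51990 ssh2
Mar  3 10:19:02 test sshd[1391]: Failed password for root from 192.0.2.44 port 33100 ssh2
EOF
}

# Usage: common_offenders LOG1 LOG2
# Prints "ip failures_in_LOG1 failures_in_LOG2" for sources that failed on both.
# The username is client-supplied text, so the address is located by scanning
# from the end of the line for the "from <ip> port" triple.
common_offenders() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = NF - 1; i > 1; i--)
        if ($(i-1) == "from" && $(i+1) == "port") { n[FILENAME, $i]++; ips[$i]; break }
    }
    END {
      for (ip in ips)
        if (n[ARGV[1], ip] && n[ARGV[2], ip])
          print ip, n[ARGV[1], ip], n[ARGV[2], ip]
    }' "$1" "$2" | sort
}

demo() {
  dir=$(mktemp -d) || return 1
  ubuntu_sample > "$dir/auth.log"
  centos_sample > "$dir/secure"
  common_offenders "$dir/auth.log" "$dir/secure"
  rm -rf "$dir"
}

demo
```

On real machines, copy one host's log next to the other and run `common_offenders /var/log/auth.log secure-from-centos`, or feed it files saved from the journalctl commands shown earlier.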
