How to Find All Failed SSH login Attempts in Linux?

An SSH server gives us a secure, encrypted communication channel between two untrusted hosts over an insecure network. Still, that does not mean the server itself is safe: an SSH daemon exposed to the network is a constant target for password-guessing and brute-force attacks.

To enable and start the SSH server, the commands could be executed in the following ways:

sudo systemctl enable ssh
sudo systemctl start ssh

To check the running status of the server execute the following command.

sudo systemctl status ssh

Each attempt to log in to an SSH server is recorded in a log file by the rsyslog daemon (/var/log/auth.log on Debian-based systems, /var/log/secure on RHEL-based systems). We can easily inspect this file with the cat and grep commands.

A failed login attempt can have several causes. The three most common are listed below:

  • Typo: a typing error in an otherwise correct password
  • Wrong password: a user trying to log in with a password that is not the correct one
  • Brute-force attack: an attacker trying combinations of common user IDs and dictionary passwords

With either of the two commands given below we can view all failed password attempts:

grep "Failed password" /var/log/auth.log

cat /var/log/auth.log | grep "Failed password"

To also catch lines that mention a failure in other wording (for example PAM "authentication failure" messages), use the command below:

egrep "Failed|Failure" /var/log/auth.log
# egrep works the same way as grep -E (extended regular expressions)

To extract only the source IP address from these log lines, use the command below. It prints each IP address together with the number of times a failed password line was generated from it, most frequent first. Note that the input must be sorted before uniq -c, because uniq only counts adjacent duplicates. Also note that $11 is the address only on lines for existing accounts ("Failed password for root from ..."); on lines for an unknown account ("Failed password for invalid user admin from ...") the two extra words shift the address to $13.

grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr

The command works in the following way:

  1. grep selects the lines containing “Failed password” from /var/log/auth.log (or /var/log/secure on RHEL-based systems)
  2. awk (or cut) prints only the IP address / hostname field from each line
  3. sort groups identical addresses together so they can be counted
  4. uniq -c prints the total number of failed attempts for each address, and the final sort -nr orders the result with the highest count first

Similarly, you can print the PAM authentication failure lines to the terminal. These lines carry the remote host in an rhost= token, so the command below selects that token directly instead of counting columns (the column number changes with the syslog timestamp format, which is why a fixed awk field is unreliable here):

grep "authentication failure" /var/log/auth.log | grep -o 'rhost=[^ ]*' | cut -d= -f2 | sort | uniq -c
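The two counting pipelines above are sensitive to the exact log line layout. The script below is an added example, not part of the original article: it runs both counts over a small constructed sample of sshd log lines (host name, PIDs and addresses are made up) and picks the address by looking for the word that follows "from" or the rhost= token, so it counts correctly whether or not a line contains "invalid user". The function names failed_by_ip and pam_failures_by_host are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): count failed SSH logins per
# source address from sshd log lines without relying on a fixed awk column.
# SAMPLE_LOG is constructed; host name, PIDs and addresses are made up.

SAMPLE_LOG='Jan 10 12:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 10 12:00:05 host1 sshd[1203]: Failed password for alice from 198.51.100.2 port 40000 ssh2
Jan 10 12:00:07 host1 sshd[1204]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
Jan 10 12:00:09 host1 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 10 12:00:11 host1 sshd[1206]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.9  user=root'

# Read log lines on stdin and print "count ip" for every source address with
# at least one "Failed password" line, most frequent first. The address is the
# word after "from", so lines with "invalid user" are counted correctly too.
failed_by_ip() {
    grep "Failed password" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Same idea for PAM "authentication failure" lines: take the rhost= token
# instead of a column number, which shifts with the timestamp format.
pam_failures_by_host() {
    grep "authentication failure" \
      | grep -o 'rhost=[^ ]*' | cut -d= -f2 \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Wrappers that take the log text as a string argument instead of stdin.
failed_by_ip_str() { printf '%s\n' "$1" | failed_by_ip; }
pam_failures_by_host_str() { printf '%s\n' "$1" | pam_failures_by_host; }

# Run both counts against the constructed sample when executed directly.
echo "Failed password attempts per IP:"
failed_by_ip_str "$SAMPLE_LOG"
echo "PAM authentication failures per rhost:"
pam_failures_by_host_str "$SAMPLE_LOG"
```

To run it against a real log, replace the sample with the file: `failed_by_ip < /var/log/auth.log`. The "Accepted publickey" line in the sample is there to show that successful logins are not counted.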

Alternatively, on systems that use systemd, we can read the same messages from the journal with the journalctl command (the unit is called ssh.service on Debian-based systems and sshd.service on RHEL-based systems):

journalctl _SYSTEMD_UNIT=ssh.service | egrep "Failed|Failure"

Checking the Settings

It is good practice to check the settings that control what happens after repeated failed login attempts. These live in the Linux Pluggable Authentication Modules (PAM) configuration: /etc/pam.d/common-auth on Debian-based systems, or /etc/pam.d/password-auth on RHEL-based systems, for example:

cat /etc/pam.d/password-auth

Settings within this file control the number of failed login attempts allowed before the account is temporarily locked, and how long that temporary lock lasts.

The following line has PAM lock an account temporarily after three failed login attempts. The lockout lasts for 300 seconds, that is 5 minutes. Note that pam_tally2 was removed in Linux-PAM 1.5.0; on current distributions the same policy is configured with pam_faillock instead.

auth required pam_tally2.so deny=3 unlock_time=300

Occasional failed logins are to be expected, but it is still crucial to identify the failed login attempts against your server. Any IP address that repeatedly hits your server should be identified promptly and blocked in the firewall so that a potential attack on the server can be stopped early.