SSH (Secure Shell) is used for communicating between two computers to transmit data over the Internet. On Linux, all records of SSH login attempts are saved in a log file named “auth.log” on Ubuntu/Debian or “secure” on Fedora/CentOS/RHEL. Checking the record of SSH login attempts helps the user monitor for unwanted and illegal activity.
This article covers the various ways to find all SSH login attempts in Linux.
- Find All Access SSH Login Attempts in Linux
  - Using grep Command
    - Successful Attempts
    - Unsuccessful Attempts
  - Using journalctl Command
    - Successful Attempts
    - Unsuccessful Attempts
  - Using cat & egrep Commands
    - Successful Attempts
    - Unsuccessful Attempts
How to Find All Access SSH Login Attempts in Linux?
When the user successfully connects to another computer over SSH, the log of that session is stored in the “auth.log” or “secure” file located under the directory “/var/log”. The user can print these logs and filter them for successful and unsuccessful login attempts, as shown in the following examples:
Method 1: SSH Access Login Attempts Using grep Command
Successful and unsuccessful login attempts are saved in the log files with the word “opened” or “Failed”, respectively. The user can use the grep command to search the file for these records:
Successful Login Attempts
To display all opened/successful login attempts, use the “grep” command with the “-E” option as follows:
$ grep -E "opened" /var/log/auth.log #For Debian/Ubuntu
$ grep -E "opened" /var/log/secure #For Fedora/CentOS/RHEL
All opened/successful SSH login attempts are displayed.
Unsuccessful Login Attempts
To display all failed login attempts, use the grep command to match “Failed” in the “auth.log” or “secure” file:
$ grep -E "Failed" /var/log/auth.log #For Debian/Ubuntu
$ grep -E "Failed" /var/log/secure #For Fedora/CentOS/RHEL
All failed/unsuccessful login attempts have been displayed.
Method 2: SSH Access Login Attempts Using journalctl Command
The user can also use the journalctl command to view the logs (successful and unsuccessful) of the SSH service.
Successful Login Attempts
To print all successful/opened journalctl logs for SSH connections, use the following command. Here the “-u” flag selects the particular unit, and the “-g” flag gives the grep pattern to match:
$ journalctl -u ssh.service -g opened
The logs for successful/opened SSH connections are displayed.
Unsuccessful Login Attempts
Likewise, to display unsuccessful/failed journalctl logs for SSH connections, use the command below:
$ journalctl -u ssh.service -g failed
The journalctl logs for failed SSH login attempts are displayed.
Method 3: SSH Access Login Attempts Using cat & egrep Commands
The user can also print all successful/unsuccessful SSH login attempts using the cat command and the “egrep” command (run here as its equivalent, “grep -E”).
Successful Login Attempts
To display successful SSH login attempts using the cat and egrep commands, run the commands below for the respective Linux distributions:
$ cat /var/log/auth.log | grep -E "opened" #For Debian/Ubuntu
$ cat /var/log/secure | grep -E "opened" #For Fedora/CentOS/RHEL
All opened/successful SSH connections are retrieved.
Unsuccessful Login Attempts
Correspondingly, to display all unsuccessful/failed SSH login attempts, execute the below commands:
$ cat /var/log/auth.log | grep -E "Failed" #For Debian/Ubuntu
$ cat /var/log/secure | grep -E "Failed" #For Fedora/CentOS/RHEL
All failed/unsuccessful SSH login attempts are retrieved.
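The keyword matches above also return lines from other services, since a bare “opened” matches cron and sudo session lines as well as sshd. The following added example (not part of the original article) restricts the search to sshd lines and summarises failed attempts per source address and accepted logins; the function names, host name, users and log lines are constructed for illustration and assume the standard OpenSSH syslog message format.

```shell
#!/bin/sh
# Constructed sample in auth.log/secure format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Mar  3 10:01:12 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar  3 10:01:15 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 40114 ssh2
Mar  3 10:02:40 host1 sshd[1210]: Failed password for alice from 198.51.100.7 port 51522 ssh2
Mar  3 10:03:01 host1 sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 51530 ssh2: ED25519 SHA256:CONSTRUCTED
Mar  3 10:03:01 host1 sshd[1215]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  3 10:05:01 host1 CRON[1300]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar  3 10:06:10 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 10:07:33 host1 sshd[1322]: Failed password for invalid user test from 203.0.113.5 port 40200 ssh2
EOF
}

# Failed password attempts per source IP, highest count first.
# The user name is supplied by the client, so the IP is read from the
# fixed tail of the message ("from <ip> port <n> ssh2"), not from the front.
ssh_failed_by_ip() {
    awk '/ sshd\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Accepted logins as "user ip method" (method is password, publickey, ...).
ssh_accepted() {
    awk '/ sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++)
                 if ($i == "Accepted") { print $(i+3), $(i+5), $(i+1); break }
         }' "$1"
}

# Count only sessions opened by sshd, ignoring cron, sudo and other services.
ssh_sessions_opened() {
    grep -c 'pam_unix(sshd:session): session opened' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp"
ssh_failed_by_ip "$tmp"
ssh_accepted "$tmp"
ssh_sessions_opened "$tmp"
rm -f "$tmp"
```

To run the functions against a real system, pass “/var/log/auth.log” or “/var/log/secure” as the argument instead of the temporary sample file.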
Conclusion
To find all SSH login attempts, use “grep” or the combination of “cat” and “egrep” on the “/var/log/auth.log” file, or use “journalctl” for the SSH service. On other Linux distributions, users can display all SSH login attempts via the “/var/log/secure” file.
This blog has illuminated the various methods to find all SSH login attempts in Linux.