How to Find All Access SSH Login Attempts in Linux?

SSH (Secure Shell) is used for communication between two computers and for transmitting data over the Internet. On Linux, SSH login attempts are recorded in the “auth.log” file on Ubuntu/Debian, or in the “secure” file on Fedora/CentOS/RHEL. Checking the record of SSH login attempts helps the user monitor for unwanted and unauthorized activity.

This article covers the various ways to find all SSH login attempts in Linux.

  • Find All Access SSH Login Attempts in Linux
  • Using grep Command
    • Successful Attempts
    • Unsuccessful Attempts
  • Using journalctl Command
    • Successful Attempts
    • Unsuccessful Attempts
  • Using cat & egrep Commands
    • Successful Attempts
    • Unsuccessful Attempts

How to Find All Access SSH Login Attempts in Linux?

When the user successfully connects to another computer via SSH, the log of that session is stored in the “auth.log” or “secure” file under the “/var/log” directory. The user can print these logs and filter them for successful and unsuccessful login attempts, as shown in the following examples:

Method 1: SSH Access Login Attempts Using grep Command

Successful and unsuccessful login attempts are logged with the word “opened” or “Failed”, respectively. The user can use the grep command to search the log file for these records:

Successful Login Attempts

To display all opened/successful login attempts, use the “grep” command with the “-E” option as follows:

$ grep -E "opened" /var/log/auth.log          #For Debian/Ubuntu
$ grep -E "opened" /var/log/secure            #For Fedora/CentOS/RHEL

All opened/successful SSH login attempts are displayed.

Unsuccessful Login Attempts

To display all failed login attempts, use the grep command with “Failed” to match it in the “auth.log” file:

$ grep -E "Failed" /var/log/auth.log           #For Debian/Ubuntu
$ grep -E "Failed" /var/log/secure             #For Fedora/CentOS/RHEL

All failed/unsuccessful login attempts have been displayed.

Method 2: SSH Access Login Attempts Using journalctl Command

The user can also use the journalctl command to view the logs (successful and unsuccessful) of the SSH service.

Successful Login Attempts

To print all successful/opened journalctl logs for SSH connections, use the following command. Here, the “-u” flag selects a particular unit, and the “-g” flag gives the grep pattern to match:

$ journalctl -u ssh.service -g opened

The logs for successful/opened SSH connections are displayed. 

Unsuccessful Login Attempts

Likewise, to display unsuccessful/failed journalctl logs for SSH connection, use the below command:

$ journalctl -u ssh.service -g failed

The journalctl logs for failed SSH login attempts are displayed.

Method 3: SSH Access Login Attempts Using cat & egrep Commands

The user can also print all successful/unsuccessful SSH login attempts by piping the output of the cat command into “egrep”. The commands below use “grep -E”, which is equivalent to “egrep”.

Successful Login Attempts

To display successful SSH login attempts using the cat and egrep commands, run the below-given command for different Linux distributions:

$ cat /var/log/auth.log | grep -E "opened"           #For Debian/Ubuntu
$ cat /var/log/secure | grep -E "opened"             #For Fedora/CentOS/RHEL

All opened/successful SSH connections are retrieved.

Unsuccessful Login Attempts

Correspondingly, to display all unsuccessful/failed SSH login attempts, execute the below commands:

$ cat /var/log/auth.log | grep -E "Failed"         #For Debian/Ubuntu
$ cat /var/log/secure | grep -E "Failed"           #For Fedora/CentOS/RHEL

All failed/unsuccessful SSH login attempts are retrieved.
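
The patterns “opened” and “Failed” used above match any line containing those words, and “session opened” lines are also written for cron and sudo. The following script is an added example, not part of the original article: it restricts matching to sshd lines, counts failed attempts per source address, and lists accepted logins. The log lines are constructed sample data and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample lines in auth.log format (not real log data).
sample_log() {
cat <<'EOF'
Mar 10 09:01:11 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 09:01:15 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar 10 09:01:19 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 10 09:02:40 host1 sshd[1210]: Failed password for alice from 198.51.100.23 port 41000 ssh2
Mar 10 09:03:02 host1 sshd[1215]: Accepted publickey for alice from 198.51.100.23 port 41010 ssh2: ED25519 SHA256:EXAMPLE
Mar 10 09:03:02 host1 sshd[1215]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar 10 09:05:01 host1 CRON[1300]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar 10 09:06:30 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
EOF
}

# Count only the "session opened" lines that belong to sshd.
sshd_sessions() {
  grep -cF 'pam_unix(sshd:session): session opened'
}

# Print "count ip" per source of failed SSH password attempts, busiest first.
# The username is attacker-chosen text, so take the LAST "from" token.
failed_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for / {
         for (i = NF; i > 1; i--) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "user ip method" for each accepted SSH login.
accepted_logins() {
  awk '/sshd\[[0-9]+\]: Accepted / {
         for (i = 1; i <= NF; i++)
           if ($i == "Accepted") { print $(i + 3), $(i + 5), $(i + 1); break }
       }'
}

# Run against the sample; on a real host, feed /var/log/auth.log or /var/log/secure.
echo "lines matching 'opened': $(sample_log | grep -c opened)"
echo "sshd sessions opened:    $(sample_log | sshd_sessions)"
sample_log | failed_by_ip
sample_log | accepted_logins
```

On a real system the functions read standard input, for example `failed_by_ip < /var/log/auth.log`.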

Conclusion

To find all SSH login attempts, use the “grep” command, the “journalctl” command, or the combination of the “cat” and “egrep” commands on the “/var/log/auth.log” file. On other Linux distributions, users can display all SSH login attempts from the “/var/log/secure” file instead.

This blog has illuminated the various methods to find all SSH login attempts in Linux.