Monitoring failed login attempts on LinuxFailed logins can be legitimate human error or attempts to hack your Linux system, but either way they might flag something that warrants attention.

Repeated failed login attempts on a Linux server can indicate that someone is trying to break into an account or might only mean that someone forgot their password or is mistyping it. In this post, we look at how you can check for failed login attempts and check your system’s settings to see when accounts will be locked to deal with the problem.

One of the first things you need to know is how to check if logins are failing. The command below looks for indications of failed logins in the /var/log/auth.log file used on Ubuntu and related systems. When someone tries logging in with a wrong or misspelled password, failed logins will show up as in the lines below:

$ sudo grep “Failed password” /var/log/auth.log | head -3
Nov 17 15:08:39 localhost sshd[621893]: Failed password for nemo from port 8132 ssh2
Nov 17 15:09:13 localhost sshd[621893]: Failed password for nemo from port 8132 ssh2

You could summarize instances of failed logins by account with a command like this:

$ sudo grep “Failed password” /var/log/auth.log | grep -v COMMAND | awk ‘{print $9}’ | sort | uniq -c
22 nemo
1 shs
2 times:

That command summarizes failed logins by username (ninth column in the grep output). It avoids looking at lines containing the word “COMMAND” to skip over inquiries that contain the “Failed passwords” phrase (e.g., someone running the command that was run above). The “times:” string suggests that there were more repeated attempts than the number reported. These come from lines containing “message repeated 5 times:” that may be added to the log file when a password is entered incorrectly a number of times in quick succession.

Another thing you might want to check is where the failed login attempts are coming from. For that, change the field that you’re focusing on from the ninth to the eleventh as in this example:

$ sudo grep “Failed password” /var/log/auth.log | grep -v COMMAND | awk ‘{print $11}’ | sort | uniq -c

It might be especially suspicious, for example, if you’re seeing failed logins for multiple users from a single system.In RHEL, Centos and related systems, you’ll find the messages related to failed logins in the /var/log/secure file. You can use basically the same query as shown above to get a count. Just change the file name as shown here:

$ sudo grep “Failed password” /var/log/secure | awk ‘{print $9}’ | sort | uniq -c
6 nemo

Check settings in the /etc/pam.d/password-auth and /etc/pam.d/system-auth files. Adding lines like these will enforce your settings.

  • Checking faillog

    You might check out the faillog command, but this command looks at the /var/log/faillog file which does not seem to be used on many systems these days. If you use the faillog -a command and get output like that shown below listing 12/31/69 as in the time columns, it’s clear this file is not in use.


Leave a Reply

how can we help you?

Contact us at the Techno|Boss office nearest to you or submit a business inquiry online.

see our gallery

Looking for a First-Class IT partner to power your business?