Support Get Quote

How to analyze Linux login failures

3 min read

User authentication is an important part of network security and auditing of user's login attempts is essential to identify suspicious user behaviors.

Login failures occur:

  1. When the user provides incorrect credentials
  2. When the user doesn't have permission to log in to a specific resource.

Login failure events occurring when a user attempts to connect remotely to a system using SSH or runs su command as a different user needs to be monitored as they are critical and could indicate an intrusion attempt.

This article elaborates the methods to view the SSH login failures.

Steps to viewing SSH login failures

A pluggable authentication module (PAM) logs these type of authentication events and helps to identify malicious and unusual logins.

Here's an example of a failed logon attempt.

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=
Failed password for invalid user robert from port 4791 ssh2
pam_unix(sshd:auth): check pass; user unknown
PAM service(sshd) ignoring max retries; 6 > 3

For effective troubleshooting, it is necessary to identify all such critical logins quickly and take steps accordingly.

Below are the steps to find all SSH failed login attempts.

  1. The basic command to list all SSH failed login attempts is # grep "Failed password" /var/log/auth.log. The same can be achieved by executing the cat command # cat /var/log/auth.log | grep "Failed password".
  2. In order to display extra information about the failed SSH logins, use the following command. # egrep "Failed|Failure" /var/log/auth.log
  3. To display the list of all IP addresses that attempted a login and failed to log in to the SSH server, use the following command. # grep "Failed password" /var/log/auth.log | awk ‘{print $11}’ | uniq -c | sort -nr

Tips: Even though analyzing the above event might look easy, manually performing all the operation is a time-consuming and tedious process. A log management solution can help you to analyze the failed SSH login attempts easily.

EventLog Analyzer, a comprehensive log management solution, collects Syslogs from Linux devices, analyzes them automatically, and provides you with necessary insights such as failed SSH login attempts, SU logons, user logon trends, and more in the form of intuitive reports. Check out more about EventLog Analyzer's Linux log monitoring capability here.


You may also like


Interested in a
log management

Try EventLog Analyzer

Manage logs, comply with IT regulations, and mitigate security threats.

Seamlessly collect, monitor, and analyze
logs with EventLog Analyzer

Your request for a demo has been submitted successfully

Our support technicians will get back to you at the earliest.

By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

  Zoho Corporation Pvt. Ltd. All rights reserved.

Link copied, now you can start sharing