Header Ads

Breaking News

Monitoring failed login attempts on Linux

Repeated failed login attempts on a Linux server can indicate that someone is trying to break into an account or might only mean that someone forgot their password or is mistyping it. In this post, we look at how you can check for failed login attempts and check your system’s settings to see when accounts will be locked to deal with the problem.

One of the first things you need to know is how to check if logins are failing. The command below looks for indications of failed logins in the /var/log/auth.log file used on Ubuntu and related systems. When someone tries logging in with a wrong or misspelled password, failed logins will show up as in the lines below:

$ sudo grep "Failed password" /var/log/auth.log | head -3
Nov 17 15:08:39 localhost sshd[621893]: Failed password for nemo from port 8132 ssh2
Nov 17 15:09:13 localhost sshd[621893]: Failed password for nemo from port 8132 ssh2

You could summarize instances of failed logins by account with a command like this:

$ sudo grep "Failed password" /var/log/auth.log | grep -v COMMAND | awk '{print $9}' | sort | uniq -c
     22 nemo
      1 shs
      2 times:

That command summarizes failed logins by username (ninth column in the grep output). It avoids looking at lines containing the word “COMMAND” to skip over inquiries that contain the “Failed passwords” phrase (e.g., someone running the command that was run above). The “times:” string suggests that there were more repeated attempts than the number reported. These come from lines containing “message repeated 5 times:”  that may be added to the log file when a password is entered incorrectly a number of times in quick succession.

Another thing you might want to check is where the failed login attempts are coming from. For that, change the field that you’re focusing on from  the ninth to the eleventh as in this example:

$ sudo grep "Failed password" /var/log/auth.log | grep -v COMMAND | awk '{print $11}' | sort | uniq -c

It might be especially suspicious, for example, if you’re seeing failed logins for multiple users from a single system.

Copyright © 2020 IDG Communications, Inc.

Source Link

No comments