Guess I’m not the only one who have a lot of unauthorized login attempts via SSH on my Linux servers.
With a simple command, you can watch failed or successful login attempts in /var/log/auth.log.
#As root or via sudo, type this to see all failed login attempts
cat /var/log/auth.log | grep 'sshd.*Invalid'
#If you want to see successful logins, type this
cat /var/log/auth.log | grep 'sshd.*opened'
Anyways, the first thing you should do on a new server is to disable password logins, only allowing logins using private keys.
You can read about it here.
grep is your friend.
grep sshd.*Invalid /var/log/auth
even better! nice contribution
I think this is a better idea.
sudo cat /var/log/auth.log | grep “Accepted password”
then you will see from where the connection came.
The 2nd line came in handy – thanks.
The above greps only – invalid users – logins, it doesn’t include failed logins on existing users :
grep sshd.\*Failed /var/log/auth.log | less
is the proper command to see all failed logins.