I'd like to see if somebody has been trying to log-in by brute-force into my Ubuntu 12.04 server over SSH. How can I see if such activities have been taking place?
All login attempts are logged to /var/log/auth.log
.
Open a terminal, and type the below; if it's longer than 1 page you will be able to scroll up and down; type q
to exit:
grep sshd.\*Failed /var/log/auth.log | less
Here's a real example from one of my VPSs:
Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2 Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2 Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2 Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2 Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2 Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2
Use this command:
grep sshd.*Did /var/log/auth.log | less
Example:
Aug 5 22:19:10 izxvps sshd[7748]: Did not receive identification string from 70.91.222.121 Aug 10 19:39:49 izxvps sshd[1919]: Did not receive identification string from 50.57.168.154 Aug 13 23:08:04 izxvps sshd[3562]: Did not receive identification string from 87.216.241.19 Aug 17 15:49:07 izxvps sshd[5350]: Did not receive identification string from 211.22.67.238 Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments