Failed SSH Logins


I was just browsing through the Ubuntu Forums, and found this post with a little line of bash, which apparently shows the number of failed logins per day.

cat /var/log/auth.log* | grep 'Failed password' | grep sshd | awk '{print $1,$2}' | sort | uniq -c

It’s a tad frightening. If it’s to be believed, 6 days ago, my little server had over 1800 failed logins >.<

If anyone could shed some light on this, I’d be more than grateful.


5 Responses to “Failed SSH Logins”

  1. What you’re seeing is evidence of brute force login attempts. I noticed that your next post is about allowing SSH from anywhere. This is probably contributing to your situation. I’d recommend locking down SSH. Start by removing password authentication, then move on to source IP restrictions.

  2. 2 David

    Meh, my server had 1200 failed logins A DAY a couple months ago. Your IP got scanned and had its port 22 listening, and now its getting bruteforced.

    Try this out for added security, it syncs to a global db of attacking IPs to block:

  3. 3 David

    Oh, right, misread your post as “since 6 days ive had 1600 login attempts”.

  4. Why not using fail2ban ? At least it’ll prevent brute-force attack from the same IP address.

    • 5 evidex

      I’ve actually implemented that since!


%d bloggers like this: