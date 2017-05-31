One of the routine tasks for an administrator is to track successful and failed login attempts, to make sure there are no unwanted or unauthorized attempts against the environment. Reviewing these logs also lets the administrator spot possible security breaches on the servers.

Such attempts may be genuine, may come from a user having trouble accessing the system, or may be generated by malware or automated password-guessing tools.

We wrote an article a long time ago on getting a mail alert about login attempts. If that is what you are looking for, go ahead and read it.

We can read the login attempts straight from the log file with more or less, but the output is cluttered. Alternatively we can try grep, which gives a better report than the previous one, but it is still not enough. So what other option is there for getting a report?

There is a utility called aureport, part of the audit package, which gives much more detailed information about user login attempts.

aureport is a tool that produces summary reports from the audit system logs. It offers many options for producing different reports: successful events, failed events, authentication attempts, summaries, etc. Each report has column labels at the top to help the user understand the values in each column.

How to Install Audit

Most major Linux distributions include the audit package in their official repositories, so simply use the package manager to install it.

For Debian based systems, use the apt or apt-get package manager to install the audit package (the package is named auditd there).

$ sudo apt-get install auditd

For openSUSE, use the zypper package manager to install the audit package.

$ sudo zypper install audit

For Fedora, use the dnf package manager to install the audit package.

$ sudo dnf install audit

For Arch Linux, use the pacman package manager to install the audit package.

$ sudo pacman -S audit

For CentOS/RHEL, use the yum package manager to install the audit package.

$ sudo yum install audit

The audit daemon is normally started by the package installation; if it is not running, start it with the following command.

The systemd unit is named auditd on both Debian and RPM based systems (there is no unit called audit):

$ sudo systemctl start auditd

User authentication logs written through syslog are located at /var/log/secure on RHEL based systems and at /var/log/auth.log on Debian based systems.

We can view the login attempts manually by paging through the log file /var/log/secure, but the output is messy: every session open and close is mixed in with the authentication lines.

# more /var/log/secure
May 21 04:40:25 centos.2daygeek.com sshd[1282]: Accepted password for root from 202.91.66.210 port 51566 ssh2
May 21 04:40:25 centos.2daygeek.com sshd[1282]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 07:05:31 centos.2daygeek.com sshd[19383]: pam_unix(sshd:session): session closed for user nagios
May 21 07:09:14 centos.2daygeek.com sshd[4632]: Accepted password for root from 202.91.66.210 port 34457 ssh2
May 21 07:09:14 centos.2daygeek.com sshd[4632]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 11:21:03 centos.2daygeek.com sshd[11179]: Accepted password for nagios from 202.91.66.210 port 58244 ssh2
May 21 11:21:03 centos.2daygeek.com sshd[11179]: pam_unix(sshd:session): session opened for user nagios by (uid=0)
May 21 11:21:07 centos.2daygeek.com sshd[11179]: pam_unix(sshd:session): session closed for user nagios
May 21 11:22:11 centos.2daygeek.com sshd[4632]: pam_unix(sshd:session): session closed for user nagios
May 21 11:24:14 centos.2daygeek.com sshd[13543]: Accepted password for daygeek from 103.5.134.167 port 58540 ssh2
May 21 11:24:14 centos.2daygeek.com sshd[13543]: pam_unix(sshd:session): session opened for user daygeek by (uid=0)
May 21 13:05:01 centos.2daygeek.com sshd[13543]: pam_unix(sshd:session): session closed for user daygeek
May 21 13:09:14 centos.2daygeek.com sshd[18959]: Accepted password for nagios from 103.5.134.167 port 39901 ssh2
May 21 13:09:14 centos.2daygeek.com sshd[18959]: pam_unix(sshd:session): session opened for user nagios by (uid=0)
May 21 19:04:50 centos.2daygeek.com sshd[18959]: pam_unix(sshd:session): session closed for user nagios
May 21 19:09:14 centos.2daygeek.com sshd[2763]: Accepted password for magi from 103.5.134.167 port 45199 ssh2
May 21 19:09:14 centos.2daygeek.com sshd[2763]: pam_unix(sshd:session): session opened for user magi by (uid=0)

Alternatively we can use grep to print only the lines we care about, which reads much better than the previous output. Note that this pattern only catches password logins; key-based logins are logged as "Accepted publickey".

# grep "Accepted password" /var/log/secure | more
May 21 04:40:25 centos.2daygeek.com sshd[1282]: Accepted password for daygeek from 49.206.124.143 port 51566 ssh2
May 21 07:09:14 centos.2daygeek.com sshd[4632]: Accepted password for nagios from 49.206.124.143 port 34457 ssh2
May 21 11:21:03 centos.2daygeek.com sshd[11179]: Accepted password for root from 49.206.124.143 port 58244 ssh2
May 21 11:24:14 centos.2daygeek.com sshd[13543]: Accepted password for root from 202.91.66.210 port 58540 ssh2
May 21 13:09:14 centos.2daygeek.com sshd[18959]: Accepted password for magi from 202.91.66.210 port 39901 ssh2
May 21 19:09:14 centos.2daygeek.com sshd[2763]: Accepted password for nagios from 103.5.134.167 port 45199 ssh2
May 21 20:59:54 centos.2daygeek.com sshd[13400]: Accepted password for magi from 202.91.66.210 port 52182 ssh2
May 21 23:21:23 centos.2daygeek.com sshd[13173]: Accepted password for nagios from 103.5.134.167 port 40548 ssh2
May 21 23:24:14 centos.2daygeek.com sshd[15211]: Accepted password for magi from 103.5.134.167 port 40836 ssh2
May 22 01:09:14 centos.2daygeek.com sshd[21991]: Accepted password for nagios from 103.5.134.167 port 50001 ssh2
May 22 07:09:14 centos.2daygeek.com sshd[8409]: Accepted password for nagios from 103.5.134.167 port 55039 ssh2
May 22 07:22:36 centos.2daygeek.com sshd[17449]: Accepted password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 07:25:03 centos.2daygeek.com sshd[19215]: Accepted password for daygeek from 192.168.47.205 port 55044 ssh2
May 22 07:27:34 centos.2daygeek.com sshd[21729]: Accepted password for daygeek from 192.168.47.205 port 55045 ssh2
May 22 08:20:36 centos.2daygeek.com sshd[17353]: Accepted password for daygeek from 61.3.195.202 port 50232 ssh2

The same approach for failed attempts. Lines containing "invalid user" are attempts against usernames that do not exist on the system, which is a typical sign of credential guessing rather than a user mistyping a password.

# grep "Failed password" /var/log/secure | more
May 21 20:59:51 centos.2daygeek.com sshd[13400]: Failed password for daygeek from 10.10.21.133 port 52182 ssh2
May 22 07:22:31 centos.2daygeek.com sshd[17449]: Failed password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 13:29:23 centos.2daygeek.com sshd[25311]: Failed password for invalid user mageshm from 27.62.198.62 port 57841 ssh2
May 22 13:29:42 centos.2daygeek.com sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:29:47 centos.2daygeek.com sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:30:09 centos.2daygeek.com sshd[25709]: Failed password for root from 27.62.198.62 port 57863 ssh2
May 22 13:55:54 centos.2daygeek.com sshd[24770]: Failed password for daygeek from 27.62.198.62 port 54027 ssh2
May 22 14:33:06 centos.2daygeek.com sshd[17271]: Failed password for root from 27.62.198.62 port 59753 ssh2
May 22 16:16:08 centos.2daygeek.com sshd[15646]: Failed password for invalid user 2daygeek from 202.91.66.210 port 60493 ssh2
May 22 16:16:24 centos.2daygeek.com sshd[15646]: Failed password for invalid user magesh from 202.91.66.210 port 60493 ssh2
May 23 09:23:39 centos.2daygeek.com sshd[2730]: Failed password for root from 192.168.47.213 port 62746 ssh2
May 24 08:17:59 centos.2daygeek.com sshd[2271]: Failed password for daygeek from 192.168.47.216 port 57381 ssh2
May 24 11:27:08 centos.2daygeek.com sshd[28860]: Failed password for invalid user mageshm from 202.91.66.210 port 52607 ssh2
May 25 09:42:33 centos.2daygeek.com sshd[4357]: Failed password for root from 27.62.198.62 port 65350 ssh2
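The grep output above still has to be read line by line. The script below is an added example, not part of the original article: it uses awk over the same syslog-style sshd lines to count failures per source address, list the nonexistent usernames that were tried, flag sources above a failure threshold, and count successful logins per account including public-key logins, which a grep for "Accepted password" misses. The log lines it reads are constructed for the demo; point the functions at /var/log/secure or /var/log/auth.log on a real host.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): first-pass triage of sshd
# authentication lines from a syslog-style auth log with awk.
set -u
export LC_ALL=C          # deterministic sort order

# Constructed sample in the format sshd writes through syslog.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 22 07:22:31 centos sshd[17449]: Failed password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 07:22:36 centos sshd[17449]: Accepted password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 13:29:23 centos sshd[25311]: Failed password for invalid user mageshm from 27.62.198.62 port 57841 ssh2
May 22 13:29:42 centos sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:29:47 centos sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:30:09 centos sshd[25709]: Failed password for root from 27.62.198.62 port 57863 ssh2
May 22 14:33:06 centos sshd[17271]: Failed password for root from 27.62.198.62 port 59753 ssh2
May 22 16:16:08 centos sshd[15646]: Failed password for invalid user 2daygeek from 202.91.66.210 port 60493 ssh2
May 22 16:16:24 centos sshd[15646]: Failed password for invalid user magesh from 202.91.66.210 port 60493 ssh2
May 22 16:16:40 centos sshd[15646]: Accepted password for magi from 202.91.66.210 port 60493 ssh2
May 23 09:23:39 centos sshd[2730]: Failed password for root from 192.168.47.213 port 62746 ssh2
May 23 09:23:50 centos sshd[2730]: Accepted publickey for daygeek from 192.168.47.213 port 62746 ssh2: RSA SHA256:constructed
EOF

# Failed password attempts per source address, most active source first.
# The user is the token before "from" and the address the token after it,
# which works for both "for USER from" and "for invalid user USER from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Sources with at least THRESHOLD failures: candidates for blocking or closer review.
# Usage: flag_brute_force FILE THRESHOLD
flag_brute_force() {
    failed_by_source "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

# Usernames that do not exist on the system but were tried anyway.
invalid_users() {
    awk '/sshd\[[0-9]+\]: Failed password for invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i-1); break }
         }' "$1" | sort -u
}

# Successful logins per account, counting password and public-key methods.
accepted_by_account() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i-1)]++; break }
         }
         END { for (u in n) print n[u], u }' "$1" | sort -rn
}

echo "== failed attempts by source =="
failed_by_source "$SAMPLE_LOG"
echo "== sources with 3 or more failures =="
flag_brute_force "$SAMPLE_LOG" 3
echo "== nonexistent usernames tried =="
invalid_users "$SAMPLE_LOG"
echo "== successful logins by account =="
accepted_by_account "$SAMPLE_LOG"
```

On the sample, 27.62.198.62 accounts for five of the nine failures and is the only source flagged at a threshold of 3, while daygeek shows two successful logins because the public-key login is counted alongside the password one. Run the functions against the real file and compare the flagged sources with the expected administrative networks.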

As we mentioned at the beginning of the article, aureport gives more detailed output. It reads the audit daemon's own log, /var/log/audit/audit.log, not /var/log/secure, so it only covers events recorded since auditd was running. To get an authentication report of all attempts, use -au; the -i option interprets numeric values such as UIDs into names:

# aureport -au -i | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/09/2017 19:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 98872
2. 05/09/2017 19:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 98875
3. 05/09/2017 23:20:33 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 100145
4. 05/09/2017 23:20:33 daygeek 103.5.134.167 ssh /usr/sbin/sshd yes 100148
5. 05/09/2017 23:24:18 root 203.99.204.108 ssh /usr/sbin/sshd yes 100196
6. 05/09/2017 23:24:18 daygeek 103.5.134.167 ssh /usr/sbin/sshd yes 100199
7. 05/10/2017 01:09:18 daygeek 203.99.204.108 ssh /usr/sbin/sshd yes 100834
8. 05/10/2017 01:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 100837
9. 05/10/2017 03:53:27 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101649
10. 05/10/2017 03:53:27 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101652
11. 05/10/2017 03:54:17 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101666
12. 05/10/2017 03:54:17 root 192.168.47.220 ssh /usr/sbin/sshd yes 101669
13. 05/10/2017 03:54:25 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101699
14. 05/10/2017 03:54:25 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101702
15. 05/10/2017 07:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 102675

To get an authentication report of only the successful attempts:

# aureport -au -i --success | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/09/2017 19:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 98872
2. 05/09/2017 19:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 98875
3. 05/09/2017 23:20:33 root 203.99.204.108 ssh /usr/sbin/sshd yes 100145
4. 05/09/2017 23:20:33 root 103.5.134.167 ssh /usr/sbin/sshd yes 100148
5. 05/09/2017 23:24:18 root 203.99.204.108 ssh /usr/sbin/sshd yes 100196
6. 05/09/2017 23:24:18 root 103.5.134.167 ssh /usr/sbin/sshd yes 100199
7. 05/10/2017 01:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 100834
8. 05/10/2017 01:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 100837
9. 05/10/2017 03:53:27 daygeek 27.62.198.62 ssh /usr/sbin/sshd yes 101649
10. 05/10/2017 03:53:27 daygeek 192.168.47.220 ssh /usr/sbin/sshd yes 101652
11. 05/10/2017 03:54:17 daygeek 27.62.198.62 ssh /usr/sbin/sshd yes 101666
12. 05/10/2017 03:54:17 daygeek 192.168.47.220 ssh /usr/sbin/sshd yes 101669
13. 05/10/2017 03:54:25 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101699
14. 05/10/2017 03:54:25 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101702
15. 05/10/2017 07:09:18 magi 203.99.204.108 ssh /usr/sbin/sshd yes 102675

To get an authentication report of only the failed attempts. Note that the report is not limited to SSH: entry 5 below is a failed su on a local terminal, which a grep of sshd lines would never show.

# aureport -au -i --failed | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/10/2017 08:57:12 nagios 27.62.198.62 ssh /usr/sbin/sshd no 103306
2. 05/10/2017 08:57:12 daygeek 27.62.198.62 ssh /usr/sbin/sshd no 103307
3. 05/10/2017 18:24:09 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 106449
4. 05/10/2017 18:24:09 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 106450
5. 05/11/2017 10:33:24 daygeek ? pts/1 /bin/su no 111616
6. 05/15/2017 04:23:01 magi 192.168.47.216 ssh /usr/sbin/sshd no 138696
7. 05/15/2017 04:23:01 magi 192.168.47.216 ssh /usr/sbin/sshd no 138697
8. 05/15/2017 07:57:08 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 139694
9. 05/15/2017 07:57:08 daygeek 192.168.47.205 ssh /usr/sbin/sshd no 139695
10. 05/15/2017 09:00:12 root 202.91.66.210 ssh /usr/sbin/sshd no 140086
11. 05/15/2017 09:00:12 root 202.91.66.210 ssh /usr/sbin/sshd no 140087
12. 05/15/2017 09:00:16 root 202.91.66.210 ssh /usr/sbin/sshd no 140088
13. 05/15/2017 09:00:16 root 202.91.66.210 ssh /usr/sbin/sshd no 140089
14. 05/15/2017 09:15:27 root 202.91.66.210 ssh /usr/sbin/sshd no 140191
15. 05/15/2017 09:15:27 root 202.91.66.210 ssh /usr/sbin/sshd no 140192

To get the login report (-l) for successful logins. Without -i the auid column is shown as a raw number:

# aureport -l --success | more

Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/09/2017 18:04:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98561
2. 05/09/2017 18:09:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98577
3. 05/09/2017 18:14:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98599
4. 05/09/2017 18:19:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98619
5. 05/09/2017 18:24:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98645
6. 05/09/2017 18:29:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98661
7. 05/09/2017 18:34:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98683
8. 05/09/2017 18:39:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98711
9. 05/09/2017 18:44:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98749
10. 05/09/2017 18:49:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98773
11. 05/09/2017 18:54:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98799
12. 05/09/2017 18:59:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98819
13. 05/09/2017 19:04:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98847
14. 05/09/2017 19:09:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98883
15. 05/09/2017 19:14:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98905

To get the login report for failed logins. The (unknown) entries are attempts against usernames that do not exist on the system, the same events that appear as "invalid user" in the grep output above:

# aureport -l --failed | more

Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/16/2017 04:31:17 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146741
2. 05/16/2017 04:31:24 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146751
3. 05/16/2017 04:32:34 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146761
4. 05/16/2017 04:33:22 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146771
5. 05/16/2017 04:33:50 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146785
6. 05/16/2017 04:56:41 magi 192.168.47.183 ssh /usr/sbin/sshd no 146897
7. 05/16/2017 14:25:25 (unknown) 192.168.47.205 ssh /usr/sbin/sshd no 149996
8. 05/17/2017 06:56:10 daygeek 192.168.47.216 ssh /usr/sbin/sshd no 154833
9. 05/17/2017 13:54:31 (unknown) 10.60.20.91 ssh /usr/sbin/sshd no 157344
10. 05/22/2017 16:03:10 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 198466
11. 05/22/2017 16:16:28 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 198569
12. 05/24/2017 11:27:19 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 215432
13. 05/25/2017 10:46:16 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 225206

To get a summary of successful logins per account, combine --summary with -i so the audit UIDs are resolved to account names:

# aureport -l --success --summary -i | more

Success Login Summary Report
============================
total auid
============================
471 root
374 daygeek
53 magi
44 nagios
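To see where the aureport columns come from, the script below is an added example, not part of the original article or of the audit package: it rebuilds the core of the authentication and login reports with awk from raw records in the layout /var/log/audit/audit.log uses (type=USER_AUTH for -au, type=USER_LOGIN for -l, each carrying msg=audit(EPOCH:SERIAL) and key=value fields). The records are constructed for the demo, and the timestamp is left as epoch seconds where aureport prints a local date and time. The "event" column is the serial after the colon in msg=audit(...), which you can hand to ausearch -a to pull every record of that event.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a minimal re-implementation of
# "aureport -au" / "aureport -l" over raw audit records, to show which fields
# the report columns are built from.
set -u
export LC_ALL=C

# Constructed sample in the layout of /var/log/audit/audit.log.
SAMPLE_AUDIT="$(mktemp)"
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat > "$SAMPLE_AUDIT" <<'EOF'
type=USER_AUTH msg=audit(1494357558.101:98872): pid=1282 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="nagios" exe="/usr/sbin/sshd" hostname=103.5.134.167 addr=103.5.134.167 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1494357558.250:98873): pid=1282 uid=0 auid=1002 ses=3 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=103.5.134.167 addr=103.5.134.167 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1494407832.410:103306): pid=5521 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="nagios" exe="/usr/sbin/sshd" hostname=27.62.198.62 addr=27.62.198.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1494407832.415:103307): pid=5522 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="daygeek" exe="/usr/sbin/sshd" hostname=27.62.198.62 addr=27.62.198.62 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1494407832.500:103308): pid=5521 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="mageshm" exe="/usr/sbin/sshd" hostname=27.62.198.62 addr=27.62.198.62 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1494500004.202:111616): pid=9011 uid=1000 auid=1000 ses=12 msg='op=PAM:authentication grantors=? acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=failed'
EOF

# Print selected fields of matching records, one record per line.
# Usage: audit_fields FILE TYPE [success|failed]
# Output columns: event-serial epoch acct addr terminal exe res
audit_fields() {
    awk -v want_type="$2" -v want_res="${3:-}" -v SQ="'" '
        # Value of KEY=... in the current record; "?" when absent (as aureport prints it).
        # Keys are matched at the start of the line or after a space, so "id" does
        # not match "pid" or "uid"; quoted values keep embedded spaces.
        function kv(key,    s) {
            if (!match($0, "(^| )" key "=(\"[^\"]*\"|[^ " SQ "]+)")) return "?"
            s = substr($0, RSTART, RLENGTH)
            sub(/^ ?[^=]*=/, "", s); gsub(/"/, "", s)
            return s
        }
        kv("type") == want_type {
            res = kv("res")
            if (want_res != "" && res != want_res) next
            # msg=audit(EPOCH.MS:SERIAL) carries the timestamp and the event id
            match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)
            split(substr($0, RSTART + 6, RLENGTH - 7), t, /[.:]/)
            # USER_LOGIN records the account as id= (numeric uid) on success
            # and as acct= (the name that was tried) on failure
            acct = kv("acct"); if (acct == "?") acct = kv("id")
            print t[3], t[1], acct, kv("addr"), kv("terminal"), kv("exe"), res
        }' "$1"
}

# Equivalent of "aureport -au --failed": failed authentications from any program.
failed_auth() { audit_fields "$1" USER_AUTH failed; }

# Equivalent of "aureport -l --success --summary" without -i: logins per numeric uid.
login_summary() {
    audit_fields "$1" USER_LOGIN success | awk '{ n[$3]++ } END { for (u in n) print n[u], u }' | sort -rn
}

echo "== failed authentications (event epoch acct addr term exe res) =="
failed_auth "$SAMPLE_AUDIT"
echo "== failed logins =="
audit_fields "$SAMPLE_AUDIT" USER_LOGIN failed
echo "== successful logins per uid =="
login_summary "$SAMPLE_AUDIT"
```

The failed su shows up in the USER_AUTH output with addr "?" and terminal pts/1, exactly as it does in aureport -au --failed, and the failed login to the nonexistent account mageshm is the kind of record aureport -l --failed renders as (unknown). Resolving the uid in the summary to a name is what -i does with /etc/passwd; it is left numeric here so the script has no dependency on the local account database.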