How to track successful and failed login attempts in Linux

One of the routine tasks of an administrator is to track successful and failed login attempts, to make sure there are no unwanted or unauthorized attempts on the environment. Reviewing these logs also helps identify possible security breaches on the servers.

The goal is to work out whether an attempt was genuine, whether a user simply had trouble accessing the system, or whether the attempts are coming from malware or an automated password-guessing tool.

We have written several articles in the past on receiving email alerts upon user login attempts. To learn more, please visit the following links:

Login information is stored in plain-text log files, so it can be viewed manually with the ‘more’ or ‘less’ command, but the files contain a great deal of unrelated information and are tedious to read.

Alternatively, the ‘grep’ command filters the file down to matching lines, which gives better visibility than paging through the whole file. Even so, a simple grep only matches the exact string you search for, and you still do not get a clean, structured picture. So what is a better way to achieve this?

You can achieve this using aureport. It is part of the Linux Audit framework (the audit/auditd package) and gives more detailed, structured information about user login attempts.

What’s aureport?

aureport is a tool that produces summary reports from the audit system logs (/var/log/audit/audit.log). The utility offers many options to produce different reports: successful and failed events, authentication attempts, logins, summaries, and so on. Each report has a column label at the top to help you understand the values in each column. Note that the reports are built from audit records only, so they cover just the period during which the audit daemon was running; aureport does not read /var/log/secure or /var/log/auth.log.

Installing the audit tool

Most major Linux distributions ship the audit package in their official repositories, so simply install it with the package manager. The commands are given below:

For Debian system:

$ sudo apt-get install auditd

For openSUSE system:

$ sudo zypper install audit

For Fedora and RHEL/CentOS 8 or later systems:

$ sudo dnf install audit

For Arch Linux system:

$ sudo pacman -S audit

For CentOS/RHEL 6/7 system:

$ sudo yum install audit

By default, the audit daemon should start automatically after installation. If not, start it with the following commands. The service is named auditd on both Debian-based and RPM-based systems:

$ sudo systemctl start auditd   [for systemd systems]
$ sudo service auditd start     [for sysvinit systems]

To make sure it also starts at boot on systemd systems, run ‘sudo systemctl enable auditd’, and check its state with ‘sudo systemctl status auditd’.

User authentication logs are located at /var/log/secure on RHEL-based systems and /var/log/auth.log on Debian-based systems. Both files are written by the syslog daemon; on a system that keeps these messages only in the systemd journal, read the same sshd messages with ‘journalctl _COMM=sshd’.

1) Checking successful and failed login attempts using less command

As usual, you can manually check any log file in Linux with the less command. Here we look at the contents of the ‘/var/log/secure’ file to check user login attempts. It is hard to read because it has a lot of lines, and most of them are session open/close messages from PAM rather than the authentication decisions themselves:

# less /var/log/secure

May 21 04:40:25 centos.2daygeek.com sshd[1282]: Accepted password for root from 202.91.66.210 port 51566 ssh2
May 21 04:40:25 centos.2daygeek.com sshd[1282]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 07:05:31 centos.2daygeek.com sshd[19383]: pam_unix(sshd:session): session closed for user nagios
May 21 07:09:14 centos.2daygeek.com sshd[4632]: Accepted password for root from 202.91.66.210 port 34457 ssh2
May 21 07:09:14 centos.2daygeek.com sshd[4632]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 21 11:21:03 centos.2daygeek.com sshd[11179]: Accepted password for nagios from 202.91.66.210 port 58244 ssh2
May 21 11:21:03 centos.2daygeek.com sshd[11179]: pam_unix(sshd:session): session opened for user nagios by (uid=0)
May 21 11:21:07 centos.2daygeek.com sshd[11179]: pam_unix(sshd:session): session closed for user nagios
May 21 11:22:11 centos.2daygeek.com sshd[4632]: pam_unix(sshd:session): session closed for user nagios
May 21 11:24:14 centos.2daygeek.com sshd[13543]: Accepted password for daygeek from 103.5.134.167 port 58540 ssh2
May 21 11:24:14 centos.2daygeek.com sshd[13543]: pam_unix(sshd:session): session opened for user daygeek by (uid=0)
May 21 13:05:01 centos.2daygeek.com sshd[13543]: pam_unix(sshd:session): session closed for user daygeek
May 21 13:09:14 centos.2daygeek.com sshd[18959]: Accepted password for nagios from 103.5.134.167 port 39901 ssh2
May 21 13:09:14 centos.2daygeek.com sshd[18959]: pam_unix(sshd:session): session opened for user nagios by (uid=0)
May 21 19:04:50 centos.2daygeek.com sshd[18959]: pam_unix(sshd:session): session closed for user nagios
May 21 19:09:14 centos.2daygeek.com sshd[2763]: Accepted password for magi from 103.5.134.167 port 45199 ssh2
May 21 19:09:14 centos.2daygeek.com sshd[2763]: pam_unix(sshd:session): session opened for user magi by (uid=0)

2) Checking successful and failed login attempts using grep command

Alternatively, you can use the grep command, which prints only the lines matching a pattern. This lets you see just the lines you need instead of everything, which is better than the previous output. Keep in mind that the pattern "Accepted password" only matches password logins; key-based logins are logged as "Accepted publickey", so grep for "Accepted " (with the trailing space) if you want both:

# grep "Accepted password" /var/log/secure | more

May 21 04:40:25 centos.2daygeek.com sshd[1282]: Accepted password for daygeek from 49.206.124.143 port 51566 ssh2
May 21 07:09:14 centos.2daygeek.com sshd[4632]: Accepted password for nagios from 49.206.124.143 port 34457 ssh2
May 21 11:21:03 centos.2daygeek.com sshd[11179]: Accepted password for root from 49.206.124.143 port 58244 ssh2
May 21 11:24:14 centos.2daygeek.com sshd[13543]: Accepted password for root from 202.91.66.210 port 58540 ssh2
May 21 13:09:14 centos.2daygeek.com sshd[18959]: Accepted password for magi from 202.91.66.210 port 39901 ssh2
May 21 19:09:14 centos.2daygeek.com sshd[2763]: Accepted password for nagios from 103.5.134.167 port 45199 ssh2
May 21 20:59:54 centos.2daygeek.com sshd[13400]: Accepted password for magi from 202.91.66.210 port 52182 ssh2
May 21 23:21:23 centos.2daygeek.com sshd[13173]: Accepted password for nagios from 103.5.134.167 port 40548 ssh2
May 21 23:24:14 centos.2daygeek.com sshd[15211]: Accepted password for magi from 103.5.134.167 port 40836 ssh2
May 22 01:09:14 centos.2daygeek.com sshd[21991]: Accepted password for nagios from 103.5.134.167 port 50001 ssh2
May 22 07:09:14 centos.2daygeek.com sshd[8409]: Accepted password for nagios from 103.5.134.167 port 55039 ssh2
May 22 07:22:36 centos.2daygeek.com sshd[17449]: Accepted password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 07:25:03 centos.2daygeek.com sshd[19215]: Accepted password for daygeek from 192.168.47.205 port 55044 ssh2
May 22 07:27:34 centos.2daygeek.com sshd[21729]: Accepted password for daygeek from 192.168.47.205 port 55045 ssh2
May 22 08:20:36 centos.2daygeek.com sshd[17353]: Accepted password for daygeek from 61.3.195.202 port 50232 ssh2

Use the following pattern to print only failed attempts. Lines that say "invalid user" are attempts against accounts that do not exist on the system, which is a typical sign of automated guessing from that source address. Remember that the log is rotated (for example /var/log/secure-20170522), so search the rotated copies as well, e.g. ‘grep "Failed password" /var/log/secure*’, when looking back more than a few days:

# grep "Failed password" /var/log/secure | more

May 21 20:59:51 centos.2daygeek.com sshd[13400]: Failed password for daygeek from 10.10.21.133 port 52182 ssh2
May 22 07:22:31 centos.2daygeek.com sshd[17449]: Failed password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 13:29:23 centos.2daygeek.com sshd[25311]: Failed password for invalid user mageshm from 27.62.198.62 port 57841 ssh2
May 22 13:29:42 centos.2daygeek.com sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:29:47 centos.2daygeek.com sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:30:09 centos.2daygeek.com sshd[25709]: Failed password for root from 27.62.198.62 port 57863 ssh2
May 22 13:55:54 centos.2daygeek.com sshd[24770]: Failed password for daygeek from 27.62.198.62 port 54027 ssh2
May 22 14:33:06 centos.2daygeek.com sshd[17271]: Failed password for root from 27.62.198.62 port 59753 ssh2
May 22 16:16:08 centos.2daygeek.com sshd[15646]: Failed password for invalid user 2daygeek from 202.91.66.210 port 60493 ssh2
May 22 16:16:24 centos.2daygeek.com sshd[15646]: Failed password for invalid user magesh from 202.91.66.210 port 60493 ssh2
May 23 09:23:39 centos.2daygeek.com sshd[2730]: Failed password for root from 192.168.47.213 port 62746 ssh2
May 24 08:17:59 centos.2daygeek.com sshd[2271]: Failed password for daygeek from 192.168.47.216 port 57381 ssh2
May 24 11:27:08 centos.2daygeek.com sshd[28860]: Failed password for invalid user mageshm from 202.91.66.210 port 52607 ssh2
May 25 09:42:33 centos.2daygeek.com sshd[4357]: Failed password for root from 27.62.198.62 port 65350 ssh2
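The two grep commands above each answer a single question. The following script is an added example, not part of the original article, that summarises the same sshd messages with awk: failed password attempts per source address, every successful login including key-based ones, and "Invalid user" rejections. The sample log lines are constructed for the example (the host, users and addresses are invented); on a live system feed the functions from /var/log/secure or /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise sshd authentication
# events from a syslog-style auth log (/var/log/secure or /var/log/auth.log).
# Unlike a bare grep for "Accepted password"/"Failed password" it also counts
# key-based logins ("Accepted publickey") and pre-auth rejections for
# non-existent accounts ("Invalid user ... from ...").
# Constructed sample input; the hostname, users and addresses are invented.
SAMPLE_LOG='May 22 07:22:31 host sshd[17449]: Failed password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 07:22:36 host sshd[17449]: Accepted password for daygeek from 192.168.47.205 port 55041 ssh2
May 22 13:29:23 host sshd[25311]: Invalid user mageshm from 27.62.198.62 port 57841
May 22 13:29:23 host sshd[25311]: Failed password for invalid user mageshm from 27.62.198.62 port 57841 ssh2
May 22 13:29:42 host sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:29:47 host sshd[25709]: Failed password for magi from 27.62.198.62 port 57863 ssh2
May 22 13:30:09 host sshd[25709]: Failed password for root from 27.62.198.62 port 57863 ssh2
May 22 14:00:01 host sshd[26001]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2: ED25519 SHA256:abc
May 22 14:33:06 host sshd[17271]: Failed password for root from 27.62.198.62 port 59753 ssh2'

# Print "count ip" for every source address with failed password attempts,
# most frequent first. Reads the log on stdin.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print "method user ip" for every successful login, whatever the method
# (password, publickey, ...). Reads the log on stdin.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "Accepted") { m = $(i+1); u = $(i+3) }
            for (i = 1; i <= NF; i++) if ($i == "from") { print m, u, $(i+1); break }
         }'
}

# Print "count ip" for "Invalid user" rejections, i.e. probing for accounts
# that do not exist on this system. Reads the log on stdin.
invalid_user_by_ip() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Usage on a live system:  failed_by_ip < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```

The functions key on the "from" word rather than on a fixed field position, because the "invalid user" variant inserts two extra words before the user name and shifts the address column.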

3) Checking successful and failed login attempts using aureport command

As mentioned at the beginning of the article, aureport gives more detailed output. To get an authentication report for all attempts recorded so far, use the command below. The -au option selects authentication attempts and -i interprets numeric IDs into names:

# aureport -au -i | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/09/2017 19:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 98872
2. 05/09/2017 19:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 98875
3. 05/09/2017 23:20:33 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 100145
4. 05/09/2017 23:20:33 daygeek 103.5.134.167 ssh /usr/sbin/sshd yes 100148
5. 05/09/2017 23:24:18 root 203.99.204.108 ssh /usr/sbin/sshd yes 100196
6. 05/09/2017 23:24:18 daygeek 103.5.134.167 ssh /usr/sbin/sshd yes 100199
7. 05/10/2017 01:09:18 daygeek 203.99.204.108 ssh /usr/sbin/sshd yes 100834
8. 05/10/2017 01:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 100837
9. 05/10/2017 03:53:27 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101649
10. 05/10/2017 03:53:27 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101652
11. 05/10/2017 03:54:17 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101666
12. 05/10/2017 03:54:17 root 192.168.47.220 ssh /usr/sbin/sshd yes 101669
13. 05/10/2017 03:54:25 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101699
14. 05/10/2017 03:54:25 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101702
15. 05/10/2017 07:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 102675

To get an authentication report of only the successful attempts, run the command below:

# aureport -au -i --success | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/09/2017 19:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 98872
2. 05/09/2017 19:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 98875
3. 05/09/2017 23:20:33 root 203.99.204.108 ssh /usr/sbin/sshd yes 100145
4. 05/09/2017 23:20:33 root 103.5.134.167 ssh /usr/sbin/sshd yes 100148
5. 05/09/2017 23:24:18 root 203.99.204.108 ssh /usr/sbin/sshd yes 100196
6. 05/09/2017 23:24:18 root 103.5.134.167 ssh /usr/sbin/sshd yes 100199
7. 05/10/2017 01:09:18 nagios 203.99.204.108 ssh /usr/sbin/sshd yes 100834
8. 05/10/2017 01:09:18 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 100837
9. 05/10/2017 03:53:27 daygeek 27.62.198.62 ssh /usr/sbin/sshd yes 101649
10. 05/10/2017 03:53:27 daygeek 192.168.47.220 ssh /usr/sbin/sshd yes 101652
11. 05/10/2017 03:54:17 daygeek 27.62.198.62 ssh /usr/sbin/sshd yes 101666
12. 05/10/2017 03:54:17 daygeek 192.168.47.220 ssh /usr/sbin/sshd yes 101669
13. 05/10/2017 03:54:25 magi 27.62.198.62 ssh /usr/sbin/sshd yes 101699
14. 05/10/2017 03:54:25 magi 192.168.47.220 ssh /usr/sbin/sshd yes 101702
15. 05/10/2017 07:09:18 magi 203.99.204.108 ssh /usr/sbin/sshd yes 102675

To get an authentication report of only the failed attempts, run the command below. Note the row with host ‘?’ and exe /bin/su: the authentication report covers every PAM authentication, not just SSH, so failed su and sudo attempts show up here too:

# aureport -au -i --failed | more

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/10/2017 08:57:12 nagios 27.62.198.62 ssh /usr/sbin/sshd no 103306
2. 05/10/2017 08:57:12 daygeek 27.62.198.62 ssh /usr/sbin/sshd no 103307
3. 05/10/2017 18:24:09 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 106449
4. 05/10/2017 18:24:09 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 106450
5. 05/11/2017 10:33:24 daygeek ? pts/1 /bin/su no 111616
6. 05/15/2017 04:23:01 magi 192.168.47.216 ssh /usr/sbin/sshd no 138696
7. 05/15/2017 04:23:01 magi 192.168.47.216 ssh /usr/sbin/sshd no 138697
8. 05/15/2017 07:57:08 daygeek 202.91.66.210 ssh /usr/sbin/sshd no 139694
9. 05/15/2017 07:57:08 daygeek 192.168.47.205 ssh /usr/sbin/sshd no 139695
10. 05/15/2017 09:00:12 root 202.91.66.210 ssh /usr/sbin/sshd no 140086
11. 05/15/2017 09:00:12 root 202.91.66.210 ssh /usr/sbin/sshd no 140087
12. 05/15/2017 09:00:16 root 202.91.66.210 ssh /usr/sbin/sshd no 140088
13. 05/15/2017 09:00:16 root 202.91.66.210 ssh /usr/sbin/sshd no 140089
14. 05/15/2017 09:15:27 root 202.91.66.210 ssh /usr/sbin/sshd no 140191
15. 05/15/2017 09:15:27 root 202.91.66.210 ssh /usr/sbin/sshd no 140192

To print only successful login events, run the command below. The -l option reports logins (one record per session established) rather than individual authentication attempts. Without -i the auid column shows the numeric audit user ID, and -1 means the login UID had not yet been set when the record was written:

# aureport -l --success | more

Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/09/2017 18:04:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98561
2. 05/09/2017 18:09:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98577
3. 05/09/2017 18:14:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98599
4. 05/09/2017 18:19:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98619
5. 05/09/2017 18:24:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98645
6. 05/09/2017 18:29:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98661
7. 05/09/2017 18:34:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98683
8. 05/09/2017 18:39:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98711
9. 05/09/2017 18:44:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98749
10. 05/09/2017 18:49:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98773
11. 05/09/2017 18:54:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98799
12. 05/09/2017 18:59:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98819
13. 05/09/2017 19:04:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98847
14. 05/09/2017 19:09:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98883
15. 05/09/2017 19:14:18 -1 203.99.204.108 ssh /usr/sbin/sshd yes 98905

To print only failed login events, run the command below:

# aureport -l --failed | more

Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/16/2017 04:31:17 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146741
2. 05/16/2017 04:31:24 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146751
3. 05/16/2017 04:32:34 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146761
4. 05/16/2017 04:33:22 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146771
5. 05/16/2017 04:33:50 (unknown) 192.168.47.223 ssh /usr/sbin/sshd no 146785
6. 05/16/2017 04:56:41 magi 192.168.47.183 ssh /usr/sbin/sshd no 146897
7. 05/16/2017 14:25:25 (unknown) 192.168.47.205 ssh /usr/sbin/sshd no 149996
8. 05/17/2017 06:56:10 daygeek 192.168.47.216 ssh /usr/sbin/sshd no 154833
9. 05/17/2017 13:54:31 (unknown) 10.60.20.91 ssh /usr/sbin/sshd no 157344
10. 05/22/2017 16:03:10 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 198466
11. 05/22/2017 16:16:28 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 198569
12. 05/24/2017 11:27:19 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 215432
13. 05/25/2017 10:46:16 (unknown) 202.91.66.210 ssh /usr/sbin/sshd no 225206

To view a summary of successful logins per user, use the command below. The --summary option aggregates the report into totals, and -i resolves each auid to a user name:

# aureport -l --success --summary -i | more

Success Login Summary Report
============================
total  auid
============================
471  root
374  daygeek
53  magi
44  nagios
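The authentication report lists one row per attempt in time order, which makes it easy to post-process. The script below is an added example, not part of the original article: it reads the text that ‘aureport -au -i’ prints and flags an account that logged in successfully from a host right after a run of failures from the same host (guessing that eventually worked), and counts failures per source host. The report sample is constructed in the column layout shown above; its accounts, hosts and event numbers are invented.

```shell
#!/bin/sh
# Added example (not from the original article): post-process the text that
# "aureport -au -i" prints. Reads the report on stdin, so it can be fed from a
# saved copy or from a time-bounded report such as:
#   aureport -au -i -ts today | failed_then_success
# Constructed sample in the aureport column layout; accounts, hosts and event
# serial numbers are invented.
SAMPLE_REPORT='Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/15/2017 09:00:12 root 202.91.66.210 ssh /usr/sbin/sshd no 140086
2. 05/15/2017 09:00:16 root 202.91.66.210 ssh /usr/sbin/sshd no 140088
3. 05/15/2017 09:15:27 root 202.91.66.210 ssh /usr/sbin/sshd no 140191
4. 05/15/2017 09:16:02 root 202.91.66.210 ssh /usr/sbin/sshd yes 140200
5. 05/15/2017 10:33:24 daygeek ? pts/1 /bin/su no 111616
6. 05/16/2017 04:56:41 magi 192.168.47.183 ssh /usr/sbin/sshd no 146897
7. 05/16/2017 05:01:10 nagios 103.5.134.167 ssh /usr/sbin/sshd yes 146950'

# Report rows look like: "N. date time acct host term exe success event".
# Print "acct host failures event" for each success that was preceded by at
# least $1 (default 3) consecutive failures for the same acct+host pair.
# aureport lists rows in chronological order, so line order is time order.
failed_then_success() {
    awk -v min="${1:-3}" '/^[0-9]+\. / {
        key = $4 " " $5
        if ($8 == "no") {
            fails[key]++
        } else if ($8 == "yes") {
            if (fails[key] >= min) print $4, $5, fails[key], $9
            fails[key] = 0
        }
    }'
}

# Print "count host" for failed authentications, busiest host first.
# Local failures (su, sudo) carry "?" as the host, as in the article's report.
failures_by_host() {
    awk '/^[0-9]+\. / && $8 == "no" { n[$5]++ }
         END { for (h in n) print n[h], h }' | sort -k1,1nr -k2,2
}

# The last column is the audit event serial number; pull the full raw record
# behind a suspicious row with:  ausearch -a 140200 -i
printf '%s\n' "$SAMPLE_REPORT" | failed_then_success 3
```

Because the reset happens on every success, a legitimate user who mistypes a password once or twice is not reported; raise or lower the threshold argument to tune that.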

Over to You

In this guide, we have explained how to track successful and failed login attempts in Linux, first with less and grep over the syslog files and then with aureport over the audit logs.

If you have any questions or feedback, feel free to comment below. Happy learning!
