How to Check User’s Failed Login Attempts on Linux

Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities.
In this article, we will cover different methods for checking failed login attempts on a Linux system. We will also discuss best practices for improving security, setting up alerts for suspicious activity, and analyzing login failures effectively.
Why Monitor Failed Login Attempts?
Failed login attempts can indicate various security threats, such as:
- Brute-force attacks: Automated scripts attempting to guess user passwords.
- Unauthorized access: Someone trying to log in with incorrect credentials.
- User errors: Legitimate users mistyping passwords or entering incorrect usernames.
- System misconfiguration: Authentication issues due to permission errors.
By monitoring and analyzing these failed attempts, administrators can:
✅ Detect hacking attempts early.
✅ Identify legitimate users struggling to log in.
✅ Secure accounts by blocking repeated failures.
✅ Improve system security by taking preventive measures.
Locating Failed Login Attempts in System Logs
Most Linux distributions store authentication logs in system log files. The location depends on the init system (SysV, Upstart, or systemd).
Checking Logs in /var/log/auth.log (Debian/Ubuntu)
On Debian-based distributions like Ubuntu, authentication logs are stored in /var/log/auth.log. Use the following command to filter failed login attempts:
sudo grep "Failed password" /var/log/auth.log
Example Output:
Mar 17 12:15:42 server sshd[2453]: Failed password for root from 192.168.1.50 port 45678 ssh2
Mar 17 12:16:10 server sshd[2461]: Failed password for user1 from 192.168.1.55 port 47321 ssh2
Here, we can see failed login attempts for root and user1 from different IP addresses.
To check for a specific user:
sudo grep "Failed password for user1" /var/log/auth.log
To check attempts from a specific IP:
sudo grep -F "192.168.1.50" /var/log/auth.log
Checking Logs in /var/log/secure (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux)
For RHEL-based distributions, failed login attempts are logged in /var/log/secure. Run:
sudo grep "Failed password" /var/log/secure
Example Output:
Mar 17 14:20:33 server sshd[3200]: Failed password for root from 203.0.113.12 port 59201 ssh2
To monitor failed login attempts in real time, use:
sudo tail -f /var/log/secure
Using journalctl to View Failed Logins (Systemd-Based Systems)
On modern Linux distributions using systemd, you can use journalctl to check failed authentication attempts.
sudo journalctl -xe | grep "Failed password"
To check failed logins from SSH, use (on Debian/Ubuntu the unit is named ssh rather than sshd):
sudo journalctl -u sshd | grep "Failed password"
For a specific user, use:
sudo journalctl -u sshd | grep "user1"
Checking Failed Login Attempts with lastb
The lastb command displays unsuccessful login attempts recorded in /var/log/btmp.
sudo lastb
Example Output:
root     ssh:notty    192.168.1.50     Mon Mar 17 12:34 - 12:35  (00:01)
user1    ssh:notty    203.0.113.10     Mon Mar 17 13:12 - 13:13  (00:01)
This output shows:
- The username of failed logins.
- The originating IP address.
- The date and time of the attempt.
To check failed attempts for a specific user, use:
sudo lastb | grep "user1"
Using faillog to View Failed Login Attempts
The faillog command displays failed login attempts stored in /var/log/faillog.
To view all failed logins, run:
sudo faillog
Example Output:
Login    Failures  Maximum  Latest
root     5         3        03/17/25 12:20:12
user1    2         3        03/17/25 13:15:05
To check failed login attempts for a specific user, use:
sudo faillog -u user1
To reset failed login attempts, run:
sudo faillog -r -u user1
Using pam_tally2 for Failed Login Attempts
The pam_tally2 module can also display failed login attempts on systems that still ship it; newer Linux-PAM releases replace it with pam_faillock.
To view all failed attempts:
sudo pam_tally2
Example Output:
Username  Failures  From IP
root      6         192.168.1.50
user1     2         203.0.113.10
To reset a user’s failed attempts:
sudo pam_tally2 -r -u user1
Setting Up Alerts for Failed Login Attempts
To improve security, set up automatic alerts when failed login attempts exceed a limit.
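As an added example (not part of the original article), the script below extends the grep approach shown earlier into a per-source count and lists the addresses at or above a limit. The function names, the constructed sample log and the default limit of 5 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: count sshd "Failed password" lines per source IP and list
# the sources at or above a threshold. Names and threshold are assumptions.

# failed_by_ip LOGFILE
# Prints "COUNT IP" for every source address, highest count first.
failed_by_ip() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / {
            # Scan from the end of the line for "from": the address is the
            # field after the LAST "from", so "invalid user NAME" entries and
            # user names containing spaces do not shift the result.
            for (i = NF; i > 1; i--)
                if ($(i - 1) == "from") { count[$i]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# offenders LOGFILE THRESHOLD
# Prints only the addresses with at least THRESHOLD failed attempts.
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample lines in auth.log / secure format (not real log data).
sample_log() {
    cat <<'EOF'
Mar 17 12:15:42 server sshd[2453]: Failed password for root from 192.168.1.50 port 45678 ssh2
Mar 17 12:15:49 server sshd[2453]: Failed password for root from 192.168.1.50 port 45678 ssh2
Mar 17 12:16:02 server sshd[2458]: Failed password for invalid user admin from 192.168.1.50 port 45702 ssh2
Mar 17 12:16:10 server sshd[2461]: Failed password for user1 from 192.168.1.55 port 47321 ssh2
Mar 17 12:17:31 server sshd[2470]: Accepted password for user1 from 192.168.1.55 port 47330 ssh2
Mar 17 14:20:33 server sshd[3200]: Failed password for invalid user deploy from 10.0.0.9 from 203.0.113.12 port 59201 ssh2
EOF
}

# Usage: ./failed-logins.sh /var/log/auth.log 5   (path and limit are examples)
if [ "$#" -ge 1 ]; then
    offenders "$1" "${2:-5}"
fi
```

Run it with sudo against /var/log/auth.log or /var/log/secure; from cron, the output of offenders can be mailed or logged as a simple alert.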
Using fail2ban to Block Brute-Force Attacks
Fail2ban automatically blocks IPs after repeated failed logins.
Installing fail2ban:
sudo apt install fail2ban # Debian/Ubuntu
sudo dnf install fail2ban # RHEL/Fedora
Enable fail2ban and start the service:
sudo systemctl enable fail2ban --now
To view banned IPs:
sudo fail2ban-client status sshd
Best Practices for Preventing Unauthorized Logins
✅ Disable Root Login in SSH
Edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Set:
PermitRootLogin no
Restart SSH:
sudo systemctl restart sshd
✅ Use SSH Key Authentication
Instead of passwords, use SSH keys:
ssh-keygen -t rsa
ssh-copy-id user@server
✅ Set Account Lockout Policies
Limit failed login attempts in /etc/security/faillock.conf:
deny=5
unlock_time=600
✅ Use a Firewall to Block Malicious IPs
sudo ufw enable
sudo ufw deny from 203.0.113.10
Troubleshooting Common Issues
🔹 No logs are showing?
Ensure logging is enabled in /etc/rsyslog.conf.
🔹 Wrong timestamps in logs?
Check system time with:
timedatectl
Sync time with:
sudo systemctl restart systemd-timesyncd
Conclusion
Checking failed login attempts in Linux is crucial for detecting unauthorized access and securing your system. By analyzing logs (auth.log, secure, journalctl), using tools (lastb, faillog, pam_tally2), and setting up alerts (fail2ban), administrators can prevent attacks and strengthen security. Implementing best practices like SSH key authentication, firewall rules, and account lockouts further enhances protection.