{"id":3611,"date":"2025-03-18T10:00:54","date_gmt":"2025-03-18T10:00:54","guid":{"rendered":"https:\/\/draculaservers.com\/tutorials\/?p=3611"},"modified":"2025-03-18T12:39:51","modified_gmt":"2025-03-18T12:39:51","slug":"check-users-failed-login-attempts","status":"publish","type":"post","link":"https:\/\/draculaservers.com\/tutorials\/check-users-failed-login-attempts\/","title":{"rendered":"How to Check User\u2019s Failed Login Attempts on Linux"},"content":{"rendered":"<div class=\"cl-preview-section\"><\/div>\n<div class=\"cl-preview-section\">\n<p id=\"introduction\"><span style=\"font-size: 16px;\">Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities.<\/span><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>In this article, we will cover\u00a0<span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\"><strong>different methods for checking failed login attempts on a Linux system<\/strong>. We will also discuss best practices for improving security, setting up alerts for suspicious activity, and analyzing<\/span> login failures effectively.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"why-monitor-failed-login-attempts\">Why Monitor Failed Login Attempts?<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Failed login attempts can indicate\u00a0<strong>various security threats<\/strong>, such as:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<ul>\n<li><strong>Brute-force attacks<\/strong>: Automated scripts attempting to guess user passwords.<\/li>\n<li><strong>Unauthorized access<\/strong>: Someone trying to log in with incorrect credentials.<\/li>\n<li><strong>User errors<\/strong>: Legitimate users mistyping passwords or entering incorrect usernames.<\/li>\n<li><strong>System misconfiguration<\/strong>: Authentication issues due to permission errors.<\/li>\n<\/ul>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>By\u00a0<strong>monitoring and analyzing<\/strong>\u00a0these failed attempts, administrators can:<br \/>\n\u2705 Detect hacking attempts early.<br \/>\n\u2705 Identify legitimate users struggling to log in.<br \/>\n\u2705 Secure accounts by blocking repeated failures.<br \/>\n\u2705 Improve system security by taking preventive measures.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"locating-failed-login-attempts-in-system-logs\">Locating Failed Login Attempts in System Logs<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Most Linux distributions store authentication logs in system log files. The location depends on the\u00a0<strong>init system<\/strong>\u00a0(SysV, Upstart, or systemd).<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"checking-logs-in-varlogauth.log-debianubuntu\"><span id=\"2-1-checking-logs-in-var-log-auth-log-debian-ubuntu\"><strong>2.1. Checking Logs in\u00a0<code>\/var\/log\/auth.log<\/code>\u00a0(Debian\/Ubuntu)<\/strong><\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>On\u00a0<strong>Debian-based<\/strong>\u00a0distributions like Ubuntu, authentication logs are stored in\u00a0<code>\/var\/log\/auth.log<\/code>. Use the following command to filter failed login attempts:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"Failed password\"<\/span> \/var\/log\/auth.log\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p><strong>Example Output:<\/strong><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>Mar 17 12:15:42 server sshd[2453]: Failed password for root from 192.168.1.50 port 45678 ssh2\r\nMar 17 12:16:10 server sshd[2461]: Failed password for user1 from 192.168.1.55 port 47321 ssh2\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Here, we can see failed login attempts for\u00a0<code>root<\/code>\u00a0and\u00a0<code>user1<\/code>\u00a0from different IP addresses.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h4 id=\"to-check-for-a-specific-user\"><strong>To check for a specific user:<\/strong><\/h4>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"Failed password for user1\"<\/span> \/var\/log\/auth.log\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h4 id=\"to-check-attempts-from-a-specific-ip\"><strong>To check attempts from a specific IP:<\/strong><\/h4>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"192.168.1.50\"<\/span> \/var\/log\/auth.log\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"checking-logs-in-varlogsecure-rhel-centos-fedora-rocky-linux-almalinux\"><span id=\"checking-logs-in-var-log-secure-rhel-centos-fedora-rocky-linux-almalinux\">Checking Logs in\u00a0<code>\/var\/log\/secure<\/code>\u00a0(RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux)<\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>For\u00a0<strong>RHEL-based<\/strong>\u00a0distributions, failed login attempts are logged in\u00a0<code>\/var\/log\/secure<\/code>. Run:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"Failed password\"<\/span> \/var\/log\/secure\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p><strong>Example Output:<\/strong><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>Mar 17 14:20:33 server sshd[3200]: Failed password for root from 203.0.113.12 port 59201 ssh2\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To monitor failed login attempts\u00a0<strong>in real time<\/strong>, use:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">tail<\/span> -f \/var\/log\/secure\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"using-journalctl-to-view-failed-logins-systemd-based-systems\">Using\u00a0<code>journalctl<\/code>\u00a0to View Failed Logins (Systemd-Based Systems)<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>On\u00a0<strong>modern Linux distributions<\/strong>\u00a0using\u00a0<code>systemd<\/code>, you can use\u00a0<code>journalctl<\/code>\u00a0to check failed authentication attempts.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> journalctl -xe <span class=\"token operator\">|<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"Failed password\"<\/span>\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To check\u00a0<strong>failed logins from SSH<\/strong>, use:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> journalctl -u sshd <span class=\"token operator\">|<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"Failed password\"<\/span>\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>For a\u00a0<strong>specific user<\/strong>, use:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> journalctl -u sshd <span class=\"token operator\">|<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"user1\"<\/span>\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"checking-failed-login-attempts-with-lastb\">Checking Failed Login Attempts with\u00a0<code>lastb<\/code><\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>The\u00a0<code>lastb<\/code>\u00a0command displays\u00a0<strong>unsuccessful login attempts<\/strong>\u00a0recorded in\u00a0<code>\/var\/log\/btmp<\/code>.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> lastb\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p><strong>Example Output:<\/strong><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>root     ssh:notty    192.168.1.50    Mon Mar 17 12:34 - 12:35  (00:01)\r\nuser1    ssh:notty    203.0.113.10    Mon Mar 17 13:12 - 13:13  (00:01)\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>This output shows:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<ul>\n<li>The\u00a0<strong>username<\/strong>\u00a0of failed logins.<\/li>\n<li>The\u00a0<strong>originating IP address<\/strong>.<\/li>\n<li>The\u00a0<strong>date and time<\/strong>\u00a0of the attempt.<\/li>\n<\/ul>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To check\u00a0<strong>failed attempts for a specific user<\/strong>, use:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> lastb <span class=\"token operator\">|<\/span> <span class=\"token function\">grep<\/span> <span class=\"token string\">\"user1\"<\/span>\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"using-faillog-to-view-failed-login-attempts\">Using\u00a0<code>faillog<\/code>\u00a0to View Failed Login Attempts<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>The\u00a0<code>faillog<\/code>\u00a0command\u00a0<strong>displays failed login attempts<\/strong>\u00a0stored in\u00a0<code>\/var\/log\/faillog<\/code>.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To view\u00a0<strong>all failed logins<\/strong>, run:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> faillog\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p><strong>Example Output:<\/strong><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>Login       Failures  Maximum  Latest\r\nroot            5      3       03\/17\/25 12:20:12\r\nuser1           2      3       03\/17\/25 13:15:05\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To check\u00a0<strong>failed login attempts for a specific user<\/strong>, use:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> faillog -u user1\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To\u00a0<strong>reset failed login attempts<\/strong>, run:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> faillog -r -u user1\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"using-pam_tally2-for-failed-login-attempts\">Using\u00a0<code>pam_tally2<\/code>\u00a0for Failed Login Attempts<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>The\u00a0<code>pam_tally2<\/code>\u00a0module can also display failed login attempts.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To view all failed attempts:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> pam_tally2\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p><strong>Example Output:<\/strong><\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>Username  Failures  From IP\r\nroot          6     192.168.1.50\r\nuser1         2     203.0.113.10\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To reset a user\u2019s failed attempts:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> pam_tally2 -r -u user1\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"setting-up-alerts-for-failed-login-attempts\">Setting Up Alerts for Failed Login Attempts<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>To improve security, set up\u00a0<strong>automatic alerts<\/strong>\u00a0when failed login attempts exceed a limit.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"using-fail2ban-to-block-brute-force-attacks\">Using\u00a0<code>fail2ban<\/code>\u00a0to Block Brute-Force Attacks<\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Fail2ban automatically blocks IPs after repeated failed logins.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<h4 id=\"installing-fail2ban\"><strong>Installing fail2ban:<\/strong><\/h4>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> apt <span class=\"token function\">install<\/span> fail2ban   <span class=\"token comment\"># Debian\/Ubuntu<\/span>\r\n<span class=\"token function\">sudo<\/span> dnf <span class=\"token function\">install<\/span> fail2ban   <span class=\"token comment\"># RHEL\/Fedora<\/span>\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h4 id=\"enable-fail2ban-and-start-the-service\"><strong>Enable fail2ban and start the service:<\/strong><\/h4>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> systemctl <span class=\"token function\">enable<\/span> fail2ban --now\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h4 id=\"to-view-banned-ips\"><strong>To view banned IPs:<\/strong><\/h4>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> fail2ban-client status sshd\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"best-practices-for-preventing-unauthorized-logins\">Best Practices for Preventing Unauthorized Logins<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"\u2705-disable-root-login-in-ssh\"><span id=\"%e2%9c%85-disable-root-login-in-ssh\">\u2705\u00a0<strong>Disable Root Login in SSH<\/strong><\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Edit the SSH configuration file:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> <span class=\"token function\">nano<\/span> \/etc\/ssh\/sshd_config\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Set:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>PermitRootLogin no\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Restart SSH:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> systemctl restart sshd\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"\u2705-use-ssh-key-authentication\"><span id=\"%e2%9c%85-use-ssh-key-authentication\">\u2705\u00a0<strong>Use SSH Key Authentication<\/strong><\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Instead of passwords, use SSH keys:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\">ssh-keygen -t rsa\r\nssh-copy-id user@server\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"\u2705-set-account-lockout-policies\"><span id=\"%e2%9c%85-set-account-lockout-policies\">\u2705\u00a0<strong>Set Account Lockout Policies<\/strong><\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Limit failed login attempts in\u00a0<code>\/etc\/security\/faillock.conf<\/code>:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre><code>deny=5\r\nunlock_time=600\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h3 id=\"\u2705-use-a-firewall-to-block-malicious-ips\"><span id=\"%e2%9c%85-use-a-firewall-to-block-malicious-ips\">\u2705\u00a0<strong>Use a Firewall to Block Malicious IPs<\/strong><\/span><\/h3>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> ufw <span class=\"token function\">enable<\/span>\r\n<span class=\"token function\">sudo<\/span> ufw deny from 203.0.113.10\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"troubleshooting-common-issues\">Troubleshooting Common Issues<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>\ud83d\udd39\u00a0<strong>No logs are showing?<\/strong><br \/>\nEnsure logging is enabled in\u00a0<code>\/etc\/rsyslog.conf<\/code>.<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>\ud83d\udd39\u00a0<strong>Wrong timestamps in logs?<\/strong><br \/>\nCheck system time with:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\">timedatectl\r\n\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Sync time with:<\/p>\n<\/div>\n<div class=\"cl-preview-section\">\n<pre class=\" language-bash\"><code class=\"prism  language-bash\"><span class=\"token function\">sudo<\/span> systemctl restart systemd-timesyncd\r\n<\/code><\/pre>\n<\/div>\n<div class=\"cl-preview-section\">\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<\/div>\n<div class=\"cl-preview-section\">\n<p>Checking failed login attempts in Linux is crucial for detecting unauthorized access and securing your system. By analyzing logs (<code>auth.log<\/code>,\u00a0<code>secure<\/code>,\u00a0<code>journalctl<\/code>), using tools (<code>lastb<\/code>,\u00a0<code>faillog<\/code>,\u00a0<code>pam_tally2<\/code>), and setting up alerts (<code>fail2ban<\/code>), administrators can prevent attacks and strengthen security. Implementing\u00a0<strong>best practices<\/strong> like SSH key authentication, firewall rules, and account lockouts further enhances protection.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities. In this article, we will cover\u00a0different methods for checking failed [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":3612,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[172],"tags":[715,697,716],"class_list":["post-3611","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-tutorials","tag-failed-login-attempts","tag-linux-security","tag-monitor-logons-on-linux"],"blocksy_meta":[],"featured_image_urls_v2":{"full":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png",1280,720,false],"thumbnail":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-150x150.png",150,150,true],"medium":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-300x169.png",300,169,true],"medium_large":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-768x432.png",768,432,true],"large":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-1024x576.png",1024,576,true],"1536x1536":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png",1280,720,false],"2048x2048":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png",1280,720,false],"pk-small":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-80x80.png",80,80,true],"pk-thumbnail":["https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87-300x225.png",300,225,true]},"post_excerpt_stackable_v2":"<p>Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities. In this article, we will cover\u00a0different methods for checking failed login attempts on a Linux system. We will also discuss best practices for improving security, setting up alerts for suspicious activity, and analyzing login failures effectively. Why Monitor Failed Login Attempts? Failed login attempts can indicate\u00a0various security threats, such as: Brute-force attacks: Automated scripts attempting&hellip;<\/p>\n","category_list_v2":"<a href=\"https:\/\/draculaservers.com\/tutorials\/category\/linux-tutorials\/\" rel=\"category tag\">Linux Tutorials<\/a>","author_info_v2":{"name":"Abdul Mannan","url":"https:\/\/draculaservers.com\/tutorials\/author\/abdul-mannan-tbgmail-com\/"},"comments_num_v2":"0 comments","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/draculaservers.com\/tutorials\/?p=3611\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials\" \/>\n<meta property=\"og:description\" content=\"Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities. In this article, we will cover\u00a0different methods for checking failed [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/draculaservers.com\/tutorials\/?p=3611\" \/>\n<meta property=\"og:site_name\" content=\"Dracula Servers Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-18T10:00:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-03-18T12:39:51+00:00\" \/>\n<meta name=\"author\" content=\"Abdul Mannan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Abdul Mannan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611\"},\"author\":{\"name\":\"Abdul Mannan\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#\\\/schema\\\/person\\\/ac89d0281f4fb596bfaa0bc1e746c8a6\"},\"headline\":\"How to Check User\u2019s Failed Login Attempts on Linux\",\"datePublished\":\"2025-03-18T10:00:54+00:00\",\"dateModified\":\"2025-03-18T12:39:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611\"},\"wordCount\":592,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Dracula-Servers-Thumbnail-87.png\",\"keywords\":[\"Failed Login Attempts\",\"Linux Security\",\"Monitor Logons on Linux\"],\"articleSection\":[\"Linux Tutorials\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611\",\"url\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611\",\"name\":\"How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Dracula-Servers-Thumbnail-87.png\",\"datePublished\":\"2025-03-18T10:00:54+00:00\",\"dateModified\":\"2025-03-18T12:39:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#primaryimage\",\"url\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Dracula-Servers-Thumbnail-87.png\",\"contentUrl\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Dracula-Servers-Thumbnail-87.png\",\"width\":1280,\"height\":720,\"caption\":\"How to check failed login attempts on Linux\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?p=3611#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Check User\u2019s Failed Login Attempts on Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#website\",\"url\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/\",\"name\":\"Dracula Servers Tutorials\",\"description\":\"Dedicated Servers\",\"publisher\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#organization\",\"name\":\"Dracula Servers\",\"url\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2016\\\/06\\\/dracula_full_logo_smaller.png\",\"contentUrl\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/wp-content\\\/uploads\\\/2016\\\/06\\\/dracula_full_logo_smaller.png\",\"width\":1625,\"height\":200,\"caption\":\"Dracula Servers\"},\"image\":{\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/draculaservers.com\\\/tutorials\\\/#\\\/schema\\\/person\\\/ac89d0281f4fb596bfaa0bc1e746c8a6\",\"name\":\"Abdul Mannan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g\",\"caption\":\"Abdul Mannan\"},\"description\":\"An individual trying to decipher the enigmas of technology by the sheer driving force of curiosity. Interested in learning new skills and being better at those skills than the lot.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/draculaservers.com\/tutorials\/?p=3611","og_locale":"en_US","og_type":"article","og_title":"How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials","og_description":"Security is a critical aspect of Linux system administration. Monitoring failed login attempts is an essential practice to detect unauthorized access attempts, brute-force attacks, or user login issues. Linux provides multiple ways to track failed login attempts using system logs, command-line tools, and built-in utilities. In this article, we will cover\u00a0different methods for checking failed [&hellip;]","og_url":"https:\/\/draculaservers.com\/tutorials\/?p=3611","og_site_name":"Dracula Servers Tutorials","article_published_time":"2025-03-18T10:00:54+00:00","article_modified_time":"2025-03-18T12:39:51+00:00","author":"Abdul Mannan","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Abdul Mannan","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#article","isPartOf":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611"},"author":{"name":"Abdul Mannan","@id":"https:\/\/draculaservers.com\/tutorials\/#\/schema\/person\/ac89d0281f4fb596bfaa0bc1e746c8a6"},"headline":"How to Check User\u2019s Failed Login Attempts on Linux","datePublished":"2025-03-18T10:00:54+00:00","dateModified":"2025-03-18T12:39:51+00:00","mainEntityOfPage":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611"},"wordCount":592,"commentCount":0,"publisher":{"@id":"https:\/\/draculaservers.com\/tutorials\/#organization"},"image":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#primaryimage"},"thumbnailUrl":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png","keywords":["Failed Login Attempts","Linux Security","Monitor Logons on Linux"],"articleSection":["Linux Tutorials"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/draculaservers.com\/tutorials\/?p=3611#respond"]}]},{"@type":"WebPage","@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611","url":"https:\/\/draculaservers.com\/tutorials\/?p=3611","name":"How to Check User\u2019s Failed Login Attempts on Linux - Dracula Servers Tutorials","isPartOf":{"@id":"https:\/\/draculaservers.com\/tutorials\/#website"},"primaryImageOfPage":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#primaryimage"},"image":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#primaryimage"},"thumbnailUrl":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png","datePublished":"2025-03-18T10:00:54+00:00","dateModified":"2025-03-18T12:39:51+00:00","breadcrumb":{"@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/draculaservers.com\/tutorials\/?p=3611"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#primaryimage","url":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png","contentUrl":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2025\/03\/Dracula-Servers-Thumbnail-87.png","width":1280,"height":720,"caption":"How to check failed login attempts on Linux"},{"@type":"BreadcrumbList","@id":"https:\/\/draculaservers.com\/tutorials\/?p=3611#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/draculaservers.com\/tutorials\/"},{"@type":"ListItem","position":2,"name":"How to Check User\u2019s Failed Login Attempts on Linux"}]},{"@type":"WebSite","@id":"https:\/\/draculaservers.com\/tutorials\/#website","url":"https:\/\/draculaservers.com\/tutorials\/","name":"Dracula Servers Tutorials","description":"Dedicated Servers","publisher":{"@id":"https:\/\/draculaservers.com\/tutorials\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/draculaservers.com\/tutorials\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/draculaservers.com\/tutorials\/#organization","name":"Dracula Servers","url":"https:\/\/draculaservers.com\/tutorials\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/draculaservers.com\/tutorials\/#\/schema\/logo\/image\/","url":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2016\/06\/dracula_full_logo_smaller.png","contentUrl":"https:\/\/draculaservers.com\/tutorials\/wp-content\/uploads\/2016\/06\/dracula_full_logo_smaller.png","width":1625,"height":200,"caption":"Dracula Servers"},"image":{"@id":"https:\/\/draculaservers.com\/tutorials\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/draculaservers.com\/tutorials\/#\/schema\/person\/ac89d0281f4fb596bfaa0bc1e746c8a6","name":"Abdul Mannan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2809442d44177cab4f90e1d9b3295560462063881ca1374b6d597d8f0b48fc21?s=96&d=mm&r=g","caption":"Abdul Mannan"},"description":"An individual trying to decipher the enigmas of technology by the sheer driving force of curiosity. Interested in learning new skills and being better at those skills than the lot."}]}},"_links":{"self":[{"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/posts\/3611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/comments?post=3611"}],"version-history":[{"count":0,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/posts\/3611\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/media\/3612"}],"wp:attachment":[{"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/media?parent=3611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/categories?post=3611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/draculaservers.com\/tutorials\/wp-json\/wp\/v2\/tags?post=3611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}