On CentOS or RHEL, failed SSH login attempts are recorded in the /var/log/secure file. Bash scripting is an essential skill for DevOps roles. You can refer to the Bash script tutorial.
[huupv@localhost ~]$ sudo egrep "Failed password" /var/log/secure
To display a list of the IP addresses with failed SSH login attempts:
[huupv@localhost ~]$ sudo egrep "Failed password" /var/log/secure | awk '{ if ($9 == "invalid") print $11 ": " $13; else print $9 ": " $11 }' | cut -d ';' -f1 | sed '/^\s*$/d' | sort | uniq -c | sort -nr
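The per-IP listing above, taken one step further as an added example (not part of the original article): for each source IP it counts the failed passwords and how many different user names were tried, and lists only the IPs at or above a threshold. The function names, the threshold argument and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example, not the article's code. Reads sshd log lines on stdin.

# summarize_failed [MIN]
#   Prints "IP failures distinct_users" for each source IP with at least MIN
#   failed passwords (default 1), busiest first.
#   Fields are counted from the end of the line ("... from IP port N ssh2"),
#   so "for root from ..." and "for invalid user admin from ..." lines give
#   the same columns without special-casing.
summarize_failed() {
    awk -v min="${1:-1}" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" {
            ip = $(NF-3); user = $(NF-5)
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) print ip, fails[ip], users[ip]
        }' | LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample lines in /var/log/secure format (documentation IP ranges).
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:09 web01 sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Jan 10 03:12:11 web01 sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 40102 ssh2
Jan 10 03:12:15 web01 sshd[2111]: Failed password for invalid user test from 198.51.100.7 port 40104 ssh2
Jan 10 03:12:20 web01 sshd[2113]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:13:02 web01 sshd[2120]: Accepted password for huupv from 192.0.2.10 port 50022 ssh2
Jan 10 03:13:40 web01 sshd[2125]: Failed password for huupv from 192.0.2.10 port 50030 ssh2
Jan 10 03:14:00 web01 sshd[2130]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
EOF
}

# Show only sources with 3 or more failures in the sample.
sample_log | summarize_failed 3
# On a real host: sudo cat /var/log/secure | summarize_failed 5
```

A high failure count against one user name and a moderate count spread over many user names are different patterns, which is why both columns are printed.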
Below I share a Bash script that reports failed SSH login attempts on Linux. Each run checks only the log lines added since the previous run, so you can use it to watch logins to your system as they happen. The script has three functions: f_check_folder, f_get_log and f_failed_ssh. Run the script as root or as a user with the necessary privileges.
Bash script ssh failed login attempts
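#!/bin/bash
# Report failed SSH logins added to /var/log/secure since the previous run.
FILE1=/var/log/secure
# State directory. /tmp is world-writable, so on a shared host point FOLDER
# at a directory that only root can write to.
FOLDER=/tmp/failed_ssh
TEMP_LOG=$FOLDER/tmp_secure.log
NUMBER=$FOLDER/number.txt
####################
echo "HOSTNAME: $(hostname)"
###################
# Create the state directory and the line counter if they do not exist yet.
f_check_folder () {
    mkdir -p "$FOLDER"
    if [[ ! -s $NUMBER ]]; then
        echo 0 > "$NUMBER"
    fi
}
# Copy the lines added since the last run into TEMP_LOG and save the new line count.
f_get_log () {
    NUM=$(cat "$NUMBER")
    # Accept only digits from the state file before using it in arithmetic.
    [[ $NUM =~ ^[0-9]+$ ]] || NUM=0
    TOTAL=$(wc -l < "$FILE1")
    # After log rotation the file is shorter than the saved count: start from the top.
    if [ "$TOTAL" -lt "$NUM" ]; then
        NUM=0
    fi
    tail -n +"$(( NUM + 1 ))" "$FILE1" > "$TEMP_LOG"
    echo "$TOTAL" > "$NUMBER"
}
# Count failed passwords per "user: IP" pair, highest count first.
# "invalid user NAME" lines carry two extra words, so the fields shift by two.
f_failed_ssh () {
    egrep "Failed password" "$TEMP_LOG" |
        awk '{ if ($9 == "invalid") print $11 ": " $13; else print $9 ": " $11 }' |
        cut -d ';' -f1 | sed '/^\s*$/d' | sort | uniq -c | sort -nr
}
f_check_folder
f_get_log
f_failed_ssh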
The output on the terminal screen:

Conclusion
Through this article, you can use a Bash script to report failed SSH login attempts. I hope you find this helpful.

