Users that try and fail to log in to your system leave a record in the system logs. This is how to find out what time this was and which user they attempted to log in as.
The /var/log/auth.log file is the one that contains the login records. All successful and failed logins are recorded here.
This example lists password login failures.
jason@ubuntu:~/Documents$ awk '/failure/ {print $1, $2, $3, $15}' /var/log/auth.log
Feb 1 01:08:58 user=jason
This lists the time and date of the attempted login and the username.
It can also be done like this.
jason@ubuntu:~/Documents$ grep failure /var/log/auth.log
Feb 1 01:08:58 ubuntu gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=jason
Feb 1 01:31:11 ubuntu sshd[4575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.147.1 user=jason
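This output also includes a recent SSH password failure from the logfile.
Successful logins are recorded in the same file. Searching for ssh lists every SSH-related entry, including the successful login on the "Accepted password" line.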
jason@ubuntu:~/Documents$ grep ssh /var/log/auth.log
Feb 1 01:30:26 ubuntu sudo: jason : TTY=pts/0 ; PWD=/home/jason/Documents ; USER=root ; COMMAND=/usr/bin/apt install ssh
Feb 1 01:30:41 ubuntu useradd[3327]: new user: name=sshd, UID=126, GID=65534, home=/run/sshd, shell=/usr/sbin/nologin
Feb 1 01:30:41 ubuntu usermod[3335]: change user 'sshd' password
Feb 1 01:30:41 ubuntu chage[3342]: changed password expiry for sshd
Feb 1 01:30:43 ubuntu sshd[3493]: Server listening on 0.0.0.0 port 22.
Feb 1 01:30:43 ubuntu sshd[3493]: Server listening on :: port 22.
Feb 1 01:31:11 ubuntu sshd[4575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.147.1 user=jason
Feb 1 01:31:13 ubuntu sshd[4575]: Failed password for jason from 192.168.147.1 port 54543 ssh2
Feb 1 01:31:15 ubuntu sshd[4575]: error: Received disconnect from 192.168.147.1 port 54543:13: User request [preauth]
Feb 1 01:31:15 ubuntu sshd[4575]: Disconnected from authenticating user jason 192.168.147.1 port 54543 [preauth]
Feb 1 01:35:08 ubuntu sshd[4617]: Accepted password for jason from 192.168.147.1 port 54556 ssh2
Feb 1 01:35:08 ubuntu sshd[4617]: pam_unix(sshd:session): session opened for user jason by (uid=0)
This version of my awk one-liner will also list the login method, whether it is TTY or SSH.
jason@ubuntu:~/Documents$ awk '/rhost/ {print $1, $2, $3, $15, $12}' /var/log/auth.log
Feb 1 01:08:58 user=jason tty=/dev/tty1
Feb 1 01:31:11 user=jason tty=ssh
This is a very useful administration tip and is very good to use on a busy server to list all failed logins.
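The one-liners above pick user= and tty= by field number, which only works while every line has the same number of tokens. The following added example (not from the original post) looks up user=, tty= and rhost= by name and counts failures per combination; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the auth.log format shown on this page.
sample_log() {
    cat <<'EOF'
Feb  1 01:08:58 ubuntu gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=jason
Feb  1 01:31:11 ubuntu sshd[4575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.147.1  user=jason
Feb  1 01:31:13 ubuntu sshd[4575]: Failed password for jason from 192.168.147.1 port 54543 ssh2
Feb  1 01:35:08 ubuntu sshd[4617]: Accepted password for jason from 192.168.147.1 port 54556 ssh2
Feb  1 01:40:02 ubuntu sshd[4701]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.147.1  user=jason
Feb  1 01:41:30 ubuntu sshd[4710]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7
EOF
}

# failed_logins [FILE...]: hypothetical helper; reads stdin when no file is given.
# Prints: count user tty rhost last-seen, most frequent first.
failed_logins() {
    awk '
    /: authentication failure;/ {
        # Defaults cover keys that are missing or empty on this line.
        user = "(none)"; tty = "(none)"; rhost = "(local)"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (val == "") continue
            if (key == "user")  user  = val
            if (key == "tty")   tty   = val
            if (key == "rhost") rhost = val
        }
        k = user " " tty " " rhost
        count[k]++
        last[k] = $1 " " $2 " " $3   # timestamp of the most recent failure
    }
    END { for (k in count) print count[k], k, last[k] }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real system pass /var/log/auth.log instead.
sample_log | failed_logins
```
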