SSH / Auth Log
SSH authentication events are recorded by the system auth subsystem. On Linux: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS). These logs are the primary source for detecting brute-force attacks and unauthorized access attempts.
Typical SSH Log Entries Explained
```text
# Successful password login
Apr 10 18:00:01 webserver sshd[5000]: Accepted password for alice from 203.0.113.42 port 55123 ssh2

# Successful public key login (preferred — no brute force risk)
Apr 10 18:01:15 webserver sshd[5001]: Accepted publickey for deploy from 10.0.0.5 port 44321 ssh2: RSA SHA256:abc123def456ghi789...

# Failed password attempt
Apr 10 18:05:22 webserver sshd[5010]: Failed password for root from 198.51.100.7 port 37291 ssh2

# Non-existent user
Apr 10 18:05:23 webserver sshd[5011]: Invalid user admin from 198.51.100.7 port 37292

# Too many failures — connection dropped
Apr 10 18:05:30 webserver sshd[5010]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 37291 ssh2 [preauth]

# Disconnect
Apr 10 18:10:00 webserver sshd[5000]: Disconnected from user alice 203.0.113.42 port 55123

# PAM session events
Apr 10 18:00:02 webserver sshd[5000]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Apr 10 18:30:45 webserver sshd[5000]: pam_unix(sshd:session): session closed for user alice
```
SSH Log Field Reference
| Field | Example | Meaning |
|---|---|---|
| Timestamp | Apr 10 18:00:01 | Syslog timestamp (local time, no year in traditional format). Use journalctl -u sshd -o short-iso for ISO timestamps with year. |
| Hostname | webserver | Server hostname. Critical in aggregated multi-server log environments. |
| Process | sshd[5000] | sshd daemon with PID. Each connection spawns a child process — use PID to correlate events for one session. |
| Auth result | Accepted / Failed | Accepted = success. Failed = wrong credential. Invalid user = username doesn't exist on system. |
| Auth method | password / publickey | Authentication method used. Publickey = much safer (immune to password brute force). |
| Username | alice / root | Username attempted. Repeated root/admin = automated scanner. Disable root login: PermitRootLogin no. |
| Remote IP | 203.0.113.42 | Client's IP. Look up with whois or threat intel feeds (AbuseIPDB, Shodan) to identify malicious actors. |
| Remote port | 55123 | Client's ephemeral source port. Use with IP to correlate multiple events to the same TCP connection. |
| Protocol | ssh2 | SSH protocol version. ssh1 is deprecated and insecure — block at firewall if seen. |
| [preauth] | tag | Failure happened before authentication completed. Indicates automated scanners probing your server. |
| Key fingerprint | SHA256:abc123... | SHA256 fingerprint of the public key used. Match against authorized_keys to identify the key. |
Detecting & Responding to Brute Force Attacks
```bash
# Count failed login attempts by source IP (auth.log)
# "Failed password" lines end in "... from <ip> port <port> ssh2", so the IP is always
# the 4th field from the end, even when "invalid user" shifts the earlier fields
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -20

# Count by targeted username
# The name follows "for"; for non-existent accounts the line reads "for invalid user <name>"
grep "Failed password" /var/log/auth.log | awk '{for(i=1;i<NF;i++) if($i=="for"){print ($(i+1)=="invalid" ? $(i+3) : $(i+1)); break}}' | sort | uniq -c | sort -rn

# Find IPs attempting non-existent users (scanners)
# "Invalid user <name> from <ip> port <port>": the IP is the 3rd field from the end
grep "Invalid user" /var/log/auth.log | awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head -20

# Using systemd journal (modern systems; the unit is "ssh" on Debian/Ubuntu)
journalctl -u sshd --since "24 hours ago" | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn

# Block an IP immediately
ufw deny from 198.51.100.7 to any
# Or with iptables (use -I INPUT instead of -A if an earlier rule would accept the traffic first):
iptables -A INPUT -s 198.51.100.7 -j DROP

# Install fail2ban (automatic blocking)
apt install fail2ban   # Debian/Ubuntu
yum install fail2ban   # RHEL/CentOS (package comes from the EPEL repository)
```
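The same detection logic as the pipelines above, written as an added Python example (not code from the original page) and run over constructed sample lines in the shapes shown in the reference. The pattern absorbs the "invalid user" field shift that trips fixed awk columns, classifies MaxAuthTries drops, and additionally flags a successful login from an IP that had already failed, which deserves a look; `EVENT_RE`, `parse_line` and `summarize` are names chosen here.

```python
import re
from collections import Counter
# Constructed sample modelled on the entries shown above; not a real auth.log.
SAMPLE_LOG = """\
Apr 10 18:05:22 webserver sshd[5010]: Failed password for root from 198.51.100.7 port 37291 ssh2
Apr 10 18:05:23 webserver sshd[5011]: Invalid user admin from 198.51.100.7 port 37292
Apr 10 18:05:24 webserver sshd[5011]: Failed password for invalid user admin from 198.51.100.7 port 37292 ssh2
Apr 10 18:05:25 webserver sshd[5010]: Failed password for root from 198.51.100.7 port 37291 ssh2
Apr 10 18:05:30 webserver sshd[5010]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 37291 ssh2 [preauth]
Apr 10 18:06:00 webserver sshd[5020]: Failed password for bob from 192.0.2.9 port 40000 ssh2
Apr 10 18:06:10 webserver sshd[5021]: Accepted publickey for deploy from 10.0.0.5 port 44321 ssh2: RSA SHA256:abc123def456ghi789
Apr 10 18:07:00 webserver sshd[5022]: Accepted password for bob from 192.0.2.9 port 40001 ssh2
"""

# One pattern for the event shapes in the reference above. "invalid user " is
# optional: failures against non-existent accounts carry it and shift awk fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"|(?P<invalid>Invalid user )"
    r"|error: maximum authentication attempts exceeded for )"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)(?P<preauth>.*\[preauth\])?"
)

def parse_line(line):
    """Parse one sshd line into a dict, or None for lines we do not classify."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev.pop("invalid"):
        ev["result"] = "Invalid"        # username does not exist on the system
    elif ev["result"] is None:
        ev["result"] = "MaxAuthTries"   # MaxAuthTries hit, connection dropped
    ev["preauth"] = ev["preauth"] is not None
    ev["pid"], ev["port"] = int(ev["pid"]), int(ev["port"])
    return ev

def summarize(log_text, threshold=3):
    """Failures per IP, invalid-user probes per IP, IPs at/over threshold, successes after earlier failures."""
    fails, probes, success_after_fail = Counter(), Counter(), []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["result"] == "Failed":
            fails[ev["ip"]] += 1
        elif ev["result"] == "Invalid":
            probes[ev["ip"]] += 1
        elif ev["result"] == "Accepted" and fails[ev["ip"]]:
            success_after_fail.append((ev["ip"], ev["user"], ev["method"]))
    flagged = sorted(ip for ip, n in fails.items() if n >= threshold)
    return fails, probes, flagged, success_after_fail
```

Feed it real data with `summarize(open("/var/log/auth.log").read())` or the output of `journalctl -u sshd`; the success-after-failure list is the part the awk one-liners cannot give you.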
SSH Hardening via sshd_config
/etc/ssh/sshd_config
```
# Disable password authentication entirely (public key only)
PasswordAuthentication no
# Renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name is still accepted as an alias
ChallengeResponseAuthentication no

# Disable root login
PermitRootLogin no

# Limit login attempts per connection
MaxAuthTries 3

# Reduce authentication grace period (default 120s)
LoginGraceTime 30

# Only allow specific users
AllowUsers alice deploy

# Change SSH port (security by obscurity but reduces scan noise)
Port 2222

# Validate the file, then reload after changes (the unit is "ssh" on Debian/Ubuntu)
# sshd -t && systemctl reload sshd
```
⚠ Warning
Hundreds of "Failed password for root" per minute from varying IPs = automated botnet scan. This is normal internet noise but dangerous if PasswordAuthentication is still enabled. Disable password auth and use only public key authentication; this removes password guessing as an attack vector entirely.