Check for login failures and summarize

zgrep "Failed password" /var/log/auth.log* | awk '{print $9}' | sort | uniq -c | sort -nr | less
This command checks for the number of times when someone has tried to login to your server and failed. If there are a lot, then that user is being targeted on your system and you might want to make sure that user either has remote logins disabled, or has a strong password, or both. If your output has an "invalid" line, it is a summary of all logins from users that don't exist on your system.
Sample Output
3478 invalid
   1255 root
     11 mysql
      8 mail
      6 www-data

By: dbart
2009-03-03 13:45:56

What Others Think

apt-get install denyhosts # for the win
linuxrawkstar · 689 weeks ago
if you want to see the list of invalid users attempted login against your system zgrep "Invalid user" /var/log/auth.log* | awk '{print $8}' | sort | uniq -c | sort -nr | less
starchox · 688 weeks and 6 days ago
That's a lot of pipes.
Buzzcp · 650 weeks and 5 days ago
@starchox, even better: zgrep "Invalid user" /var/log/auth.log* | awk '{print $8 " " $10}' | sort | uniq -c | sort -nr | less
Buzzcp · 650 weeks and 5 days ago
seofox · 25 weeks and 4 days ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this? is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.


Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: