zgrep "Failed password" /var/log/auth.log* | awk '{print $9}' | sort | uniq -c | sort -nr | less

Check for login failures and summarize

This command counts, per user name, the number of times someone has tried to log in to your server and failed. If a user name has a lot of failures, that user is being targeted on your system and you might want to make sure that user either has remote logins disabled, or has a strong password, or both. If your output has an "invalid" line, it is a summary of all login attempts for users that don't exist on your system.
Sample Output
   3478 invalid
   1255 root
     11 mysql
      8 mail
      6 www-data

8
By: dbart
2009-03-03 13:45:56
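
The summary above folds every nonexistent account into a single "invalid" line and depends on fixed column positions. The shell function below is an added example, not part of the original post: it breaks the failures down by source address and user name. The function names and the sample log lines are constructed for illustration, and it assumes the classic syslog line layout.

```shell
# Added example. Sample lines are constructed (documentation IP ranges), not real log data.
sample_auth_log() {
cat <<'EOF'
Mar  3 13:01:10 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar  3 13:01:12 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Mar  3 13:01:15 host sshd[101]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 4001 ssh2]
Mar  3 13:02:00 host sshd[103]: Failed password for invalid user a from 198.51.100.7 port 1 ssh2 from 192.0.2.9 port 5000 ssh2
Mar  3 13:02:05 host sshd[104]: Accepted password for alice from 192.0.2.20 port 5100 ssh2
EOF
}

# Reads auth log lines (stdin or files); prints: count<TAB>source<TAB>valid|invalid<TAB>user
summarize_failed_logins() {
    awk '
    {
        p = index($0, "Failed password for ")
        if (p == 0) next
        # rsyslog may collapse duplicates into "message repeated N times: [ ... ]"
        n = 1
        if (match($0, /message repeated [0-9]+ times/) && RSTART < p) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            n = w[3]
        }
        rest = substr($0, p + 20)          # text after "Failed password for "
        sub(/\]$/, "", rest)
        m = split(rest, t, " ")
        # The user name is chosen by the client and may itself contain " from ",
        # so take the LAST "from <addr> port" as the real source.
        f = 0
        for (i = m - 3; i >= 1; i--)
            if (t[i] == "from" && t[i+2] == "port") { f = i; break }
        if (f < 2) next
        s = 1; kind = "valid"
        if (t[1] == "invalid" && t[2] == "user") { s = 3; kind = "invalid" }
        user = ""
        for (i = s; i < f; i++) user = user (i > s ? " " : "") t[i]
        count[t[f+1] "\t" kind "\t" user] += n
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

sample_auth_log | summarize_failed_logins
```

To run it on real logs, feed it the same input as the original command: zgrep "Failed password" /var/log/auth.log* | summarize_failed_logins.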

These Might Interest You

  • All valid files are withheld so only failures show up. No output, all checks good.


    6
    md5sum --check MD5SUMS | grep -v ": OK"
    gpenguin · 2009-10-02 05:21:17 2
  • Summarize established connections after netstat output. Using tee and /dev/stderr you can send one command output to terminal before executing wc so you can summarize at the bottom of the output.


    3
    netstat -n | grep ESTAB |grep :80 | tee /dev/stderr | wc -l
    rubenmoran · 2016-06-26 11:37:19 0
  • This command will reveal which logins have been made to the system as well as when reboots occur. It uses a file called /var/log/wtmp, which captures all the information about successful logins and reboots. It has many switches, by which you can get an idea of when people log in and how long they stay.


    -3
    last
    unixbhaskar · 2009-08-29 12:08:30 0
  • Working with lists of IP addresses it is sometimes useful to summarize a count of how many times an IP address appears in the file. This example, summarizeIP, uses another function "verifyIP" previously defined in commandlinefu.com to ensure only valid IP addresses get counted. The summary list is presented in count order starting with highest count.


    1
    function summaryIP() { < $1 awk '{print $1}' | while read ip ; do verifyIP ${ip} && echo ${ip}; done | awk '{ip_array[$1]++} END { for (ip in ip_array) printf("%5d\t%s\n", ip_array[ip], ip)}' | sort -rn; }
    mpb · 2015-05-01 16:45:05 1
  • Get the list of changed files between revision 43 and HEAD revision: svn diff . -r43:HEAD --summarize Strip extra 8 characters from every line: cut -c9-99999 Copy the listed files to home/me/destination: cpio -pvdmu ~/destination Make a plain copy (-p), list files being copied (-v), create needed directories (-d), preserve modification time (-m), overwrite unconditionally (-u)


    0
    svn diff . -r43:HEAD --summarize | cut -c9-99999 | cpio -pvdmu ~/destination
    Sebasg · 2012-12-26 05:02:59 0

  • 0
    curl -c cookie.txt -d username=hello -d password=w0r1d http://www.site.com/login
    kev · 2011-11-09 02:57:39 0

What Others Think

apt-get install denyhosts # for the win
linuxrawkstar · 480 weeks and 5 days ago
If you want to see the list of invalid users that attempted login against your system: zgrep "Invalid user" /var/log/auth.log* | awk '{print $8}' | sort | uniq -c | sort -nr | less
starchox · 480 weeks and 5 days ago
That's a lot of pipes.
Buzzcp · 442 weeks and 3 days ago
@starchox, even better: zgrep "Invalid user" /var/log/auth.log* | awk '{print $8 " " $10}' | sort | uniq -c | sort -nr | less
Buzzcp · 442 weeks and 3 days ago
