CentOS 8 – Show Failed or Bad SSH Login Attempts

centosssh

Under CentOS 8 I'm trying to find SSH failed login attempts.
Lastb returns:

# lastb

btmp begins Thu Jul  9 10:53:49 2020

Aureport returns some records (one examples is):

# aureport -au -i --failed 

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/25/2020 13:46:36 root 10.10.0.2 ssh /usr/sbin/sshd no 66

When i try to login with bad credentials aureport or lastb do not show new record. Where can i found failed SSH logins ?

Best Answer

As sshd service managed by systemd, you should look into journal. For example:

$ journalctl -u sshd
 Jul 19 05:24:07 xx-1 sshd[30983]: Received disconnect from 43.254.220.207 port 59846:11: Bye Bye [preauth]
 Jul 19 05:24:07 xx-fsn1-1 sshd[30983]: Disconnected from invalid user ik 43.254.220.207 port 59846 [preauth]
 Jul 19 05:26:25 xx-1 sshd[30986]: Invalid user test from 139.213.220.70 port 62857
 Jul 19 05:26:25 xx-1 sshd[30986]: Received disconnect from 139.213.220.70 port 62857:11: Bye Bye [preauth]
 Jul 19 05:26:25 xx-1 sshd[30986]: Disconnected from invalid user test 139.213.220.70 port 62857 [preauth]
Related Topic