How to Monitor Failed SSH Login Attempts on Linux Server - Complete Guide to SSH Security Monitoring
Are you wondering how to automatically monitor failed SSH login attempts and receive alerts when suspicious activity is detected? Need to detect brute force attacks, identify unauthorized access attempts, and maintain server security? This comprehensive guide shows you how to monitor failed SSH login attempts using Linux commands, set up automated monitoring with Zuzia.app, detect security threats, and prevent unauthorized access.
Understanding Failed SSH Login Monitoring
Monitoring failed SSH login attempts helps detect brute force attacks, identify suspicious IP addresses, monitor authentication security, prevent unauthorized access, maintain server security, and comply with security policies. Failed login attempts can indicate brute force attacks, credential stuffing, or unauthorized access attempts.
SSH security monitoring is critical for protecting servers from unauthorized access. Brute force attacks are common, and monitoring failed login attempts helps detect and respond to these threats quickly.
Why Monitor Failed SSH Login Attempts
Monitoring failed SSH login attempts provides several benefits:
- Security protection: Detect and prevent brute force attacks
- Threat detection: Identify suspicious IP addresses and attack patterns
- Early warning: Get early warning of potential security threats
- Compliance: Maintain compliance with security policies
- Incident response: Respond to security incidents quickly
- Access control: Maintain control over server access
How to Set Up Failed SSH Login Monitoring
Set up automated monitoring of failed SSH login attempts step by step:
Step 1: Add Scheduled Task in Zuzia.app
- Add Scheduled Task
  - Navigate to Zuzia.app dashboard
  - Click "Add Scheduled Task"
  - Choose "Command" task type
- Configure Command
  - Use command: grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
  - Set execution frequency (e.g., every 30 minutes)
  - Configure task name and description
Step 2: Configure Alert Conditions
- Set Alert Thresholds
  - Configure alerts when failed attempts exceed thresholds (e.g., > 10 from a single IP)
  - Set different thresholds for different scenarios
  - Choose alert conditions
- Choose Notification Channels
  - Configure email notifications
  - Set up webhook integrations
  - Configure SMS notifications (if available)
Step 3: Monitor Results
- Review Failed Login Data
  - Check dashboard for failed login attempts
  - Review suspicious IP addresses
  - Identify attack patterns
- Track Security Trends
  - Monitor failed login trends over time
  - Identify persistent attackers
  - Detect attack patterns
Example Commands
Use these commands for monitoring failed SSH login attempts:
Failed Login Attempts by IP
# Command to execute - failed login attempts by IP
grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
This shows failed login attempts grouped by IP address, sorted by count. The IP is the third field from the end of a line such as "Failed password for root from 203.0.113.10 port 51234 ssh2", which is why $(NF-3) selects it.
Count Total Failed Attempts
# Count total failed attempts
grep 'Failed password' /var/log/auth.log | wc -l
# Failed attempts in the current clock hour (syslog pads single-digit days with a space, so use %e rather than %d)
grep 'Failed password' /var/log/auth.log | grep "$(date '+%b %e %H')" | wc -l
Recent Failed Attempts
# Recent failed attempts
grep 'Failed password' /var/log/auth.log | tail -n 20
# Failed attempts with timestamps
grep 'Failed password' /var/log/auth.log | tail -n 20 | awk '{print $1, $2, $3, $(NF-3), $(NF-1)}'
Alternative Commands
# Failed attempts from the previous rotated log file
grep 'Failed password' /var/log/auth.log.1 | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
# Failed attempts for non-existent ("invalid user") accounts, grouped by the attempted username ($(NF-5) on these lines)
grep 'Failed password' /var/log/auth.log | grep "invalid user" | awk '{print $(NF-5)}' | sort | uniq -c | sort -nr
# Failed attempts for a specific user (replace USERNAME), grouped by source IP
grep 'Failed password for USERNAME from' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
# Failed attempts with usernames: the username is the field before "from" and the IP the field after it,
# which works for both "for root from ..." and "for invalid user admin from ..." lines
grep 'Failed password' /var/log/auth.log | awk '{for (i = 2; i < NF; i++) if ($i == "from") print $(i-1), $(i+1)}' | sort | uniq -c | sort -nr
# Failed attempts excluding specific IPs (exact match, so 192.168.1.10 is not also excluded)
grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | grep -vx "192.168.1.1" | sort | uniq -c | sort -nr
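The one-liners above and the threshold alerting from Step 2 can be combined into a single script that a scheduler runs and that exits non-zero when an alert condition is met. The following is an added example, not code from the article or from Zuzia.app; the log lines, IP addresses and the threshold of 2 are constructed for illustration, and the script assumes the traditional syslog line format shown in the commands above. It parses both line shapes sshd writes (with and without "invalid user"), counts failures per IP and per user/IP pair, and applies an allowlist so a known management host is never reported:

```shell
#!/bin/sh
# Added example (not from the original article or Zuzia.app): count failed SSH
# logins per source IP from an auth.log-style file and report IPs that exceed an
# alert threshold, skipping an allowlist. Works for both line shapes sshd writes:
#   "Failed password for USER from IP port N ssh2"
#   "Failed password for invalid user USER from IP port N ssh2"

# Constructed sample log (hypothetical hosts and IPs, not real data).
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
Jan  5 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jan  5 10:01:15 host sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Jan  5 10:01:19 host sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 51250 ssh2
Jan  5 10:02:02 host sshd[1210]: Failed password for alice from 192.168.1.1 port 40000 ssh2
Jan  5 10:02:05 host sshd[1211]: Failed password for alice from 192.168.1.1 port 40001 ssh2
Jan  5 10:02:40 host sshd[1220]: Accepted publickey for alice from 192.168.1.1 port 40002 ssh2: ED25519 SHA256:placeholder
Jan  5 10:03:00 host sshd[1230]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
EOF

# failed_by_ip LOGFILE -> "COUNT IP" lines, highest count first.
# The IP is always the field right after "from", whatever precedes it.
failed_by_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# failed_by_user_ip LOGFILE -> "COUNT USER IP" lines. The username is the field
# right before "from", so "invalid user" lines are handled the same way.
failed_by_user_ip() {
    grep 'Failed password' "$1" \
      | awk '{ for (i = 2; i < NF; i++) if ($i == "from") print $(i-1), $(i+1) }' \
      | sort | uniq -c | sort -nr | awk '{ print $1, $2, $3 }'
}

# ips_over_threshold LOGFILE THRESHOLD [ALLOWLIST_REGEX]
# Prints one IP per line whose failure count is strictly above THRESHOLD.
# IPs matching ALLOWLIST_REGEX (e.g. a management jump host) are never reported;
# the default regex '^$' matches nothing useful, so nothing is excluded.
ips_over_threshold() {
    log="$1"; threshold="$2"; allow="${3:-^$}"
    failed_by_ip "$log" \
      | awk -v t="$threshold" '$1 > t { print $2 }' \
      | grep -Ev "$allow" || true
}

# alert_if_exceeded LOGFILE THRESHOLD [ALLOWLIST_REGEX]
# Returns 1 (and prints an ALERT line) when any IP crosses the threshold, so a
# scheduler that treats a non-zero exit as failure can turn it into a notification.
alert_if_exceeded() {
    hits="$(ips_over_threshold "$@")"
    [ -z "$hits" ] && return 0
    printf 'ALERT: failed SSH logins over threshold from: %s\n' "$hits"
    return 1
}

# Usage: full per-IP table, then alert with threshold 2 and 192.168.1.1 allowlisted.
failed_by_ip "$SAMPLE_LOG"
alert_if_exceeded "$SAMPLE_LOG" 2 '^192\.168\.1\.1$' || true
```

On a real host replace SAMPLE_LOG with /var/log/auth.log (or /var/log/secure) and pick the threshold from the server's normal failure rate; the allowlist regex is anchored so that 192.168.1.1 does not also match 192.168.1.10. The user/IP pairing is useful for telling a password-spray against many account names apart from repeated attempts on one account.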
Use Cases for Failed SSH Login Monitoring
This monitoring helps you:
Detect Brute Force Attacks
- Attack detection: Detect brute force attacks automatically
- Pattern recognition: Identify attack patterns
- Early warning: Get early warning of attacks
- Response: Respond to attacks quickly
Identify Suspicious IP Addresses
- IP tracking: Track suspicious IP addresses
- Threat identification: Identify potential threats
- Blocking: Block malicious IP addresses
- Analysis: Analyze attack sources
Monitor Authentication Security
- Security monitoring: Monitor authentication security continuously
- Threat assessment: Assess security threats
- Vulnerability detection: Detect authentication vulnerabilities
- Security improvement: Improve authentication security
Prevent Unauthorized Access
- Access prevention: Prevent unauthorized access attempts
- Blocking: Block suspicious IPs automatically
- Protection: Protect servers from attacks
- Security: Maintain server security
Maintain Server Security
- Security maintenance: Maintain server security standards
- Compliance: Ensure compliance with security policies
- Monitoring: Monitor security continuously
- Response: Respond to security issues quickly
Comply with Security Policies
- Policy compliance: Ensure compliance with security policies
- Audit trails: Maintain audit trails for compliance
- Reporting: Generate security reports
- Documentation: Document security monitoring
Advanced Monitoring Options
Enhance failed SSH login monitoring with advanced options:
Track IP Addresses Over Time
- Historical tracking: Track IP addresses over time
- Pattern detection: Detect attack patterns
- Trend analysis: Analyze attack trends
- Forecasting: Predict potential attacks
Set Different Thresholds for Different IPs
- IP-specific thresholds: Set thresholds based on IP reputation
- Geographic thresholds: Set thresholds based on geographic location
- Flexible monitoring: Monitor different IPs with different thresholds
- Customized alerts: Customize alerts per IP
Integrate with Firewall Blocking
- Automatic blocking: Automatically block IPs that exceed thresholds
- Firewall integration: Integrate with firewall rules
- IP blocking: Block malicious IPs automatically
- Security automation: Automate security responses
Monitor Successful Logins
- Login monitoring: Monitor successful logins too
- Access tracking: Track who accesses servers
- Anomaly detection: Detect unusual login patterns
- Security analysis: Analyze login patterns
Troubleshooting Failed SSH Login Issues
When monitoring shows many failed login attempts:
Identify Attack Patterns
- Review Failed Attempts
  - Review failed login attempts
  - Identify attack patterns
  - Check IP addresses
- Investigate Attacks
  - Investigate attack sources
  - Check attack timing
  - Analyze attack methods
Take Action
- Block Suspicious IPs
  - Block IPs that exceed thresholds
  - Use firewall rules to block IPs
  - Implement automatic blocking
- Strengthen Security
  - Strengthen SSH security
  - Use key-based authentication
  - Implement fail2ban or similar tools
Best Practices for Failed SSH Login Monitoring
Follow these best practices:
- Monitor regularly: Monitor failed login attempts regularly
- Set appropriate thresholds: Set thresholds based on normal activity
- Respond quickly: Respond to alerts quickly
- Block malicious IPs: Block malicious IPs automatically
- Review logs: Review logs regularly
- Document incidents: Document security incidents
FAQ: Common Questions About Failed SSH Login Monitoring
How often should I run this task?
We recommend running it every 30 minutes to 1 hour. More frequent checks may be needed for servers with high attack rates. Adjust frequency based on your security requirements and attack patterns. More frequent checks provide better security but increase system load.
Can I block IPs automatically?
Yes, you can configure automatic actions in Zuzia.app to block IPs that exceed failed attempt thresholds using firewall rules. Set up automatic blocking to respond to attacks quickly. Use tools like fail2ban or iptables rules for automatic blocking.
What if many failed attempts are detected?
You'll receive a notification with information about the IP addresses and number of attempts. You can then take action to block suspicious IPs. Review attack patterns, block malicious IPs, investigate attack sources, and strengthen security. Quick response helps prevent successful attacks.
Can I monitor successful logins too?
Yes, you can modify the command to monitor successful logins. For example: grep 'Accepted password' /var/log/auth.log | tail -n 20 (use 'Accepted publickey' for key-based logins, or grep 'Accepted' to catch both). Monitor both failed and successful logins for comprehensive security monitoring. Successful login monitoring helps detect unauthorized access and unusual access patterns.
What log file should I monitor?
Monitor /var/log/auth.log on Debian/Ubuntu systems or /var/log/secure on RHEL/CentOS systems. Check your system's log file location and adjust commands accordingly. Some systems only log to journald, requiring different commands such as journalctl -u ssh (Debian/Ubuntu) or journalctl -u sshd (RHEL/CentOS).
How do I detect brute force attacks?
Detect brute force attacks by monitoring for multiple failed login attempts from the same IP, tracking failed attempts over time, identifying patterns in failed attempts, and setting up alerts for suspicious activity. Automated monitoring helps detect brute force attacks quickly.
Can I monitor multiple servers?
Yes, you can add this task to multiple servers simultaneously. Each server will have its own results and alerts. Monitor all servers consistently to maintain security standards across your infrastructure. Use Zuzia.app to manage monitoring across all servers from one dashboard.
How does AI help with SSH security monitoring?
If you have Zuzia.app's full package, AI analysis can detect attack patterns automatically, identify suspicious IP addresses, predict potential attacks, suggest security improvements, and provide insights for improving SSH security. AI helps you understand attack patterns and prevent security issues proactively.
What if I use key-based authentication?
Even with key-based authentication, monitor failed login attempts as they can indicate attack attempts or misconfigurations. Failed attempts may also indicate attempts to use password authentication when it should be disabled. Monitor all authentication attempts for comprehensive security.
Can I export security data?
Yes, Zuzia.app allows you to export monitoring data. Export data for analysis, reporting, compliance, or security investigation. Use exported data to analyze attack patterns, create security reports, and investigate security incidents.