How to View all Failed Login SSH Attempts on the Raspberry Pi
About: If you decide to use your Raspberry Pi as a server and expose it to the internet, you will quickly see many brute-force attempts to log in to your system. This is normal for any device that is exposed to the internet. You leave your IP address everywhere you go, and many hackers will scan your IP address for open ports, trying to expose those ports' security flaws. If you have port forwarding open on your router and it is pointed to your Raspberry Pi, then it can be very easy for a hacker to brute-force your system and get inside.
There are many reasons why you would expose your Raspberry Pi server to the internet. For example, you may be hosting a web server on your Raspberry Pi and need to forward ports so that other users can view your web page on your server. Today I will show you how to view your system authorization log on the Raspberry Pi. The commands I will show you will work on any Debian-based Linux distribution like Ubuntu or Linux Mint as well as the Raspberry Pi's Raspbian distribution.
Objective: To view failed or accepted logins on your Raspberry Pi system.
Material: You will need the following:
- Raspberry Pi
Instructions: I will assume you are already running Raspbian or some other distribution on the Raspberry Pi and that you want to look at all the failed attempts in your system authorization log.
Viewing this file will allow you to see all the failed or successful logins to your system. If your Raspberry Pi only sits on your network and you don't have any port forwarding set up on your router to point to your Raspberry Pi, you will not see many attempts in the log file. You will most likely just see all your successful logins.
There are ways to reduce the number of brute-force attempts against your system, and I suggest you read my article on ways to improve your Raspberry Pi security. I explain how to change your SSH port and install tools like Fail2Ban, which will stop brute-force attacks by banning the IP address of the hacker if they type the wrong password multiple times.
View your System’s Authorization Log
To view your system's authorization log, simply type the following command in a terminal window:

    cat /var/log/auth.log

This will show all the open and closed sessions that are run by services as well as failed and successful login attempts to your server. This file can get big, so it may be easier to find what you are looking for with the grep command.
View Failed SSH Login Attempts
To view all your failed login attempts, type the following command into a terminal window:

    grep 'Failed password' /var/log/auth.log

This will show you the IP address that attempted to log in as well as the username that was attempted.
View Successful SSH Login Attempts
To view all your successful login attempts, type the following command into a terminal window:

    grep 'Accepted password' /var/log/auth.log

This will show you the IP address that logged in as well as the username that was used.
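
Going one step beyond the two grep commands above, the following script counts failed password attempts per source address and lists accepted password logins that came from an address with earlier failures. It is an added example, not part of the original article; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise sshd password attempts in an auth.log-style file.

# Constructed sample lines (documentation-range addresses, not real data).
sample_log() {
    cat <<'EOF'
Mar 10 03:12:45 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 53422 ssh2
Mar 10 03:12:50 raspberrypi sshd[1201]: Failed password for root from 203.0.113.5 port 53424 ssh2
Mar 10 03:13:02 raspberrypi sshd[1207]: Failed password for invalid user ftp user from 198.51.100.7 port 40110 ssh2
Mar 10 03:14:10 raspberrypi sshd[1215]: Failed password for pi from 203.0.113.5 port 53430 ssh2
Mar 10 03:14:31 raspberrypi sshd[1215]: Accepted password for pi from 203.0.113.5 port 53431 ssh2
Mar 10 08:00:01 raspberrypi sshd[2001]: Accepted password for pi from 192.168.1.20 port 50112 ssh2
EOF
}

# failed_by_ip FILE: print "COUNT IP", busiest source first.
# The attempted username is client-supplied and may contain spaces, so the
# address is taken by position from the end ("... from IP port N ssh2").
failed_by_ip() {
    awk 'NF >= 6 && /sshd\[[0-9]+\]: Failed password for / && $(NF-2) == "port" {
             n[$(NF-3)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# success_after_failures FILE MIN: print "IP USER FAILS" for every accepted
# password login from an address that had at least MIN failures before it.
success_after_failures() {
    awk -v min="$2" '
        NF < 6 || $(NF-2) != "port"              { next }
        /sshd\[[0-9]+\]: Failed password for /   { fails[$(NF-3)]++ }
        /sshd\[[0-9]+\]: Accepted password for / {
            ip = $(NF-3)
            if (fails[ip] >= min) print ip, $(NF-5), fails[ip]
        }' "$1"
}

# Demo on the sample; on the Pi, pass /var/log/auth.log instead.
log=$(mktemp)
sample_log > "$log"
failed_by_ip "$log"
success_after_failures "$log" 3
rm -f "$log"
```

An accepted login that follows a run of failures from the same address is the line worth checking first, since it can mean a guessed password rather than a mistyped one.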