Finding latest successful logins and failed attempts to a CentOS server
Solution 1:
In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length).
The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.
The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1 by specifying the file with the -f parameter...
last -f /var/log/wtmp.1
Solution 2:
The question is off-topic here, but a very short answer: maybe you should just check /var/log/secure (e.g. grep for "failed").
Solution 3:
This is an old thread, but I got a similar task like this, so in my case this is a log entry:
Nov 15 17:14:47 megatron sshd[4768]: Failed password for git from 192.168.122.1 port 49227 ssh2
So we can do it like this, if we are sure the user is static:
#!/bin/bash
LOG=/var/log/secure
MESSAGE="Failed password for git"
grep -i "$MESSAGE" "$LOG"
In case we know it on a per-user basis:
#!/bin/bash
LOG=/var/log/secure
# Use the first argument as the user name; fall back to root when none is given.
if [ -n "$1" ]
then
    NEWUSER="$1"
else
    NEWUSER="root"
fi
MESSAGE="Failed password for $NEWUSER"
grep -i "$MESSAGE" "$LOG"
So the script should be executed like:
[root@megatron bash1]# ./failedlogin.sh git
Or an easier approach:
#!/bin/bash
LOG=/var/log/secure
MESSAGE="Failed password for"
grep -i "$MESSAGE" "$LOG"
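
Added example (not part of the answers above): instead of printing every matching line, this function counts failed password attempts per user and source address, and separates sshd's "invalid user" entries from attempts against accounts sshd accepted as valid. The function names, the temporary file and the sample log lines are constructed for illustration; only the log line format comes from the entry quoted in Solution 3.

```shell
#!/bin/bash
# Added example: count failed SSH password attempts per user and source IP.

# failed_summary LOGFILE -> lines of "COUNT USER IP valid|invalid", highest count first.
failed_summary() {
    awk '
    # Fields are addressed from the end of the line (NF), because the user name
    # is text supplied by the client; the address and port always come last:
    #   ... Failed password for [invalid user] USER from IP port N ssh2
    /sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        kind = ($(NF-7) == "invalid" && $(NF-6) == "user") ? "invalid" : "valid"
        count[$(NF-5) " " $(NF-3) " " kind]++
    }
    END { for (k in count) print count[k], k }
    ' "${1:-/var/log/secure}" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in the /var/log/secure format (not real log data).
sample_log() {
    cat <<'EOF'
Nov 15 17:14:47 megatron sshd[4768]: Failed password for git from 192.168.122.1 port 49227 ssh2
Nov 15 17:14:52 megatron sshd[4768]: Failed password for git from 192.168.122.1 port 49227 ssh2
Nov 15 17:15:03 megatron sshd[4771]: Failed password for git from 192.168.122.1 port 49230 ssh2
Nov 15 17:16:10 megatron sshd[4790]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov 15 17:16:15 megatron sshd[4790]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov 15 17:17:01 megatron sshd[4802]: Failed password for root from 203.0.113.7 port 50140 ssh2
Nov 15 17:18:20 megatron sshd[4810]: Accepted password for git from 192.168.122.1 port 49301 ssh2
EOF
}

# Run against the constructed sample so the example works without root access.
tmp=$(mktemp)
sample_log > "$tmp"
failed_summary "$tmp"
rm -f "$tmp"
```

Called with no argument, the function reads /var/log/secure, which normally requires root.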