Finding latest successful logins and failed attempts to a CentOS server
In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length). The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.

The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1 by specifying the file with the

    last -f /var/log/wtmp.1

The question is off-topic here, but a very short answer: maybe you should just check /var/log/secure (e.g. grep for "failed").

This is an old thread, but I got a similar task like this, so in my case this is a log entry:

    Nov 15 17:14:47 megatron sshd: Failed password for git from 192.168.122.1 port 49227 ssh2

So we can do it like this, if we are sure the user is static:

    #!/bin/bash
    LOG=/var/log/secure
    MESSAGE="Failed password for git"
    grep -i "$MESSAGE" "$LOG"

In case we know it on a per-user basis:

    #!/bin/bash
    LOG=/var/log/secure
    # Use the first argument as the user name, defaulting to root
    if [ -n "$1" ]
    then
        NEWUSER="$1"
    else
        NEWUSER="root"
    fi
    MESSAGE="Failed password for $NEWUSER"
    grep -i "$MESSAGE" "$LOG"

So the script should be executed like:

    [root@megatron bash1]# ./failedlogin.sh git

Or an easier approach:

    #!/bin/bash
    LOG=/var/log/secure
    MESSAGE="Failed password for"
    grep -i "$MESSAGE" "$LOG"
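
Building on the grep approach in the answer above, the following added example (not part of any of the original answers) counts failed password attempts per source address and user instead of listing raw lines. The function names summarize_failed and sample_log are hypothetical, every sample line except the one quoted above is constructed, and the code assumes each entry ends with "from ADDR port N ssh2".

```shell
#!/bin/bash
# Added example, not from the original answers.
# Count failed SSH password attempts per source address and user.

# Constructed sample in /var/log/secure format; the first line is the one quoted above.
sample_log() {
cat <<'EOF'
Nov 15 17:14:47 megatron sshd: Failed password for git from 192.168.122.1 port 49227 ssh2
Nov 15 17:14:52 megatron sshd[2211]: Failed password for git from 192.168.122.1 port 49228 ssh2
Nov 15 17:15:03 megatron sshd[2214]: Failed password for invalid user admin from 192.0.2.7 port 51022 ssh2
Nov 15 17:15:09 megatron sshd[2214]: Failed password for invalid user backup admin from 192.0.2.7 port 51030 ssh2
Nov 15 17:15:20 megatron sshd[2219]: Accepted password for git from 192.168.122.1 port 49230 ssh2
EOF
}

# summarize_failed [FILE...]: prints "COUNT SOURCE KIND USER", busiest first.
# Reads standard input when no file is given.
summarize_failed() {
    awk '
    /sshd(\[[0-9]+\])?: Failed password for / {
        # The user name is sent by the client and may contain spaces, so take
        # the source from the fixed tail "from ADDR port N ssh2".
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        src = $(NF-3)
        for (i = 1; i <= NF; i++) if ($i == "Failed" && $(i+1) == "password") break
        start = i + 3                      # first field after "for"
        kind = "valid"
        # sshd marks names it rejects as "invalid user NAME".
        if ($start == "invalid" && $(start+1) == "user") { kind = "invalid"; start += 2 }
        user = ""
        for (j = start; j <= NF - 5; j++) user = user (j > start ? " " : "") $j
        if (user == "") next
        count[src " " kind " " user]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# With a file argument summarize that file, otherwise the constructed sample.
if [ "$#" -gt 0 ]; then summarize_failed "$@"; else sample_log | summarize_failed; fi
```

Run it as root against /var/log/secure (or a rotated copy) by passing the path as the first argument; the user name is printed last because it is the only field that can contain spaces.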