List All Failed SSH Logins and Group by IP Address on CentOS

Surprised by the huge number of failed login attempts when you log into your CentOS server? Want to find out who was the bad guy trying to crack your server login?

This post will walk you through how to examine the SSH login logs on your CentOS server, find the IP addresses that initiated a large number of login attempts, and block these IPs from further brute-force attacks.

Follow the instructions below to get a list of all failed SSH logins, grouped by IP address.

Locate the Log Files

First, use the cd command to go to the log file directory on your CentOS server.

You will see a lot of log files. The SSH login log files are those starting with secure, e.g. secure-20171224. Now we want to combine all the SSH login files before we go over them.

Combine All SSH Log Files

Run the command below to combine them into a new file.

Analyze Log

We have combined all the SSH login logs into a single file named merged-file. We can run some analysis now.

Running the command above generates another file (named result) in which each row is an IP address that attempted to log in and failed, along with how many times it tried. For example, you will see results like those below:

18 101.95.26.126
1 102.250.51.207
1 102.251.192.26
31 103.10.168.138
37 103.10.230.126
2 103.11.135.132
36 103.12.196.125
3 103.15.74.82
7 103.16.168.138
385 103.192.253.37
6 103.192.61.9
1 103.192.76.100


Download the file and convert it to a spreadsheet so you can sort by the number of attempts. Then you can use iptables or access.denied to block access from those IPs on your CentOS server.
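The analysis step above, as an added example (not the original post's commands): a shell function that counts failed password attempts per source IP and sorts by count directly, so the spreadsheet step is not needed. It assumes the standard OpenSSH "Failed password for ... from IP port N ssh2" log format; the function names failed_ssh_by_ip and sample_log are hypothetical, and the sample log lines are constructed using documentation-range addresses.

```shell
#!/bin/sh
# Added example: group failed SSH password attempts by source IP.
# Reads sshd log lines from the files given as arguments (for example the
# secure* files), or from stdin when no file is given.
# Prints "<count> <ip>" rows, highest count first.
failed_ssh_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # User names are client-supplied and may contain spaces, so read
            # the address from the fixed tail "from <ip> port <n> ssh2"
            # instead of counting fields from the left.
            if ($(NF - 4) == "from" && $(NF - 2) == "port")
                count[$(NF - 3)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input (not real log data).
sample_log() {
    cat <<'EOF'
Dec 24 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.37 port 40122 ssh2
Dec 24 03:12:04 web1 sshd[2101]: Failed password for root from 203.0.113.37 port 40122 ssh2
Dec 24 03:12:09 web1 sshd[2107]: Failed password for invalid user admin from 203.0.113.37 port 40310 ssh2
Dec 24 03:15:40 web1 sshd[2150]: Failed password for invalid user test from 198.51.100.9 port 51877 ssh2
Dec 24 03:16:02 web1 sshd[2161]: Accepted password for deploy from 192.0.2.10 port 50022 ssh2
Dec 24 03:17:30 web1 sshd[2170]: Failed password for invalid user backup admin from 198.51.100.9 port 51901 ssh2
Dec 24 03:18:00 web1 sshd[2171]: Connection closed by 198.51.100.77 port 40000 [preauth]
EOF
}

# Demo run on the constructed sample.
sample_log | failed_ssh_by_ip
```

Passing the secure* files as arguments reads them all in one pass, so the separate merge step is optional.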