Brute-force attacks are common on public-facing Linux servers, especially through SSH. These attacks involve repeated login attempts using numerous username-password combinations to gain unauthorised access. This guide will help you detect signs of brute-force attacks using logs and monitoring tools.
Follow the guide:
- As SSH authentication logs are the primary place to detect brute-force activity, check them for repeated login attempts.
- For most Linux systems:
sudo cat /var/log/auth.log | grep “Failed password”
- On CentOS/RHEL:
sudo cat /var/log/secure | grep “Failed password”
You will find output like:
Failed password for invalid user admin from 192.168.1.10 port 45822 ssh2 Failed password for root from 192.168.1.10 port 45823 ssh2
- Look for:
Multiple failed attempts from the same IP address.
Login attempts for non-existent users.
Rapid succession of attempts within a short time.
- For most Linux systems:
- To view failed login attempts, use the “lastb” command, as it shows a list of bad login attempts recorded in /var/log/btmp:
sudo lastb
This assists in identifying usernames, timestamps, and source IPs used in failed logins.
- And, if you already use “fail2ban” installed, you can view the list of IPs it has banned due to repeated failures using the below command:
sudo fail2ban-client status sshd
The output will be as shown below:
Status for the jail: sshd Banned IP list: 192.168.1.10 192.168.1.22
- Use log analysis tools like “GoAccess”, “Logwatch”, or “SIEM” solutions such as “OSSEC” and “Wazuh” to monitor system logs and detect unusual login patterns or brute-force attacks.
- Set up real-time alerts using tools like “auditd” or custom scripts with “mailx” to get notified when multiple failed login attempts or suspicious IP activities are detected.
- To prevent brute-force attacks, implement measures such as using Fail2Ban, disabling root SSH login, changing the default SSH port, enabling SSH key authentication, and applying firewall rules.
Brute-force attacks are frequent but can be detected using Linux logs and tools. Regular monitoring and proactive hardening of your SSH access significantly reduce your server’s vulnerability.
If you are unsure about any steps, contact your support staff for assistance.
Want to block brute-force attempts automatically? Learn How to Install and Configure Fail2Ban for Linux SSH Security