How do I get Linux to notify me about failed login attempts?

3

I have seen it before: when you log into a Linux box wrong and then successfully log on, it notifies you that someone attempted to log on as you and didn't succeed. What do I need to do to make this happen on my box here?

Syseng

Posted 2015-03-20T19:32:08.823

Reputation: 31

Similar question - [https://askubuntu.com/q/179889/723997]. My answer - [https://askubuntu.com/a/1114631/723997] is only one among many informative answers worth looking at. – Craig Hicks – 2019-02-01T06:32:44.430

Answers

3

For SSH in particular, you’ll probably need to make sure logging is enabled in /etc/ssh/sshd_config.

Otherwise, it’s a vague question that depends on how you want to be alerted and the details of your system and its configuration, even how they log in. You could just tail a log file: tail -f /var/log/messages is common or journalctl -f on some Linux systems. One thread of solutions for email alerts is on ServerFault.

On most modern GNU/Linux systems this should get you a digest of every failed attempt with SSH or TTY over the past hour:

journalctl --since="$(date -d -1hours +\%F\ \%H):00:00" --until="$(date +\%F\ \%H):00:00" | grep -iE "Failed (pass|log)"

Actually, that covers the last hour to the current hour. You could crontab a process to retrieve that every hour and email it to you.

Entries would look like:

Mar 21 06:16:23 yourhostname sshd[29477]: Failed password for root from 103.41.125.20 port 35243 ssh2
Mar 21 06:16:33 yourhostname login[317]: FAILED LOGIN 1 FROM tty4 FOR bolwerk, Authentication failure
Mar 21 06:22:29 yourhostname sshd[29695]: Failed password for invalid user poo from ::1 port 60139 ssh2

Here’s a script you can put in crontab to gather that:

#!/bin/sh

# gather journal information in the time frame: previous clock hour up to the current one
CRUFT=$(journalctl --since="$(date -d -1hours +\%F\ \%H):00:00" --until="$(date +\%F\ \%H):00:00" | grep -iE "Failed (pass|log)")

# email settings
EMAILFROM="From: Security Alert <yourmail@email.domain>"
EMAILSUBJECT="Subject: Failed login Summaries from $(date -d -1hours +\%H):00 to $(date +\%H):00"
EMAILALERTTO="your@email.domain"

# only send mail when something was found; printf replaces "echo -e", which is
# not portable under /bin/sh (dash prints the "-e" literally)
if [ "x$CRUFT" != "x" ]; then
        printf '%s\n%s\n\nFailed logins:\n%s\n' "$EMAILFROM" "$EMAILSUBJECT" "$CRUFT" | ssmtp "$EMAILALERTTO"
fi

It assumes you want to send out the last hour’s failed attempts every hour. It also assumes you have journalctl and probably requires a GNU userland (most distros have that).

To make it work, you will need to configure SSMTP properly. Here is a link that talks about doing that with gmail. Read up on security for SSMTP too; configuring it wrong exposes your password if you have a shared system. You may want to include this line in the ssmtp.conf configuration:

FromLineOverride=yes

It will make a digest of failed login events over the past hour and email them to you.

If I might make a general suggestion, successful logins might be more interesting. On a public network with the standard port, people/bots are constantly trying to brute force insecure boxes. It’s not much of a threat if you set your passwords correctly, etc… But putting an alert script of some sort in /etc/profile to catch any successful login would probably be a cinch.

Notes: Here is CentOS documentation on journalctl; it should be similar on many other GNU/Linux OSes. Other examples of subtracting from the date command, depending on how you want to time reports.

Bolwerk

Posted 2015-03-20T19:32:08.823

Reputation: 381
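The answer's script mails the raw journal lines. As an added example (not from the answer or its author), here is a POSIX shell script that parses both log formats shown above, the sshd "Failed password" line and the login(1) "FAILED LOGIN" line, into a per-user, per-source count and only reports sources that cross a threshold, so the hourly mail stays quiet during ordinary background noise. The function names (summarize_failed, over_threshold, count_lines, hourly_report) and the sample log lines are this example's own; the sample hostname, PIDs and addresses are constructed placeholders, and the grep pattern and journal time window are the ones from the answer.

```shell
#!/bin/sh
# Added example, not part of the original answer: turn raw "Failed ..." journal
# lines into a "COUNT USER SOURCE" table and alert only above a threshold.
# Function names and sample data are this example's own assumptions.

# Constructed sample input modelled on the answer's log lines. Hostname, PIDs
# and the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation ranges)
# are placeholders, not real hosts.
SAMPLE_LOG='Mar 21 06:16:23 yourhostname sshd[29477]: Failed password for root from 203.0.113.5 port 35243 ssh2
Mar 21 06:16:33 yourhostname login[317]: FAILED LOGIN 1 FROM tty4 FOR bolwerk, Authentication failure
Mar 21 06:22:29 yourhostname sshd[29695]: Failed password for invalid user poo from ::1 port 60139 ssh2
Mar 21 06:22:31 yourhostname sshd[29695]: Failed password for invalid user poo from ::1 port 60140 ssh2
Mar 21 06:30:00 yourhostname sshd[29800]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2'

# Read log lines on stdin; print "COUNT USER SOURCE", highest count first.
# Handles both formats the answer shows: sshd's
#   "Failed password for [invalid user] USER from ADDR port N ssh2"
# and login(1)'s
#   "FAILED LOGIN n FROM tty FOR USER, Authentication failure"
summarize_failed() {
    grep -iE 'Failed (pass|log)' |
    awk '
    {
        user = ""; src = ""
        for (k = 1; k <= NF; k++) {
            lk = tolower($k)
            if (lk == "for" && user == "") {
                # sshd writes "for invalid user NAME" for unknown accounts
                if ($(k+1) == "invalid" && $(k+2) == "user") user = $(k+3)
                else user = $(k+1)
                sub(/,$/, "", user)          # login(1) leaves a trailing comma
            } else if (lk == "from" && src == "") {
                src = $(k+1)                 # IP address for sshd, tty for login
            }
        }
        if (user != "" && src != "") count[user " " src]++
    }
    END { for (key in count) print count[key], key }
    ' |
    sort -k1,1rn -k2,2
}

# Keep only summary lines whose count reaches the threshold given in $1.
over_threshold() {
    awk -v limit="$1" '$1 >= limit'
}

# Count lines of input (portable alternative to wc -l, which pads on some systems).
count_lines() {
    awk 'END { print NR }'
}

# Same journal window as the answer's script (previous clock hour), summarised
# and filtered; pipe the output into ssmtp as the answer does if you want mail.
hourly_report() {
    journalctl --since="$(date -d -1hours +%F\ %H):00:00" \
               --until="$(date +%F\ %H):00:00" |
    summarize_failed | over_threshold "${1:-1}"
}

# With no arguments, run on the constructed sample; pass --journal (and an
# optional threshold) to read the real journal instead.
if [ "${1:-}" = "--journal" ]; then
    hourly_report "${2:-1}"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_failed | over_threshold 1
fi
```

On the sample, the output is three lines, with the repeated "invalid user poo" attempts from ::1 counted as 2 and the "Accepted publickey" line dropped by the filter; raising the threshold to 2 leaves only that line. Because the login(1) line has a tty rather than an address in its FROM field, the SOURCE column mixes both, which is the same information the raw digest carries.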

Thank you so much for the information. My ultimate goal is to log in to a node and, below where it says last login: xxxx, it then says username 0 failed login attempts or something of that nature. I am using RHEL 6.5 – Syseng – 2015-03-23T15:19:47.917

Tricky but doable, probably. If this didn't change in CentOS7 (my only experience with anything like RHEL), run echo "$LPATHDIR/lastnotification" and it shows you the file storing that information. It's just a UNIX epoch date stamp with the time of the last login. The file /etc/profile.d/abrt-console-notification.sh is what controls this. The efficient way to do what you want is probably to write a DB backend of some sort that stores failed logins and lets a script in profile.d read from it. Sounds like a lot of trouble. – Bolwerk – 2015-03-24T01:38:32.773