Skip to main content

Analyzing Authentication Failures in Linux Logs

Linux system administrators often need to monitor authentication failures in system logs to identify and address security threats. The auth.log file is one such log that contains valuable information about authentication attempts. In this blog, we will explore seven commands that can help you analyze authentication failure logs.

Sample Input Data

We'll be working with a sample auth.log file containing various authentication events. Here's a snippet of the sample data:

Nov  1 08:19:20 ip-172-31-94-205 sshd[454487]: pam_unix(sshd:auth): check pass; user unknown
Nov 1 08:19:23 ip-172-31-94-205 sshd[454487]: Failed password for invalid user centos from 118.41.204.72 port 49772 ssh2
Nov 1 08:20:58 ip-172-31-94-205 sshd[454583]: Invalid user supervisor from 122.176.30.69 port 40798
Nov 1 08:39:42 ip-172-31-94-205 sshd[459681]: Failed password for root from 106.51.71.157 port 50397 ssh2
...

Command 1: Filtering Authentication Failure Events

The first command filters out lines containing "Failed password" from the auth.log:

cat auth.log | grep "Failed password"

Output (Sample):

Nov  1 08:19:23 ip-172-31-94-205 sshd[454487]: Failed password for invalid user centos from 118.41.204.72 port 49772 ssh2
Nov 1 08:39:42 ip-172-31-94-205 sshd[459681]: Failed password for root from 106.51.71.157 port 50397 ssh2
...

This command extracts lines where authentication failures occurred.

Command 2: Extracting Timestamps

The second command extracts the timestamps (date and time) from the authentication failure events:

cat auth.log | grep "Failed password" | awk '{print $1}'

Output (Sample):

Nov
Nov
...

This command helps in understanding when the authentication failures took place.

Command 3: Extracting Relevant Information

The third command extracts key information, including the date, time, source IP, and username of authentication failures for invalid users:

cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13}'

Output (Sample):

Nov  1 08:19:23 118.41.204.72
Nov 1 08:20:58 122.176.30.69
...

This command provides a more focused view of authentication failure events.

Command 4: Detailed Information

The fourth command extracts additional information, such as the date, time, source IP, username, and port number:

cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}'

Output (Sample):

Nov  1 08:19:23 centos 118.41.204.72 port 49772
Nov 1 08:20:58 supervisor 122.176.30.69 port 40798
...

This command provides more context about authentication failures.

Command 5: Sorting Events

The fifth command counts and sorts unique authentication failure events:

cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | sort

Output (Sample):

Nov 1 08:19:23 centos 118.41.204.72 port 49772
Nov 1 08:20:58 supervisor 122.176.30.69 port 40798
...

This command helps identify the frequency of each unique authentication failure event.

Command 6: Aggregating and Sorting by IP

The sixth command aggregates events by source IP, counts them, and sorts the results:

cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | awk '{ip_count[$4]++} END {for (ip in ip_count) print $1"-"$2":"$3, ip,  ip_count[ip]}' | sort

Output (Sample):

Nov 1 08:20:58 122.176.30.69 port 40798 1
Nov 1 08:19:23 118.41.204.72 port 49772 1
...

This command helps you identify which source IPs are involved in multiple authentication failures.

Command 7: Geolocating IP Addresses

The seventh command adds geolocation information to source IP addresses using a tool like geoiplookup:

  • you may need to install the geoiplookup tool using sudo apt install geoip-bin before running this command.
cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | awk '{ip_count[$4]++} END {for (ip in ip_count) print $1"-"$2":"$3, ip,  ip_count[ip]}' | sort -k3 -n -r | while read line; do ip=$(echo $line | awk '{print $2}'); location=$(geoiplookup $ip); echo "$line $location"; done

Output (Sample):

Nov 1 08:20:58 122.176.30.69 port 40798 5 GeoIP Country Edition: IN, India
Nov 1 08:19:23 118.41.204.72 port 49772 1 GeoIP Country Edition: KR, South Korea
...

This command first sort the previous result by the number of authentication failures in descending order. It then iterates through each line and extracts the source IP address. Finally, it uses the geoiplookup tool to add geolocation information to each source IP address.

Command 8: getting top 10 IP addresses

The eighth command gets the top 10 IP addresses with the most authentication failures:

cat auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | awk '{ip_count[$4]++} END {for (ip in ip_count) print $1"-"$2":"$3, ip,  ip_count[ip]}' | sort -k3 -n -r | head -n 10

or using sed command

cat /var/log/auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | awk '{ip_count[$4]++} END {for (ip in ip_count) print $1"-"$2":"$3, ip,  ip_count[ip]}' | sort -k3 -n -r | while read line; do ip=$(echo $line | awk '{print $2}'); location=$(geoiplookup $ip | awk  -F: '{print $2}' ); echo "$line $location"; done | sed '11, $d'

Command 9: Exporting data

You can separate the output with commas (,) and save the output to your local machine as a CSV file:

cat /var/log/auth.log | grep "Failed password for invalid" | awk '{print $1, $2, $3, $13, $14, $15}' | awk '{ip_count[$4]++} END {for (ip in ip_count) print $1"-"$2":"$3, ip,  ip_count[ip]}' | sort -k3 -n -r | while read line; do ip=$(echo $line | awk '{print $2}'); location=$(geoiplookup $ip | awk  -F: '{print $2}' ); echo "$line $location"; done | sed '11, $d' | tr ' ' ',' > authentication_failures.csv

Output (Sample):

This command exports the output to a CSV file and your console output will be empty.