Login Get Started
Hostxpeed
Login Get Started →
Getting Started

How to See Failed Login Attempts

5 min read
21 views
Jun 11, 2026

Prerequisites

Before checking failed login attempts, make sure you have:

  • SSH access to your VPS
  • Root or sudo privileges

⚠️ Multiple failed login attempts from the same IP indicate a brute force attack.

Method 1: Using lastb Command (Quick View)

Connect to your VPS:

ssh hxroot@YOUR_SERVER_IP -p 22

View last 10 failed attempts:

lastb -10

Example output:

root     ssh:notty    185.45.6.78      Mon Apr 28 05:23:15 2026 - 05:23:15  (00:00)
admin    ssh:notty    185.45.6.78      Mon Apr 28 05:23:12 2026 - 05:23:12  (00:00)
user     ssh:notty    203.0.113.45     Mon Apr 28 05:23:09 2026 - 05:23:09  (00:00)

Method 2: Count Failed Attempts by IP

lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10

Output shows IP addresses with most failed attempts:

  245 185.45.6.78
   89 203.0.113.45
   12 198.51.100.23

Method 3: Count Failed Attempts by Username

lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10

Shows which usernames attackers are trying:

  156 root
   78 admin
   45 user
   32 test

Method 4: Check SSH Logs Directly

Ubuntu/Debian:

grep "Failed password" /var/log/auth.log | tail -20

CentOS/RHEL:

grep "Failed password" /var/log/secure | tail -20

Show with timestamps and IPs:

grep "Failed password" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | tail -20

Method 5: Failed Attempts in Last Hour

grep "$(date --date='1 hour ago' +'%b %e %H')" /var/log/auth.log | grep "Failed password" | wc -l

Method 6: Monitor Failed Attempts in Real Time

tail -f /var/log/auth.log | grep "Failed password"

Press Ctrl+C to stop.

Method 7: Check for Invalid User Attempts

grep "Invalid user" /var/log/auth.log | tail -20

Method 8: Visualize Failed Attempts Over Time

#!/bin/bash
for hour in {0..23}; do
    COUNT=$(grep "$(date +'%b %e') $hour:" /var/log/auth.log | grep "Failed password" | wc -l)
    echo "$hour:00 - $(printf '%3d' $COUNT) attempts"
done

Set Up Failed Login Alert

Create monitoring script:

#!/bin/bash
THRESHOLD=10
FAILED_COUNT=$(grep "$(date +'%b %e')" /var/log/auth.log | grep "Failed password" | wc -l)
if [ $FAILED_COUNT -gt $THRESHOLD ]; then
    echo "Warning: $FAILED_COUNT failed login attempts detected today on $(hostname)" | mail -s "SSH Attack Alert" admin@example.com
fi

Add to cron:

0 * * * * /root/check_failed_logins.sh

Common Attack Patterns

  • Brute force on root account
  • Attempting common usernames (admin, user, test, ubuntu)
  • Dictionary attacks with thousands of passwords
  • Slow attacks (trying once every few minutes to avoid detection)

Protect Against Failed Login Attempts

Install Fail2ban:

apt install fail2ban -y

Change SSH port from default 22:

nano /etc/ssh/sshd_config
Port 2222
systemctl restart sshd

Disable root login:

PermitRootLogin no

Use SSH keys only:

PasswordAuthentication no

Export Failed Login Data for Analysis

lastb > failed_logins_$(date +%Y%m%d).txt
grep "Failed password" /var/log/auth.log > failed_attempts.log

✅ You can now monitor failed login attempts and take action to secure your Hostxpeed VPS.

Was this article helpful?