ssh - check login log on server

In this short article, we would like to show how to check ssh login attempts history (succeed and failed authentications).

Quick solution (run following command):

less /var/log/auth.log

Practical example

In this section, you can see how to find available ssh login logs and display them.

Simple steps:

1. display available log files, using:

   ls -al /var/log/auth.*

   Example output:

   -rw-r----- 1 root admin  2730199 Dec  1 20:58 /var/log/auth.log
   -rw-r----- 1 root admin 19017431 Nov 30 23:59 /var/log/auth.log.1
   -rw-r----- 1 root admin  1427371 Nov 29 23:59 /var/log/auth.log.2.gz
   -rw-r----- 1 root admin  1430921 Nov 28 23:58 /var/log/auth.log.3.gz
   -rw-r----- 1 root admin  1727737 Nov 27 23:58 /var/log/auth.log.4.gz

    
2. display selected log file, using:

   less /var/log/auth.log

   Hint:

   To display compressed logs (*.gz files) use zless command.
   e.g. zless /var/log/auth.log.2.gz (/var/log/auth.log.3.gz, /var/log/auth.log.4.gz, etc.).

   Example output:

   ...
   Dec 1 19:50:20 debian-pc sshd[20133]: Failed password for admin from 123.123.123.123 port 12345
   Dec 1 19:50:23 debian-pc sshd[20133]: Connection closed by authenticating user admin 123.123.123.123 port 12345 [preauth]
   Dec 1 20:04:02 debian-pc sshd[20134]: Failed password for john from 123.123.123.123 port 12345
   Dec 1 20:04:07 debian-pc sshd[20134]: Connection closed by authenticating user john 123.123.123.123 port 12345 [preauth]
   ...

See also

1. less - browse gzipped logs