SSH Failed Login Analysis

What This Means

Analyze SSH failed login events in Linux auth logs. Distinguish between typos, misconfigurations, and active attacks by understanding failed authentication patterns and their security implications.

Example Log

Mar  8 15:10:22 dbserver sshd[23456]: Failed password for jsmith from 10.0.5.142 port 49821 ssh2
Mar  8 15:10:25 dbserver sshd[23457]: Connection closed by authenticating user jsmith 10.0.5.142 port 49822 [preauth]
Mar  8 15:10:30 dbserver sshd[23458]: Failed publickey for jsmith from 10.0.5.142 port 49823 ssh2

How to Investigate

  1. Determine whether the failure is for a known user or an unknown/invalid user
  2. Check the source IP: internal or external, expected or unexpected
  3. Review the authentication method (password vs publickey vs keyboard-interactive)
  4. Check whether the user recently changed their password or SSH key
  5. Correlate with successful logins to establish the user's normal pattern
  6. For a publickey failure, verify the user's authorized_keys file is correct
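As an added example (not code from this page or its scanner), the following Python applies the checklist above to a batch of constructed auth.log lines: it parses the Failed/Accepted sshd messages, separates invalid-user probing from real accounts, treats a burst of failures from one source as brute force, and marks failures later followed by a success from the same user and IP as the user's own mistake. The thresholds, the log year and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd failure lines like those in the example log above; the
# "invalid user " prefix appears only when the account does not exist.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
OK_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample auth.log lines (not a real capture): a user's own mistake, probing, a burst.
SAMPLE = """\
Mar  8 15:10:22 dbserver sshd[23456]: Failed password for jsmith from 10.0.5.142 port 49821 ssh2
Mar  8 15:10:30 dbserver sshd[23458]: Failed publickey for jsmith from 10.0.5.142 port 49823 ssh2
Mar  8 15:10:41 dbserver sshd[23460]: Accepted publickey for jsmith from 10.0.5.142 port 49824 ssh2
Mar  8 15:12:01 dbserver sshd[23470]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Mar  8 15:12:02 dbserver sshd[23471]: Failed password for invalid user test from 203.0.113.9 port 51001 ssh2
Mar  8 15:12:03 dbserver sshd[23472]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar  8 15:12:04 dbserver sshd[23473]: Failed password for root from 203.0.113.9 port 51003 ssh2
Mar  8 15:12:05 dbserver sshd[23474]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar  8 15:25:10 dbserver sshd[23478]: Failed password for invalid user oracle from 10.0.9.3 port 42000 ssh2
Mar  8 15:30:00 dbserver sshd[23480]: Failed password for backup from 10.0.7.20 port 40000 ssh2
""".splitlines()

def parse_ts(ts, year=2024):
    # Syslog timestamps omit the year; 2024 is an assumed value for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def is_burst(times, burst, window_s):
    # True if any `burst` consecutive failures fall within `window_s` seconds.
    times = sorted(times)
    return any((times[i + burst - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - burst + 1))

def classify(lines, burst=5, window_s=120):
    """(user, ip) -> 'brute-force' (burst from that IP), 'invalid-user' (no such
    account), 'resolved-by-user' (same user/IP later succeeded) or 'needs-review'."""
    seen, by_ip, invalid, ok = set(), defaultdict(list), set(), set()
    for line in lines:
        if m := FAIL_RE.match(line):
            seen.add((m["user"], m["ip"]))
            by_ip[m["ip"]].append(parse_ts(m["ts"]))
            if m["invalid"]:
                invalid.add((m["user"], m["ip"]))
        elif m := OK_RE.search(line):
            ok.add((m["user"], m["ip"]))
    bursting = {ip for ip, t in by_ip.items() if is_burst(t, burst, window_s)}
    return {k: "brute-force" if k[1] in bursting else "invalid-user" if k in invalid
            else "resolved-by-user" if k in ok else "needs-review" for k in seen}
```

Run `classify(SAMPLE)` to see the six verdicts; the jsmith failures from the example log come out as resolved-by-user because the same user and IP succeed shortly after.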

Frequently Asked Questions

Where are SSH failed logins logged?
On Debian/Ubuntu: /var/log/auth.log. On RHEL/CentOS: /var/log/secure. You can also use journalctl -u sshd to view SSH-specific logs on systemd-based systems.
What does "Failed publickey" mean?
It means the client presented an SSH key that did not match any key in the user's authorized_keys file. This can happen after key rotation, if the wrong key is offered, or if authorized_keys has incorrect permissions.
How do I set up SSH login alerts?
Use a PAM module like pam_exec to run a script on successful/failed logins, configure rsyslog to forward auth.log to a SIEM, or use fail2ban with email notification enabled.