Search Our Database

Introduction

This article guides you through how to check successful and failed login attempts on a Linux server via the command-line interface (CLI).
Monitoring login history is important for security auditing, detecting unauthorized access attempts, and troubleshooting login issues.

We will use the last and lastb commands, along with system logs, to view both successful and failed login records.

Pre-requisites

• Root or sudo access to your Linux server.
• SSH access to the server.
• Basic familiarity with terminal commands.

Steps to Check Successful and Failed Logins

Step 1: Connect to Your Server via SSH

Use an SSH client (e.g., PuTTY or terminal) to log in:

ssh youruser@your.server.ip

Step 2: View Successful Login Attempts

Run the following command to see a list of successful logins:

last

📌 Note: The output shows the username, source IP address/hostname, login date, and session duration.

Step 3: View Failed Login Attempts

To view failed login attempts, run:

sudo lastb

📌 Note: This reads from /var/log/btmp and may require sudo privileges.

Step 4: Check Detailed Authentication Logs

For more detailed information, including SSH login attempts, view the system’s secure log:

sudo grep "sshd" /var/log/secure

Or, using journalctl:

sudo journalctl -u sshd --since "1 day ago"

Step 5: Filter by Specific Username or IP

You can filter login attempts for a specific user or IP address using grep:

last | grep username

Or for failed logins:

sudo lastb | grep username

Conclusion

By using the last, lastb, and system log commands, you can easily monitor both successful and failed login attempts on your Linux server.
This helps in maintaining server security and identifying any suspicious activity.

If you require assistance or encounter any issues, please contact our support team at support@ipserverone.com.