fabic974 random (binary) wanderings in the philament empires…

SSH: List failed password-based connections attempts (using jq)

With `-o json` (or `-o json-pretty`) journalctl emits one JSON object per journal entry, so the syslog text itself can be extracted with jq like this:

$ journalctl -u ssh -o json-pretty -b | jq '.MESSAGE'

And we may list users for which a "failed password" authentication was logged, keeping only user names that actually exist on the system, in this way:

$ journalctl -u ssh -o json -b \
    | jq -rC '.MESSAGE | capture("^Failed password for (?<invalid>invalid user )?(?<user>\\w+)") | [.user, .invalid] | @sh' \
    | sed -e "s/'\(.*\)'/\1/" -e "s/'//g" \
    | sort -u -k1,1 \
    | grep -v 'invalid user *$'

Stage by stage: capture emits nothing for messages that do not match, so only "Failed password for ..." lines survive; @sh quotes the two fields (an unmatched invalid group is printed as null); the sed strips the quotes; sort -u -k1,1 keeps one line per user name; the final grep drops the entries sshd tagged as "invalid user", i.e. names that do not exist on the host. Two caveats: \w+ stops at "." and "-", so a name such as svc.backup is captured as svc, and journald emits MESSAGE as an array of byte values when the text is not valid UTF-8, which makes capture fail on that entry. The unit is ssh on Debian/Ubuntu but sshd on Fedora/RHEL; journalctl -t sshd selects by syslog identifier and works on both.
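The same extraction as the jq pipeline above, written in Python as an added example (not code from the original post): it consumes the line-delimited JSON that `journalctl -u ssh -o json -b` prints, handles the byte-array form of MESSAGE, widens the user-name pattern beyond \w+, and, going one step further than the one-liner, counts failed attempts per (user, source address) separately for existing and non-existing users. The journal lines embedded in SAMPLE_JOURNAL are constructed for the example; the function names are my own.

```python
import json
import re
import sys
from collections import Counter

# Same shape as the jq capture in the post, but the user name may contain
# '.', '-' or '$' (service and AD-style accounts), and source/port are kept.
FAILED_RE = re.compile(
    r"^Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample mimicking `journalctl -u ssh -o json -b`: one JSON object
# per line.  The last entry carries MESSAGE as an array of byte values, which is
# how journald exports text it could not validate as UTF-8.
SAMPLE_JOURNAL = "\n".join([
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2"}),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Failed password for root from 203.0.113.7 port 51530 ssh2"}),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Failed password for root from 198.51.100.4 port 40022 ssh2"}),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Accepted publickey for alice from 192.0.2.9 port 33110 ssh2: ED25519 SHA256:..."}),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                "Failed password for invalid user svc.backup from 203.0.113.7 port 51540 ssh2"}),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE":
                list(b"Failed password for bob from 198.51.100.4 port 40030 ssh2")}),
])


def message_text(entry):
    """Return MESSAGE as str; journald exports a byte array for non-UTF-8 text."""
    msg = entry.get("MESSAGE")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", errors="replace")
    return msg if isinstance(msg, str) else ""


def parse_failed_passwords(journal_json_lines):
    """Yield (user, is_invalid_user, src_ip) for every failed-password message."""
    for line in journal_json_lines.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a truncated last line
        m = FAILED_RE.match(message_text(entry))
        if m:
            yield m.group("user"), m.group("invalid") is not None, m.group("src")


def summarize(journal_json_lines):
    """Count attempts per (user, source): one Counter for existing users, one for invalid ones."""
    valid, invalid = Counter(), Counter()
    for user, is_invalid, src in parse_failed_passwords(journal_json_lines):
        (invalid if is_invalid else valid)[(user, src)] += 1
    return valid, invalid


def failed_valid_users(journal_json_lines):
    """What the jq pipeline prints: sorted, de-duplicated existing users with failed passwords."""
    valid, _ = summarize(journal_json_lines)
    return sorted({user for user, _src in valid})


if __name__ == "__main__":
    # Pipe real data in with: journalctl -u ssh -o json -b | python3 this_script.py
    data = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    valid, invalid = summarize(data)
    print("existing users:", ", ".join(failed_valid_users(data)))
    for (user, src), n in sorted(valid.items()):
        print(f"  valid   {user:<16} {src:<16} {n} attempt(s)")
    for (user, src), n in sorted(invalid.items()):
        print(f"  invalid {user:<16} {src:<16} {n} attempt(s)")
```

Keeping the source address in the key is what turns the listing into something actionable: many failures for one existing user from one address is a brute-force candidate, while the same address cycling through non-existing names is the usual scanner noise.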
  • journalctl -t su: lists su attempts (entries with syslog identifier su);
  • journalctl -t sudo: lists sudo invocations.