How to track all the successful and failed login attempts by users in Linux

Several commands can be used for this purpose. I will briefly explain each of them with examples.
 

Method 1

All the login attempts made to your system are stored in /var/log/secure. You can open the file with any reader, or filter it for a user name, and look at each access attempt and its result.

# grep deepak /var/log/secure
May 18 14:56:17 lab1 unix_chkpwd[17490]: password check failed for user (deepak)
May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com  user=deepak
May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for deepak from 192.168.0.25 port 60735 ssh2
May 18 14:56:18 lab1 sshd[17481]: pam_unix(sshd:session): session opened for user deepak by (uid=0)
May 18 16:50:04 lab1 unix_chkpwd[19626]: password check failed for user (deepak)
May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/12 ruser= rhost=  user=deepak
May 18 16:50:04 lab1 sudo: deepak : TTY=pts/12 ; PWD=/home/deepak ; USER=root ; COMMAND=/bin/su -
May 18 16:50:04 lab1 su: pam_unix(su-l:session): session opened for user root by deepak(uid=0)
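
Reading these lines by eye does not scale, so here is a small summariser for the two line types shown above (pam_unix authentication failures and sshd "Accepted" lines). It is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): count PAM authentication
# failures and accepted SSH logins per user and service.

# Constructed sample in the /var/log/secure format shown above.
sample_log() {
cat <<'EOF'
May 18 14:56:17 lab1 sshd[17489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=server1.example.com  user=deepak
May 18 14:56:18 lab1 sshd[17481]: Accepted keyboard-interactive/pam for deepak from 192.168.0.25 port 60735 ssh2
May 18 16:50:04 lab1 sudo: pam_unix(sudo:auth): authentication failure; logname=deepak uid=0 euid=0 tty=/dev/pts/12 ruser= rhost=  user=deepak
May 18 17:01:10 lab1 sshd[20001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=amar
May 18 17:01:15 lab1 sshd[20001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=amar
May 18 17:01:21 lab1 sshd[20001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=amar
EOF
}

# Reads log lines on stdin; prints "user service failed accepted", sorted.
summarize_auth() {
  awk '
    /pam_unix\([^:]+:auth\): authentication failure/ {
      svc = $0
      sub(/.*pam_unix\(/, "", svc)      # drop everything before the service
      sub(/:auth\).*/, "", svc)         # keep only "sshd", "sudo", ...
      user = "-"                        # used when the line has no user= value
      for (i = 1; i <= NF; i++)
        if ($i ~ /^user=./) user = substr($i, 6)   # anchored: skips ruser=
      fail[user " " svc]++; seen[user " " svc] = 1
      next
    }
    / sshd\[[0-9]+\]: Accepted / {
      for (i = 1; i < NF; i++)
        if ($i == "for") { seen[$(i+1) " sshd"] = 1; ok[$(i+1) " sshd"]++; break }
    }
    END { for (k in seen) printf "%s %d %d\n", k, fail[k], ok[k] }
  ' | LC_ALL=C sort
}

# flag_failures N: prints "user service failed" where failed >= N.
flag_failures() {
  summarize_auth | awk -v n="$1" '$3 >= n { print $1, $2, $3 }'
}

sample_log | summarize_auth
```

On a live system, feed it the real file instead of the sample: summarize_auth < /var/log/secure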

 

Method 2

To collect an authentication report for all the recent attempts made to your system:

# aureport -au -i
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/16/14 10:12:54 rahul ? /dev/pts/116  /usr/bin/sudo  yes 6946469
2. 05/16/14 12:09:19 abdul ? /dev/pts/117  /usr/bin/sudo  yes 6947443
3. 05/16/14 12:16:11 abdul ? /dev/pts/102  /usr/bin/sudo  yes 6947512
4. 05/16/14 13:00:10 rahul ? /dev/pts/116  /usr/bin/sudo  yes 6947866
5. 05/16/14 13:22:15 rahul 10.10.10.26 ssh /usr/sbin/sshd yes 6948054
6. 05/16/14 13:22:36 rahul ? /dev/pts/140  /usr/bin/sudo  yes 6948062

 

Collect success reports

# aureport -au -i --success
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/16/14 10:12:54 rahul ? /dev/pts/116 /usr/bin/sudo yes 6946469
2. 05/16/14 12:09:19 abdul ? /dev/pts/117 /usr/bin/sudo yes 6947443
3. 05/16/14 12:16:11 abdul ? /dev/pts/102 /usr/bin/sudo yes 6947512
4. 05/16/14 13:00:10 rahul ? /dev/pts/116 /usr/bin/sudo yes 6947866

 

Collect failed reports

# aureport -au -i --failed
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 05/16/14 15:42:11 deepak ? /dev/pts/124 /usr/bin/sudo  no 6949322
2. 05/17/14 12:02:53 amar 10.10.10.26 ssh  /usr/sbin/sshd no 6959885
3. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967954
4. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967955
5. 05/18/14 01:21:06 abhay ? /dev/pts/12   /usr/bin/sudo  no 6967956

 

Login Failures

# aureport -l --failed
Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/16/14 21:50:22 priya  10.191.29.164  sshd /usr/sbin/sshd no 6952386
2. 05/17/14 12:02:09 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959875
3. 05/17/14 12:02:48 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959884
4. 05/17/14 12:02:53 amar   10.10.10.26    sshd /usr/sbin/sshd no 6959886
5. 05/17/14 19:46:32 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964909
6. 05/17/14 19:46:43 suzane 172.18.249.112 sshd /usr/sbin/sshd no 6964987

 

Successful Logins

# aureport -l --success
Login Report
============================================
# date time auid host term exe success event
============================================
1. 05/16/14 13:22:15 42771 10.10.10.26         /dev/pts/140 /usr/sbin/sshd yes 6948060
2. 05/16/14 21:37:10 34566 server1.example.com /dev/pts/124 /usr/sbin/sshd yes 6952264
3. 05/16/14 21:50:28 48467 server1.example.com /dev/pts/141 /usr/sbin/sshd yes 6952397
4. 05/16/14 23:33:18 42572 server1.example.com /dev/pts/148 /usr/sbin/sshd yes 6953354
5. 05/17/14 07:05:56 42572 server1.example.com /dev/pts/149 /usr/sbin/sshd yes 6957230
6. 05/17/14 07:12:39 42572 server1.example.com /dev/pts/149 /usr/sbin/sshd yes 6957294

 

Login summary report

# aureport -l --success --summary -i
Success Login Summary Report
============================
total  auid
============================
4  ankit
4  anurag
3  amit
2  suzane
1  prateek
1  deepak
1  priya
1  rashmi

 

Limitation with audit report

aureport reads /var/log/audit/audit.log to generate all of these reports. In most cases logrotate is configured for the log files, so the log file is renewed at regular intervals and the generated report only goes back to the date on which the current log file started storing records.

Method 3

To collect all the records of bad login attempts by a user:

# lastb deepak
deepak ssh:notty    10.10.10.26 Fri Apr  4 04:38 - 04:38  (00:00)
deepak ssh:notty    10.10.10.23 Sun Mar 16 21:20 - 21:20  (00:00)
deepak ssh:notty    10.10.10.23 Sun Mar 16 21:20 - 21:20  (00:00)
deepak ssh:notty    10.10.10.23 Sun Mar 16 21:19 - 21:19  (00:00)
deepak ssh:notty    10.10.10.23 Sun Mar 16 21:19 - 21:19  (00:00)
deepak ssh:notty    10.10.10.23 Tue Jan 21 00:48 - 00:48  (00:00)
deepak ssh:notty    10.10.10.24 Sun Jan 19 22:56 - 22:56  (00:00)
deepak ssh:notty    10.10.10.24 Sun Jan 19 22:41 - 22:41  (00:00)
deepak ssh:notty    10.10.10.24 Sun Jan 19 22:41 - 22:41  (00:00)
deepak ssh:notty    10.10.10.26 Sun Jan 19 22:37 - 22:37  (00:00)
deepak ssh:notty    10.10.10.24 Sun Jan 19 22:21 - 22:21  (00:00)
btmp begins Fri Feb 19 10:22:42 2010

This output contains the records from the time logs started being stored in /var/log/btmp (the "btmp begins" line above).
NOTE: Running lastb without any argument shows the full, long list of all users with bad login attempts.
 