Shell Scripting to Detect and Report Failed SSH Logins

Your Server is Under Attack Right Now

Open up your terminal right now. I guarantee some script kiddie or automated bot is hammering your SSH port. They want in. Badly. You could ignore it and hope your passwords are strong enough. Or, you could actively track who is knocking at the front door. A failed ssh login script isn't just a fun weekend project. It’s basic survival. Let’s build one.

Digging Through the Trash

Before we write any code, we need to know where Ubuntu hides the evidence. For reliable brute-force detection on Ubuntu, your goldmine is `/var/log/auth.log`. Every time someone gets a password wrong, sshd quietly scribbles a "Failed password" line down here. If you're on a newer system where logging goes to the systemd journal instead, `journalctl -u ssh` is your best friend. We just need a way to filter the noise and pull out the actual failed attempts.

The 3-Line Bash Filter

Time to get our hands dirty. You don't need a massive Python application for this. A bash pipeline over the auth log does the heavy lifting with tools you already have. We'll use `grep` to hunt down the phrase "Failed password". Pipe that into `awk` to extract just the IP addresses (the field right after the word "from"). Then `sort` them, because `uniq` only collapses adjacent duplicates, and run `uniq -c` to count how many times each IP tried to break in. Simple. Ruthless. Effective.

Building the Hit List

Raw data is useless if it’s hard to read. Let's make our script spit out a clean, formatted report. Think of it as a leaderboard of bad actors. I usually set my script to trigger an alert if a single IP hits more than 10 failed attempts. At that point, it’s not a typo. It’s an attack. You can output this list right to your terminal or pipe it into an email so you wake up to a fresh list of blocked enemies every morning.

Setting It on Autopilot

Scripts are great. Forgetting to run them is not. Once you've got your detection logic dialed in, hand it off to `cron`. Tell the system to run your script every hour. Or every ten minutes. If things look spicy, you can even wire this script directly into `iptables` or `ufw` to automatically ban the offending IPs; just exempt your own management address first, or one fat-fingered password will lock you out of your own box. Complete automation. You get to sleep while your server defends itself.
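Here is the grep/awk/sort/uniq pipeline from the last three sections wrapped into a script, as an added example rather than the post's own code. The function name `report_failed_logins`, the default threshold of 10, and the embedded sample log lines are my own assumptions; the sample addresses come from the RFC 5737 documentation ranges and are constructed, not real attackers.

```shell
#!/usr/bin/env bash
# Added example (not the post's own script): count "Failed password" lines
# per source IP in an auth.log-style file and report any IP over a threshold.

# report_failed_logins LOGFILE THRESHOLD
# Prints "COUNT IP" for each IP with more than THRESHOLD failures, worst first.
report_failed_logins() {
    logfile="$1"
    threshold="${2:-10}"
    # sshd lines look like:
    #   ... sshd[2001]: Failed password for root from 203.0.113.5 port 4242 ssh2
    #   ... sshd[2002]: Failed password for invalid user bob from 198.51.100.7 port 5151 ssh2
    # The IP is always the field after "from", so pick that field rather than
    # a fixed column (the "invalid user" variant shifts the columns).
    grep 'Failed password' "$logfile" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 + 0 > t + 0 { print $1, $2 }'
}

# Constructed sample log using RFC 5737 documentation addresses: 12 failures
# from one host, 1 from another, plus a successful login that must be ignored.
make_sample_log() {
    f="$(mktemp)"
    {
        i=0
        while [ "$i" -lt 12 ]; do
            echo "Jan 10 03:14:07 host sshd[2001]: Failed password for root from 203.0.113.5 port 4242 ssh2"
            i=$((i + 1))
        done
        echo "Jan 10 03:15:00 host sshd[2002]: Failed password for invalid user bob from 198.51.100.7 port 5151 ssh2"
        echo "Jan 10 03:16:00 host sshd[2003]: Accepted password for alice from 192.0.2.9 port 6161 ssh2"
    } > "$f"
    echo "$f"
}

# Run directly: ./failed_ssh.sh [LOGFILE] [THRESHOLD]; defaults match the post.
log="${1:-/var/log/auth.log}"
if [ -r "$log" ]; then
    report_failed_logins "$log" "${2:-10}"
fi
```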
