Sunday, May 5, 2024
rated 0 times [  157] [ 0]  / answers: 1 / hits: 275885  / 3 Years ago, fri, october 29, 2021, 4:45:16

I'd like to see if somebody has been trying to log-in by brute-force into my Ubuntu 12.04 server over SSH. How can I see if such activities have been taking place?



 Answers

All login attempts are logged to /var/log/auth.log.



1. Filter for brute-force interactive SSH logins



Open a terminal, and type the below; if it's longer than 1 page you will be able to scroll up and down; type q to exit:



grep "sshd.*Failed" /var/log/auth.log | less



  • Here's a real example from one of my VPSs:




    Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
    Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
    Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
    Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
    Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
    Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2



2. Look for failed connections (i.e. no login attempted, could be a port scanner, etc.):



Use this command:



grep "sshd.*Did" /var/log/auth.log | less



  • Example:




    Aug 5 22:19:10 izxvps sshd[7748]: Did not receive identification string from 70.91.222.121
    Aug 10 19:39:49 izxvps sshd[1919]: Did not receive identification string from 50.57.168.154
    Aug 13 23:08:04 izxvps sshd[3562]: Did not receive identification string from 87.216.241.19
    Aug 17 15:49:07 izxvps sshd[5350]: Did not receive identification string from 211.22.67.238
    Aug 19 06:28:43 izxvps sshd[5838]: Did not receive identification string from 59.151.37.10



How to reduce failed/brute-force login attempts




  • Try switching your SSH to a non-standard port from the default 22

  • Or install an auto-ban script such as fail2ban.


[#36058] Sunday, October 31, 2021, 3 Years  [reply] [flag answer]
inglehare
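As an added example (not part of the original answer), the shell functions below summarise the "Failed password" lines shown above per source address, so that repeated attempts from one host stand out. The function names and the threshold passed to `noisy_sources` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-source summary of sshd "Failed password" log lines.

# The six sample lines quoted in the answer, embedded so this runs offline.
sample_log() {
    cat <<'EOF'
Aug 18 11:00:57 izxvps sshd[5657]: Failed password for root from 95.58.255.62 port 38980 ssh2
Aug 18 23:08:26 izxvps sshd[5768]: Failed password for root from 91.205.189.15 port 38156 ssh2
Aug 18 23:08:30 izxvps sshd[5770]: Failed password for nobody from 91.205.189.15 port 38556 ssh2
Aug 18 23:08:34 izxvps sshd[5772]: Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Aug 18 23:08:38 izxvps sshd[5774]: Failed password for invalid user sjobeck from 91.205.189.15 port 39157 ssh2
Aug 18 23:08:42 izxvps sshd[5776]: Failed password for root from 91.205.189.15 port 39467 ssh2
EOF
}

# Print "<ip> <attempts> <distinct usernames>", busiest source first.
# Reads the log files given as arguments, or stdin when there are none.
failed_by_source() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
    $8 == "for" && $(NF-4) == "from" && $(NF-2) == "port" {
        # The address is located by counting fields from the END of the line:
        # the username is text supplied by the client, so it is not trusted
        # to have a fixed shape or width.
        ip = $(NF-3)
        first = ($9 == "invalid" && $10 == "user") ? 11 : 9
        user = ""
        for (i = first; i <= NF - 5; i++)
            user = user (i > first ? " " : "") $i
        attempts[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END {
        for (ip in attempts)
            printf "%s %d %d\n", ip, attempts[ip], users[ip]
    }' "$@" | sort -k2,2nr -k1,1
}

# Print only the sources with at least $1 failed attempts. The threshold is
# an assumption to tune per host; remaining arguments are log files.
noisy_sources() {
    min=$1; shift
    failed_by_source "$@" | awk -v min="$min" '$2 >= min { print $1 }'
}

sample_log | failed_by_source
```

On a live server, pass the log file instead of the embedded sample, for example `failed_by_source /var/log/auth.log`.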
