Cybersecurity Triage

Read-only, sensitive output

Count Failed SSH Login IPs

You need to rank source IPs from failed SSH login attempts.

Command

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not block IPs from this output alone without considering NATs, allowlists, and policy.

Expected output

A count-sorted list of source IP addresses from failed SSH attempts.

System impact

Read-only, sensitive output. Nothing changes. The command extracts source IPs and counts repeats.

Recovery / rollback: no state is changed.

When to use it

Use when deciding whether one source is causing most SSH noise.

When not to use it

Do not block IPs from this output alone without considering NATs, allowlists, and policy.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ grep 'Failed password' logs/auth.log

Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2

$ sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr

      2 203.0.113.44
      1 198.51.100.77
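
As an added example (not part of this card), a small POSIX shell script that takes the same ranking one step further: it reads the token after "from" instead of matching `[0-9.]*`, so IPv6 sources are counted rather than silently skipped, and it adds a threshold helper for deciding whether one source dominates. The sample log lines are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the card's own command: rank source addresses from
# failed SSH password attempts, counting IPv4 and IPv6 sources alike.

# Constructed sample auth.log lines (documentation-range addresses).
SAMPLE_AUTH_LOG='Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:15 vps sshd[1004]: Failed password for root from 2001:db8::15 port 39910 ssh2
Jun 25 12:02:16 vps sshd[1005]: Accepted publickey for deploy from 198.51.100.77 port 41010 ssh2
Jun 25 12:02:20 vps sshd[1006]: Failed password for root from 203.0.113.44 port 51130 ssh2'

# rank_failed_ips: reads auth.log lines on stdin and prints "count address",
# highest count first, ties ordered by address. The field after "from" is
# taken as the source whatever its address family, so IPv6 lines count too.
rank_failed_ips() {
    awk '/sshd/ && /Failed password/ {
        for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break }
    }' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{print $1, $2}'
}

# top_failed_ip: prints only the noisiest source address.
top_failed_ip() {
    rank_failed_ips | head -n 1 | awk '{print $2}'
}

# failed_ips_over: prints source addresses with at least N failures (N = $1),
# a simple threshold for "is one source causing most of the noise?".
failed_ips_over() {
    rank_failed_ips | awk -v min="$1" '$1 >= min {print $2}'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | rank_failed_ips
```

On the sample above the IPv6 source 2001:db8::15 appears in the ranking; the card's `[0-9.]*` pattern would drop that line without any error.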

Related commands

Count Failed SSH Login Users (Cybersecurity Triage, sensitive output)

Failed SSH attempts are noisy; grouping users makes the pattern readable.

sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr

Summarize SSH Auth Outcomes (Cybersecurity Triage, sensitive output)

SSH logs get easier to read once accepted and failed methods are counted.

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr

Show Failed SSH Public-Key Users (Cybersecurity Triage, sensitive output)

A failed public-key attempt often points to stale keys or the wrong account.

awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

Summarize sudo Commands by User (Cybersecurity Triage, sensitive output)

Privilege history is easier to review when users and commands are separated.

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Summarize SSH Authorized Key Types (Cybersecurity Triage, sensitive output)

Key inventory gets more useful when old key types stand out.

find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.