$ Linux One Liners
Back to commands

Cybersecurity Triage

Read-only, sensitive output

Show Failed SSH Public-Key Users

You need to extract users and source IPs from failed SSH public-key attempts.

Command

awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not rotate or remove keys based on this count alone; inspect key fingerprints and account ownership first.

Expected output

Counted failed public-key attempts grouped by username and source IP.

System impact

Read-only, sensitive output. Nothing changes. The command reads auth.log and counts failed public-key attempts by user and source IP.

Recovery / rollback: no state is changed.

When to use it

Use when a key-based SSH login fails and you need to separate stale-key failures from password guessing.

When not to use it

Do not rotate or remove keys based on this count alone; inspect key fingerprints and account ownership first.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ grep 'Failed publickey' logs/auth.log

Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy

$ awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

      1 deploy 198.51.100.40
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. grep 'Failed publickey' logs/auth.log
  2. awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

next steps

Related commands

Cybersecurity Triage Sensitive output

Summarize SSH Auth Outcomes

SSH logs get easier to read once accepted and failed methods are counted.

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Sensitive output

Count Failed SSH Login IPs

The loudest SSH source is usually visible with one count.

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Sensitive output

Count Failed SSH Login Users

Failed SSH attempts are noisy; grouping users makes the pattern readable.

sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Sensitive output

List Accepted SSH Login Sources

Successful SSH logins are the access events worth anchoring first.

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Cybersecurity Triage Read-only

Spot Unusual HTTP Methods in Access Logs

Most site traffic is boring. The weird methods are worth a look.

awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.