
Cybersecurity Triage

Count Failed SSH Login Users

You need to count which usernames are being targeted in SSH failures.

Command

sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr

What changed

Nothing changes on the host. The command only reads the log: it extracts the username from each "Failed password for" line (dropping the "invalid user" prefix when present) and counts how often each name repeats.

Danger

safe

When to use it

Use during SSH brute-force triage or when checking which accounts are being probed.

When not to use it

Do not treat it as a complete incident timeline; it only summarizes matching log lines.

Undo or recovery

No undo needed because this command is read-only.

Expected output

A count-sorted list of usernames from failed SSH attempts.
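As an added example (not part of the lesson), the command above wrapped in a shell function and run against a constructed auth.log fixture, plus a variant that keeps the source address with each username so one noisy host can be told apart from a spray against one account. The fixture contents and function names are assumptions; the optional group is written as POSIX `\{0,1\}`, the portable spelling of the GNU sed `\?` used in the lesson.

```shell
#!/bin/sh
# Added example, not the lesson's own script: the lesson's sed/sort/uniq
# pipeline as a function, run against a constructed auth.log fixture.

# Constructed sample log lines (hosts and addresses are documentation ranges).
FIXTURE="$(mktemp)"
trap 'rm -f "$FIXTURE"' EXIT
cat >"$FIXTURE" <<'EOF'
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:00:05 vps sshd[1004]: Failed password for root from 203.0.113.44 port 51126 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:00 vps sshd[1005]: Accepted publickey for deploy from 198.51.100.77 port 41010 ssh2
EOF

# Username per failed password attempt, most targeted first.
# The optional "invalid user " group is captured but not printed, so only
# the account name (group 2) survives; successful logins never match.
count_failed_users() {
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/p' "$1" \
        | sort | uniq -c | sort -nr
}

# Same extraction, but prints "user source-ip" pairs (groups 2 and 3).
count_failed_user_ips() {
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from \([^ ]*\) .*/\2 \3/p' "$1" \
        | sort | uniq -c | sort -nr
}

count_failed_users "$FIXTURE"
count_failed_user_ips "$FIXTURE"
```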

demo script

Disposable terminal steps

  1. grep 'Failed password' logs/auth.log
  2. sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr

simulated output

What it looks like

$ grep 'Failed password' logs/auth.log
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
$ sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr
      1 root
      1 deploy
      1 admin
