Cybersecurity Triage
Risk: safeSummarize SSH Auth Outcomes
You need a quick count of successful and failed SSH authentication methods from an auth log.
Command
awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nrBefore you run this
Risk: safe. Do not treat this as a full incident timeline; review the matching source lines before making account or firewall changes.
Expected output
A count-sorted summary of accepted public-key logins and failed SSH authentication methods.
System impact
Nothing changes. The command reads the auth log and counts matching SSH authentication outcomes.
Recovery / rollback: no state is changed.
When to use it
Use during SSH access triage when you need a fast read on whether noise is password guessing, stale keys, or real accepted access.
When not to use it
Do not treat this as a full incident timeline; review the matching source lines before making account or firewall changes.
Watch this command run
Example output from a temporary Linux lab
This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.
$ grep 'sshd' logs/auth.log
Jun 25 09:58:12 vps sshd[101]: Failed password for invalid user admin from 203.0.113.44 port 50122 ssh2
Jun 25 09:58:18 vps sshd[102]: Failed password for root from 203.0.113.44 port 50124 ssh2
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
Jun 25 10:05:01 vps sshd[130]: Failed password for bob from 198.51.100.55 port 61200 ssh2
Jun 25 10:05:03 vps sshd[130]: Connection closed by authenticating user bob 198.51.100.55 port 61200 [preauth]$ awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
3 failed password
2 accepted publickey
1 failed publickeyView reproducible demo details
This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.
Lab setup steps
grep 'sshd' logs/auth.logawk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
next steps
Related commands
Show Failed SSH Public-Key Users
A failed public-key attempt often points to stale keys or the wrong account.
awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr
Count Failed SSH Login IPs
The loudest SSH source is usually visible with one count.
sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
Count Failed SSH Login Users
Failed SSH attempts are noisy; grouping users makes the pattern readable.
sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr
List Accepted SSH Login Sources
Successful SSH logins are the access events worth anchoring first.
awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Summarize SSH Authorized Key Types
Key inventory gets more useful when old key types stand out.
find home -path '*/.ssh/authorized_keys' -exec awk '{print $1}' {} + | sort | uniq -c | sort -nr
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.