$ Linux One Liners
Back to lessons

Cybersecurity Triage

Risk: safe

Show Failed SSH Public-Key Users

You need to extract users and source IPs from failed SSH public-key attempts.

Command

awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

Before you run this

Risk: safe. Do not rotate or remove keys based on this count alone; inspect key fingerprints and account ownership first.

Expected output

Counted failed public-key attempts grouped by username and source IP.

System impact

Nothing changes. The command reads auth.log and counts failed public-key attempts by user and source IP.

Recovery / rollback: no state is changed.

When to use it

Use when a key-based SSH login fails and you need to separate stale-key failures from password guessing.

When not to use it

Do not rotate or remove keys based on this count alone; inspect key fingerprints and account ownership first.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ grep 'Failed publickey' logs/auth.log

Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy

$ awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

      1 deploy 198.51.100.40
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. grep 'Failed publickey' logs/auth.log
  2. awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

next steps

Related commands

Cybersecurity Triage Risk: safe

Summarize SSH Auth Outcomes

SSH logs get easier to read once accepted and failed methods are counted.

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Risk: safe

Count Failed SSH Login IPs

The loudest SSH source is usually visible with one count.

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Risk: safe

Count Failed SSH Login Users

Failed SSH attempts are noisy; grouping users makes the pattern readable.

sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr
Cybersecurity Triage Risk: safe

List Accepted SSH Login Sources

Successful SSH logins are the access events worth anchoring first.

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Cybersecurity Triage Risk: safe

Spot Unusual HTTP Methods in Access Logs

Most site traffic is boring. The weird methods are worth a look.

awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.