Identify and Report Not authorized SSH Login Attempts

OneFirewall Alliance
3 min readAug 17, 2023

How to identify an Not authorized user accessing our server over SSH

Let’s break down the code step by step:

journalctl -u ssh - since -5m | grep 'Invalid user.*' | awk '{ print $10 }'

1. journalctl: This command is used to query and display logs managed by the `systemd` journal on Linux systems.

2. -u ssh: The `-u flag specifies a unit (service) to filter the logs. In this case, it’s used to filter logs related to the SSH service (`sshd`), which is the SSH daemon responsible for handling incoming SSH connections.

3. — since -5m: The ` — since` flag specifies the time range from which you want to retrieve logs. In this case, it’s set to retrieve logs from the last 5 minutes (`-5m`).

4. grep ‘Invalid user.*’: The `grep` command is used to search for lines in the output that match a specific pattern. Here, it searches for lines that contain the phrase “Invalid user” followed by anything (`.*`). This is likely used to identify failed login attempts with invalid usernames.

5. awk ‘{ print $10 }’: The `awk` command is used to manipulate and process text data. In this context, it’s used to extract specific fields from the input. The `{ print $10 }` part instructs `awk` to print the 10th field (column) of each line.

Putting it all together, this command sequence is designed to accomplish the following:

1. Retrieve logs from the SSH service in the last 5 minutes.
2. Search for lines containing “Invalid user,” which could indicate failed login attempts with invalid usernames.
3. Extract and print the 10th field of each matching line. This field is likely the IP address or hostname of the remote system attempting the invalid login.

However, there’s a small issue with the code: the field number might not be accurate in all environments, especially if the log format changes. The exact field containing the IP address or hostname might vary depending on the log format. It’s a good practice to review your logs’ structure and adapt the `awk` command accordingly to extract the correct information.

Report it to OneFirewall

OneFirewall serves as a comprehensive global database meticulously cataloging an extensive array of malevolent entities, including malicious IPs, domains, and malware strains. This resource plays a pivotal role in amassing insightful reports detailing a spectrum of nefarious cyber events. By aggregating and curating information on these threats, OneFirewall provides a vital platform for the cybersecurity community to collaborate, analyze trends, and fortify their defense strategies. Through its comprehensive repository, OneFirewall empowers security professionals worldwide to stay ahead of emerging risks, thwart potential attacks, and ensure a safer digital landscape for individuals, organizations, and institutions.

This script is designed to identify and report unauthorized SSH login attempts to the OneFirewall platform using its API. Let’s break down the code step by step:

for value in $(journalctl -u ssh --since -5m | grep 'Invalid user.*' | awk '{ print $10 }')
echo $value
curl -H 'Content-Type: application/json' \
-H 'Authorization: '$OneFirewall_Token'' \
-d '{ "ip":"'$value'", "lid":"<EventID>", "notes": "SSH Login", "confidence": 0.8}' \

let’s break down this code snippet step by step:

This script processes unauthorized SSH login attempts from the past 5 minutes and reports them to the OneFirewall platform using its API. Let’s go through it step by step:

1. `for value in $(…)`: This loop iterates over each IP address extracted from the SSH logs. The command within the parentheses does the following:
— `journalctl -u ssh — since -5m`: Retrieves SSH-related logs from the last 5 minutes.
— `grep ‘Invalid user.*’`: Filters the logs to lines containing “Invalid user,” indicating unauthorized login attempts.
— `awk ‘{ print $10 }’`: Extracts the 10th field (column) from each line, which likely contains the IP address of the source.

2. `do`: Marks the beginning of the loop’s body.

3. `echo $value`: Prints the current IP address to the terminal, providing feedback on which IP address is being processed.

4. `curl …`: Sends an HTTP POST request to the OneFirewall API’s endpoint for reporting malicious IPs. The various options and arguments in the `curl` command include:
— `-H ‘Content-Type: application/json’`: Sets the content type of the request to JSON

More information about OneFirewall API here



OneFirewall Alliance

Our solution, through its Threats Info Sharing Platform and IP Reputation Score Engine, will increase security while decreasing its cost.