How to Log and Monitor Failed Login Attempts in Debian 12 Bookworm System

Learn how to track and analyze failed login attempts on a Debian 12 system.

Ensuring the security of your Debian 12 Bookworm system is crucial, and one of the fundamental steps is monitoring failed login attempts. Repeated failed logins can indicate a brute-force attack or an attempt at unauthorized access. By logging and monitoring failed login attempts, you can take action before a security breach occurs. This article will guide you through the process of tracking and analyzing failed login attempts on a Debian 12 system.

1. Understanding Login Logging in Debian

Debian systems use various log files to track login activity. The most relevant logs for monitoring failed login attempts are:

  • /var/log/auth.log: Contains authentication logs, including SSH and local login attempts.
  • /var/log/faillog: Stores per-user counters of failed login attempts (binary file, read with the faillog command).
  • /var/log/btmp: Logs all failed login attempts (binary file, requires special commands to read).
  • /var/log/wtmp: Logs successful logins, logouts, and system reboots.

2. Checking Failed Login Attempts

2.1 Using the journalctl Command

journalctl queries the systemd journal, which records authentication events alongside other system messages.

sudo journalctl -xe | grep 'Failed password'

This command filters the logs to display only failed authentication attempts.

2.2 Checking the Authentication Log

You can manually check /var/log/auth.log for failed attempts:

sudo grep 'Failed' /var/log/auth.log

This command shows all failed login attempts recorded in the authentication log.

2.3 Viewing the btmp Log

Since /var/log/btmp is a binary file, it must be read with lastb:

sudo lastb

This will show all failed login attempts, including usernames and IP addresses.

3. Monitoring Failed SSH Login Attempts

Most brute-force attacks target SSH. To check failed SSH login attempts:

sudo grep 'Failed password' /var/log/auth.log

To count failed attempts:

sudo grep 'Failed password' /var/log/auth.log | wc -l

To check the top IPs attempting failed logins:

sudo grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -10

This helps identify potential attackers.
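The following shell script is an added example, not part of the original article, that goes a step beyond the one-liner above: for each source address it reports the number of failed password attempts, how many distinct usernames were tried, and the first and last timestamps, which separates a brute force on one account from password spraying across many accounts. It assumes lines in the layout rsyslog writes to /var/log/auth.log (a constructed sample is embedded); on Debian 12, where rsyslog is not installed by default, the same lines are available from journalctl -u ssh.

```shell
#!/bin/bash
# Added example, not from the original article: per-source summary of failed
# SSH password logins. Besides the count per IP it reports how many distinct
# usernames each IP tried and when it was first and last seen, which separates
# a brute force on one account from password spraying across many accounts.

# Constructed sample in the layout rsyslog writes to /var/log/auth.log
# (journalctl's default "short" output has the same layout).
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:02:01 host sshd[1210]: Invalid user admin from 198.51.100.9 port 40022
Mar  3 10:02:03 host sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Mar  3 10:02:40 host sshd[1215]: Failed password for invalid user test from 198.51.100.9 port 40031 ssh2
Mar  3 10:03:40 host sshd[1222]: Accepted publickey for alice from 192.0.2.5 port 60001 ssh2: ED25519 SHA256:AAAA
Mar  3 10:04:09 host sshd[1230]: Failed password for bob from 2001:db8::1 port 5022 ssh2
Mar  3 10:05:11 host sshd[1240]: Failed password for root from 203.0.113.7 port 51299 ssh2
EOF
)

# Reads auth.log-style lines on stdin; prints one line per source address:
#   ip attempts distinct_users first_seen last_seen   (most attempts first)
summarize_failed_logins() {
    awk '
      /sshd\[[0-9]+\]: Failed password for / {
        # Locate the "from" token instead of relying on fixed field positions,
        # so "invalid user NAME" lines and IPv6 addresses are handled alike.
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
        ts = $1 " " $2 " " $3
        attempts[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
      }
      END { for (ip in attempts) print ip, attempts[ip], users[ip], first[ip], last[ip] }
    ' | sort -k2,2nr
}

# Helper for one address in the sample: prints "attempts distinct_users".
sample_stats() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_failed_logins | awk -v ip="$1" '$1 == ip { print $2, $3 }'
}

# Stand-alone run against the sample. On a real host feed it the live log, e.g.
# "sudo cat /var/log/auth.log | summarize_failed_logins" or "journalctl -u ssh".
printf '%s\n' "$SAMPLE_LOG" | summarize_failed_logins
```

In the sample, 203.0.113.7 hammers a single account (3 attempts, 1 username) while 198.51.100.9 tries two different invalid usernames, and the "Invalid user" and "Accepted publickey" lines are correctly not counted.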

4. Enabling Real-Time Monitoring with tail

To continuously monitor failed login attempts in real-time:

sudo tail -f /var/log/auth.log | grep 'Failed'

This is useful for detecting suspicious activities as they happen.

5. Using fail2ban to Prevent Brute-Force Attacks

fail2ban automatically bans IP addresses with multiple failed login attempts.

5.1 Installing fail2ban

sudo apt update && sudo apt install fail2ban -y

5.2 Configuring fail2ban

Create a local jail configuration:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the configuration:

sudo nano /etc/fail2ban/jail.local

Modify or add the following settings under [sshd]:

enabled = true
bantime = 600
findtime = 600
maxretry = 5

  • bantime: Time (in seconds) an IP is banned.
  • findtime: Time window (in seconds) in which failed attempts are counted.
  • maxretry: Number of allowed failures within findtime before banning.

Restart fail2ban:

sudo systemctl restart fail2ban

5.3 Checking Banned IPs

To check which IPs are banned:

sudo fail2ban-client status sshd

To manually ban an IP:

sudo fail2ban-client set sshd banip 192.168.1.100

To unban an IP:

sudo fail2ban-client set sshd unbanip 192.168.1.100

6. Setting Up Email Alerts for Failed Logins

To receive email alerts, you can use logwatch or a custom script.

6.1 Installing logwatch

sudo apt install logwatch -y

Run logwatch manually:

sudo logwatch --detail high --service sshd --range today

Configure it to send daily reports by editing /etc/cron.daily/00logwatch.

6.2 Creating a Custom Alert Script

Create a script to monitor failed logins and send email alerts:

sudo nano /usr/local/bin/failed_login_alert.sh

Add the following script:

#!/bin/bash
LOGFILE="/var/log/auth.log"
EMAIL="admin@example.com"
THRESHOLD=5
STATE="/var/tmp/failed_login_alert.count"   # count seen at the previous run

# Count only failures logged since the previous run; counting the whole file
# would re-send the alert on every run once the threshold is reached.
TOTAL=$(grep -c "Failed password" "$LOGFILE")
LAST=$(cat "$STATE" 2>/dev/null || echo 0)
FAILED_ATTEMPTS=$((TOTAL - LAST))
[ "$FAILED_ATTEMPTS" -lt 0 ] && FAILED_ATTEMPTS=$TOTAL   # log file was rotated
echo "$TOTAL" > "$STATE"

if [ "$FAILED_ATTEMPTS" -ge "$THRESHOLD" ]; then
    echo "Alert: $FAILED_ATTEMPTS failed login attempts detected since the last check" | mail -s "Security Alert" "$EMAIL"
fi

Make the script executable:

sudo chmod +x /usr/local/bin/failed_login_alert.sh

Schedule it with cron:

sudo crontab -e

Add the following line:

*/10 * * * * /usr/local/bin/failed_login_alert.sh

This will run every 10 minutes to check for failed login attempts.

7. Best Practices for Securing Logins

  • Disable Root Login: Edit /etc/ssh/sshd_config and set PermitRootLogin no.
  • Use Key-Based Authentication: Disable password authentication and use SSH keys.
  • Use a Non-Standard SSH Port: Change the default SSH port (22) to reduce automated attacks.
  • Limit Login Attempts with PAM: Configure PAM to restrict login attempts.

Conclusion

Monitoring and logging failed login attempts is crucial for securing your Debian 12 Bookworm system. By using tools like journalctl, fail2ban, and logwatch, you can efficiently track unauthorized access attempts and take preventive actions. Implementing additional security measures such as key-based authentication and SSH hardening further strengthens system security. By following this guide, you can significantly reduce the risk of unauthorized access to your system.