Q&A: Log Failed SSH Log-In Attempts

Q) I have a brand new Ubuntu Server installation with port 22(SSH) facing the Internet, while looking at the logs I noticed that no information such as failed log-in attempts are being logged. What file and parameter do I need to change in order to start logging failed attempts?.

A) by default OpenSSH on Ubuntu is not set to log failed log-in attempts, I guess the logic behind this decision is to reduce the amount of logs being generated. The risk associated with not logging failed attempts is that you will never know if your server is being targeted by the bad guys, pretty much anything exposed to the Internet is bound to be a target of some sort.


In order to start logging failed attempts you need root, a text editor, and access to the sshd_config file.

Open the file /etc/ssh/sshd_config with your favorite editor.

nano /etc/ssh/sshd_config

And look for the line starting with #Logging and change the parameter from LogLevel INFO to LogLevel VERBOSE.

# Logging
SyslogFacility AUTH
LogLevel INFO

The new configuration should look like this:

# Logging
SyslogFacility AUTH

From now on the system will log all failed attempts to /var/log/auth.log. Just don’t be surprised about your popularity with the bad guys!.

  • Peter


    I need to actually see the password in plaintext, for troubleshooting.
    I know all about the dangers of storing passwords in plaintext on my server, but I will delete the logs imeediately after the troubleshoot.
    So my question: IS there a way to log the authentication attempts in plain-text?

    Kind regards,