How to Monitor Login Attempts on Your VPS Print

Monitoring login attempts is crucial for securing your VPS against unauthorized access. This guide shows how to view, track, and analyze SSH login attempts using built-in Linux tools and optional security utilities.

Why Monitor Login Activity?

• Detect brute-force attacks

• Identify unauthorized access attempts

• Audit successful and failed logins

• Strengthen overall server security

Method 1: View SSH Login Logs with journalctl

If your system uses systemd, you can use journalctl to monitor SSH login attempts.

View all SSH login activity:

journalctl -u ssh

View recent failed logins:

journalctl -u ssh -p err

View login attempts in real time:

journalctl -u ssh -f

Method 2: Use the last Command to View Successful Logins

The last command shows a history of successful logins:

last

Example output:

root     pts/0        192.168.1.100    Mon Mar 25 14:02   still logged in

Method 3: Use the lastb Command to View Failed Logins

The lastb command (requires btmp logging) shows failed login attempts:

lastb

If lastb is not available, install the util-linux package:

apt install util-linux       # Debian/Ubuntu  
yum install util-linux       # CentOS/RHEL

Method 4: Check /var/log/auth.log or /var/log/secure

On Debian/Ubuntu:

grep "sshd" /var/log/auth.log

On CentOS/RHEL/AlmaLinux:

grep "sshd" /var/log/secure

This shows both successful and failed SSH attempts.

To filter failed attempts:

grep "Failed password" /var/log/auth.log

Or for IP-specific search:

grep "192.168.1.100" /var/log/auth.log

Method 5: Use who or w to See Logged-In Users

• Show who is currently logged in:

who

• Show active sessions and what users are doing:

w

Optional: Set Up fail2ban to Block Repeated Failed Attempts

You can install fail2ban to automatically block IPs after too many failed login attempts.

Install fail2ban:

apt install fail2ban        # Debian/Ubuntu  
yum install fail2ban        # CentOS/RHEL

Start and enable it:

systemctl enable fail2ban --now

It will monitor /var/log/auth.log or /var/log/secure and block IPs with repeated failures.

Conclusion

Monitoring login attempts is essential for keeping your VPS secure. Use these tools regularly to detect unusual activity and consider adding automated protection like fail2ban.

If you suspect unauthorized access or need help securing your VPS, contact Hosteons Support or access your server using https://vps.hosteons.com.