Preface¶
In Ubuntu systems, you can check for malicious login attempts in the following ways, mainly by examining system logs and related record files:
1. View Login History¶
# View login history for all users
last
# View failed login attempts
lastb
# View more detailed login information, including IP addresses
last -i
2. Check System Log Files¶
# View auth.log, which records authentication-related events
sudo grep "Failed password" /var/log/auth.log
sudo grep "Accepted password" /var/log/auth.log
# For newer Ubuntu versions, journalctl may be needed
sudo journalctl -u ssh -g "Failed password"
sudo journalctl -u ssh -g "Accepted password"
3. View Recently Logged-in Users¶
# Display currently logged-in users
who
# Display user login history
w
# Show the last logged-in user
lastlog
4. Check SSH Login Records¶
# View SSH service login records
sudo grep sshd /var/log/auth.log | grep -i "session opened for user"
sudo grep sshd /var/log/auth.log | grep -i "authentication failure"
If suspicious login records are found (e.g., unfamiliar IP addresses, multiple failed login attempts, etc.), it is recommended to immediately take security measures such as changing passwords, restricting SSH access, and enabling firewall rules.