sshd^[1] secure shell daemon.

Logs: journalctl -u ssh

Dec 01 07:01:05 SERVER sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3 sshd[15647]: PAM service(sshd) ignoring max retries; 5 > 3
See: MaxAuthTries in sshd_config

Dec 11 09:29:36 SERVER sshd[5506]: Received disconnect from 103.217.11.10 port 43200:11: Bye Bye [preauth]

ssh.service: Found left-over process 30050 (sshd) in control group while starting unit. Ignoring.

Unable to negotiate with 55.xxx.455.45 port 30367: no matching cipher found. Their offer: aes256-cbc,[email protected],aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]

Unsuccessful authentication attempts

journalctl -r | grep "Failed password for"

Invalid user USERNAME from 54.xxX.138.126 port 39980

error: maximum authentication attempts exceeded for root from 10.10.10.110 port 40314 ssh2 [preauth]

Jan 08 11:18:03 SERVER sshd[7429]: Failed password for invalid user USERNAME from 212.XXX.98.46 port 63474 ssh2

Jan 11 11:15:34 SERVER sshd[7024]: Failed password for USERNAME from 19x.118.XXX.62 port 41430 ssh2

Successful authentication attempts

journalctl -r | egrep "Accepted publickey for|Accepted password for"

sshd[17161]: Accepted publickey for USERNAME from

Accepted password for USERNAME from 95.14.XXX.214 port 52731 ssh2

See also

• OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | Ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF
• /var/log/auth.log
• systemd-journald: journalctl, /etc/systemd/journald.conf, journalctl logs, journalctl --list-boots, journalctl --disk-usage, journalctl -u kubelet, journalctl -u prometheus, journalctl --help
• PAM, libpam_cracklib, pam_tally2, /etc/pam.d/, /etc/pam.d/sshd, pam_oath, pam_sss, /etc/pam.d/login, pam_unix, pam_krb5
• Port knocking, fail2ban^[2] fwknop, DenyHosts
• Linux logging, Cisco IOS logging