
Cybersecurity Triage

Summarize SSH Auth Outcomes

You need a quick count of successful and failed SSH authentication methods from an auth log.

Command

awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr

What changed

Nothing on the system changes: the command only reads the auth log and counts matching SSH authentication outcomes.

Danger

safe

When to use it

Use during SSH access triage when you need a fast read on whether noise is password guessing, stale keys, or real accepted access.

When not to use it

Do not treat this as a full incident timeline; review the matching source lines before making account or firewall changes. The accepted branch prints field 7, which assumes the classic three-field syslog timestamp ("Jun 25 10:01:41"); a log with a single ISO-style timestamp shifts the fields and needs the index adjusted.

Undo or recovery

No undo needed because this command is read-only.

Expected output

A count-sorted summary of accepted public-key logins and failed SSH authentication methods.

Demo script

Disposable terminal steps

  1. grep 'sshd' logs/auth.log
  2. awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr

Simulated output

What it looks like

$ grep 'sshd' logs/auth.log
Jun 25 09:58:12 vps sshd[101]: Failed password for invalid user admin from 203.0.113.44 port 50122 ssh2
Jun 25 09:58:18 vps sshd[102]: Failed password for root from 203.0.113.44 port 50124 ssh2
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
Jun 25 10:05:01 vps sshd[130]: Failed password for bob from 198.51.100.55 port 61200 ssh2
Jun 25 10:05:03 vps sshd[130]: Connection closed by authenticating user bob 198.51.100.55 port 61200 [preauth]
$ awk '/sshd/ && /Accepted/ {print "accepted", $7} /sshd/ && /Failed password/ {print "failed", "password"} /sshd/ && /Failed publickey/ {print "failed", "publickey"}' logs/auth.log | sort | uniq -c | sort -nr
      3 failed password
      2 accepted publickey
      1 failed publickey
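As an added example (not the lesson's own command), the POSIX shell functions below generalize the pipeline above: the method is taken from the field after Accepted/Failed instead of being hard-coded, so any method (keyboard-interactive, for instance) is counted, and a second helper attributes failures to their source address, locating the address relative to the "from" token because "invalid user" lines shift the fields. The sample log is constructed for this example (the lesson's lines plus one keyboard-interactive failure), and the function names are my own.

```shell
#!/bin/sh
# Added example, not the lesson's own command. Generalizes the lesson's awk
# pipeline: in OpenSSH auth.log lines with the classic syslog prefix, the
# outcome keyword is field 6 and the method word is field 7, for Accepted and
# Failed lines alike (the "invalid user" wording comes after "for", so it
# does not move the method). Sample log lines are constructed for this example.

# Usage: ssh_auth_summary [auth.log ...]   (reads stdin when no file is given)
ssh_auth_summary() {
  awk '
    # sshd lines only; print "<outcome> <method>" for counting.
    /sshd\[[0-9]+\]: (Accepted|Failed) / { print tolower($6), $7 }
  ' "$@" | sort | uniq -c | sort -nr
}

# Usage: ssh_failed_by_source [auth.log ...]
# Counts Failed lines per source address. The address position shifts on
# "invalid user" lines, so it is found as the token following "from".
ssh_failed_by_source() {
  awk '
    /sshd\[[0-9]+\]: Failed / {
      for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break }
    }
  ' "$@" | sort | uniq -c | sort -nr
}

# Constructed sample log in the shape of OpenSSH auth.log entries.
sample_log() {
  cat <<'EOF'
Jun 25 09:58:12 vps sshd[101]: Failed password for invalid user admin from 203.0.113.44 port 50122 ssh2
Jun 25 09:58:18 vps sshd[102]: Failed password for root from 203.0.113.44 port 50124 ssh2
Jun 25 10:01:41 vps sshd[111]: Accepted publickey for alice from 198.51.100.20 port 61422 ssh2: ED25519 SHA256:alicekey
Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy
Jun 25 10:04:22 vps sshd[121]: Accepted publickey for deploy from 198.51.100.21 port 60444 ssh2: ED25519 SHA256:deploykey
Jun 25 10:05:01 vps sshd[130]: Failed password for bob from 198.51.100.55 port 61200 ssh2
Jun 25 10:05:03 vps sshd[130]: Connection closed by authenticating user bob 198.51.100.55 port 61200 [preauth]
Jun 25 10:06:40 vps sshd[134]: Failed keyboard-interactive/pam for bob from 198.51.100.55 port 61300 ssh2
EOF
}

# Outcome/method counts, then failures per source address.
sample_log | ssh_auth_summary
sample_log | ssh_failed_by_source
```

Point the functions at a real file with `ssh_auth_summary /var/log/auth.log`; the second helper is the quick check for whether one address accounts for most of the failures.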

YouTube Short

Count SSH auth outcomes.

Before reading every SSH line, count accepted and failed authentication methods so the access pattern is visible.

LinkedIn hook

SSH logs get easier to read once accepted and failed methods are counted.

Question: Do you summarize SSH authentication outcomes before reading every auth log line?

Experiments

A/B tests to run

Metric: save_rate

A: Count SSH outcomes first.

B: Password noise or accepted access?