Cybersecurity Triage

Show Failed SSH Public-Key Users

You need to extract users and source IPs from failed SSH public-key attempts.

Command

awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

What changed

Nothing changes on the host. The command only reads auth.log, keeps the lines containing "Failed publickey", and counts them grouped by username (field 9) and source IP (field 11), most frequent first.

Danger

safe

When to use it

Use when a key-based SSH login fails and you need to separate stale-key failures from password guessing.

When not to use it

Do not rotate or remove keys based on this count alone; inspect key fingerprints and account ownership first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Counted failed public-key attempts grouped by username and source IP.

demo script

Disposable terminal steps

  1. grep 'Failed publickey' logs/auth.log
  2. awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr

simulated output

What it looks like

$ grep 'Failed publickey' logs/auth.log
Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy
$ awk '/Failed publickey/ {print $9, $11}' logs/auth.log | sort | uniq -c | sort -nr
      1 deploy 198.51.100.40
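The same extraction in Python, as an added example that is not part of the lesson's own material. It goes one step beyond the awk pipeline: it also handles the "invalid user" form of the sshd message (where the fixed field positions $9 and $11 shift) and records the key fingerprint each account tried, which is the check the "When not to use it" note asks for. The log lines are constructed samples, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from a real host). The second line
# shows the "invalid user" variant, where picking fixed awk fields $9/$11
# would yield "user" and "admin" instead of the account and the source IP.
SAMPLE_AUTH_LOG = """\
Jun 25 10:03:09 vps sshd[118]: Failed publickey for deploy from 198.51.100.40 port 60210 ssh2: RSA SHA256:olddeploy
Jun 25 10:03:15 vps sshd[121]: Failed publickey for invalid user admin from 203.0.113.7 port 41022 ssh2: ED25519 SHA256:unknownkey
Jun 25 10:03:20 vps sshd[124]: Failed publickey for deploy from 198.51.100.40 port 60214 ssh2: RSA SHA256:olddeploy
Jun 25 10:03:25 vps sshd[127]: Failed password for deploy from 203.0.113.7 port 41030 ssh2
"""

# Matches both "Failed publickey for USER from IP" and the "invalid user" form,
# capturing key type and fingerprint when sshd appends them.
FAILED_PUBKEY_RE = re.compile(
    r"Failed publickey for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?::\s+(?P<keytype>\S+)\s+(?P<fingerprint>SHA256:\S+))?"
)

def parse_failed_publickey(text):
    """Yield one dict per failed public-key attempt found in auth.log text."""
    for line in text.splitlines():
        m = FAILED_PUBKEY_RE.search(line)
        if m is None:
            continue  # password failures and other noise are skipped
        yield {
            "user": m.group("user"),
            "ip": m.group("ip"),
            "invalid_user": m.group("invalid") is not None,
            "keytype": m.group("keytype"),
            "fingerprint": m.group("fingerprint"),
        }

def count_by_user_and_ip(text):
    """Equivalent of the awk | sort | uniq -c pipeline, keyed on (user, ip)."""
    return Counter((e["user"], e["ip"]) for e in parse_failed_publickey(text))

def fingerprints_by_user(text):
    """Key fingerprints each account tried: one stale key vs. many unknown keys."""
    seen = {}
    for e in parse_failed_publickey(text):
        if e["fingerprint"]:
            seen.setdefault(e["user"], set()).add(e["fingerprint"])
    return seen

if __name__ == "__main__":
    for (user, ip), n in count_by_user_and_ip(SAMPLE_AUTH_LOG).most_common():
        print(f"{n:7d} {user} {ip}")
    print(fingerprints_by_user(SAMPLE_AUTH_LOG))
```

Point it at a real file with `count_by_user_and_ip(open("logs/auth.log").read())`; a single fingerprint repeating for one account usually means a stale key, while many distinct fingerprints against unknown accounts looks like scanning rather than a misconfigured client.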

YouTube Short

Find failed SSH keys.

Filter failed public-key events to see which account and source are trying a key that does not work.

LinkedIn hook

A failed public-key attempt often points to stale keys or the wrong account.

Question: Do you separate failed public-key SSH attempts from password guessing?

experiments

A/B tests to run

Metric: completion_rate

A: Stale key attempt.

B: Public-key failure, not password noise.