Linux security logs play a vital role in detecting and blocking unauthorized access threats, which can lead to data breaches or compromised systems. This article will provide an overview of how to detect and combat unauthorized threats using Linux security logs.
Understanding Linux Security Logs
Linux security logs are records of events that occur on your server. They are an essential tool for both detecting and preventing unauthorized access. To locate and interpret the data within these logs, users should become familiar with Linux logging conventions, common log files, and their locations.
In Ubuntu and other Debian-based distributions, key log files include:
- /var/log/auth.log: Records authentication attempts, including successful and failed logins, sudo usage, and other security-related events.
- /var/log/syslog: General system log file containing messages from various system services and kernel events.
- /var/log/kern.log: Contains kernel-related messages and activities, which can be helpful in identifying hardware issues or kernel exploits.
In Red Hat Enterprise Linux (RHEL) and other RHEL-based distributions, the key log files are:
- /var/log/secure: Similar to /var/log/auth.log in Debian-based systems, it records authentication attempts, sudo usage, and other security-related events.
- /var/log/messages: Equivalent to /var/log/syslog in Debian-based systems, this file contains general system messages and events from various services.
- /var/log/dmesg: Stores kernel-related messages and activities, similar to /var/log/kern.log in Debian-based systems.
In subsequent examples, we’ll assume you’re using a Debian-based system, but the same techniques work on other distributions with appropriate modifications.
Detecting Unauthorized Access
Monitoring your Linux security logs in real time will help you to detect unauthorized access quickly. Tools such as the Logwatch log analyzer and the Snort intrusion detection system can help identify patterns that may suggest unauthorized access, including repeated failed login attempts.
Alternatively, to manually check for failed login attempts, you can filter the relevant log by entering the following command:
grep 'Failed password' /var/log/auth.log
This command searches for the phrase “Failed password” in the /var/log/auth.log file, which records authentication attempts. Analyzing this output can help determine if there are unauthorized access attempts.
You may also want to check for suspicious root access. You can inspect the log files for unauthorized root access with the following command:
grep 'Accepted password' /var/log/auth.log | grep 'root'
Here, we’re using grep to filter /var/log/auth.log for successful password-based root logins (key-based logins are logged as “Accepted publickey” instead). If you see unfamiliar IP addresses or login times, it could indicate unauthorized access.
Blocking Unauthorized Access
Linux distributions include several tools to automatically block undesired access attempts. One popular tool is Fail2Ban, which automatically blocks suspicious IP addresses based on predefined rules.
To install Fail2Ban, run the following command:
sudo apt-get install fail2ban
Once installed, create a configuration file to set up rules by copying the default configuration file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration file to define rules for blocking unauthorized access, such as limiting the number of failed login attempts:
sudo nano /etc/fail2ban/jail.local
Add the following lines to specify the maximum number of failed login attempts before blocking the IP address:
[sshd]
enabled = true
port = 22
action = iptables-multiport
logpath = /var/log/auth.log
# ban after 3 failures observed within findtime seconds
maxretry = 3
findtime = 3600
# keep the ban for 3600 seconds (1 hour)
bantime = 3600
These settings configure Fail2Ban to monitor the SSH service (sshd) on port 22. If three failed login attempts occur within an hour, the IP address will be banned for 3600 seconds (1 hour). You can adjust these settings according to your security needs.
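The two detection greps above and the maxretry/findtime decision of the Fail2Ban sshd jail, worked through in one added shell example that is not part of the original article: it reads auth.log-style lines, reports every source IP that reaches maxretry “Failed password” entries inside a findtime-second window, and lists the source of each successful password login for root. The log lines are constructed samples and the function names are the example’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce the
# maxretry/findtime decision Fail2Ban makes for the sshd jail, and the
# root-login grep, over auth.log-style lines.

# Constructed sample lines in the syslog layout used by /var/log/auth.log.
SAMPLE_LOG=$(cat <<'EOF'
Mar  4 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar  4 10:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  4 10:00:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar  4 10:02:30 host sshd[1210]: Failed password for alice from 203.0.113.9 port 40022 ssh2
Mar  4 10:15:00 host sshd[1220]: Accepted password for root from 203.0.113.9 port 40100 ssh2
Mar  4 11:30:00 host sshd[1230]: Failed password for alice from 203.0.113.9 port 40200 ssh2
Mar  4 11:31:00 host sshd[1231]: Failed password for alice from 203.0.113.9 port 40201 ssh2
EOF
)

# ban_candidates MAXRETRY FINDTIME < logfile
# Prints each source IP that reaches MAXRETRY "Failed password" lines
# within any FINDTIME-second window (the same test Fail2Ban applies).
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i in m) mon[m[i]] = i }
    /sshd\[[0-9]+\]: Failed password/ {
        # "Mon DD HH:MM:SS" -> seconds; 31-day months keep it monotonic,
        # which is all a sliding window needs (the year is not in the line).
        split($3, t, ":")
        sec = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        n[ip]++; ts[ip, n[ip]] = sec
        cnt = 0
        for (j = n[ip]; j >= 1 && sec - ts[ip, j] <= findtime; j--) cnt++
        if (cnt >= maxretry && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# root_logins < logfile
# Prints the source IP of each successful password login for root.
# Key-based logins are logged as "Accepted publickey" and are not matched.
root_logins() {
    grep 'Accepted password for root' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }'
}

printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600   # 198.51.100.7
printf '%s\n' "$SAMPLE_LOG" | root_logins            # 203.0.113.9
```

Run it against the real file with `ban_candidates 3 3600 < /var/log/auth.log` to see which sources the jail above would ban; 203.0.113.9 in the sample is never flagged because its three failures are spread over more than one window.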
Proper configuration of firewall rules, user permissions, and password policies is also critical to prevent unauthorized access. For instance, using the ufw utility, you can block a specific IP address:
sudo ufw deny from 192.0.2.1
This command blocks incoming traffic from the IP address 192.0.2.1. You can use the same approach to block multiple IP addresses, including whole address ranges written in CIDR notation.
You can also block access to specific ports and allow only approved IPs to connect. For instance, to restrict access to port 22 (SSH) and allow only the IP address 192.168.1.100 to connect, run the following commands:
sudo ufw deny 22
sudo ufw insert 1 allow from 192.168.1.100 to any port 22
With these commands, you first block all incoming traffic on port 22, and then insert an allow rule ahead of it for the IP address 192.168.1.100. The insert 1 is required because ufw evaluates rules in order and stops at the first match: an allow rule simply appended after the deny rule would never be reached, and 192.168.1.100 would be locked out too. You can adjust the IP address and port numbers according to your security requirements.
Applying these techniques to automate the blocking of suspicious IP addresses will strengthen your system’s security and help prevent unauthorized access attempts that may lead to security breaches and data theft.