How to Set Up and Use SSH
Monitoring Attacks As They Happen

How to See the Password Guesses

Let's say that you see a long series of guesses for your root password. The password guesses aren't logged, but you want to see what guesses they are trying.

First, find the PID of the listening SSH daemon process:

$ ps axuww | egrep 'PID|sshd'

You will have to find the one that is listening for new connections, and not the server processes handling current connections.

Here is a better way to find the relevant PID:

$ su
Password:
# lsof -i tcp:ssh | egrep 'PID|LISTEN'

Now become root and attach to the running daemon with strace, changing the PID as appropriate:

$ su -
# strace -f -e 'read,write' -p 12345

There will be a lot of output, but you will see the password guesses.

When you press ^C, the strace process detaches and the SSH daemon keeps running.

Here is a detailed analysis of SSH attack patterns, including the login and password sequences observed in real attacks.