How to See the Password Guesses
Let's say that you see a long series of guesses for your
The password guesses aren't logged, but you want to see
what guesses they are trying.
First, find the PID of the listening SSH daemon process:
$ ps axuww | egrep 'PID|sshd'
You will have to find the one that is listening for new connections, and not the server processes handling current connections.
Here is a better way to find the relevant PID:
$ su
Password:
# lsof -i tcp:ssh | egrep 'PID|LISTEN'
Attach to the running daemon with strace, changing the PID as appropriate:
$ su -
# strace -f -e 'read,write' -p 12345
There will be a lot of output, but you will see the password guesses.
When you press
process detaches and the SSH daemon keeps running.
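The following is an added example, not part of the original page: a shell function that reads the lsof output from the step above and prints the one listening PID, refusing to guess when there is no listener or more than one. The names listener_pid and sample_lsof, and the sample lsof lines, are constructed for illustration.

```shell
#!/bin/sh
# listener_pid: read `lsof -i tcp:ssh` output on stdin and print the PID of
# the daemon in LISTEN state. The listener usually appears twice (IPv4 and
# IPv6 sockets), so PIDs are de-duplicated. Per-connection sshd processes
# show up as ESTABLISHED and are ignored.
# Returns 0 with one PID, 1 if no listener, 2 if several distinct listeners.
listener_pid() {
    # Column 2 is the PID; the last column is the TCP state in parentheses.
    pids=$(awk '$NF == "(LISTEN)" && !seen[$2]++ { print $2 }')
    count=$(printf '%s\n' "$pids" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        1) printf '%s\n' "$pids" ;;
        0) echo "no listening sshd found" >&2; return 1 ;;
        *) echo "ambiguous: listeners with PIDs $(echo $pids)" >&2; return 2 ;;
    esac
}

# Constructed sample of lsof output (documentation address ranges).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  18234      0t0  TCP *:ssh (LISTEN)
sshd      812 root    4u  IPv6  18236      0t0  TCP *:ssh (LISTEN)
sshd    20417 root    4u  IPv4 991245      0t0  TCP 192.0.2.10:ssh->198.51.100.7:51514 (ESTABLISHED)
sshd    20419 sshd    4u  IPv4 991245      0t0  TCP 192.0.2.10:ssh->198.51.100.7:51514 (ESTABLISHED)
EOF
}

# Demonstration on the constructed sample.
echo "listener PID in sample: $(sample_lsof | listener_pid)"

# Real use, as root, on your own server:
#   strace -f -e 'read,write' -p "$(lsof -i tcp:ssh | listener_pid)"
```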
Here is a detailed analysis of SSH attack patterns, including the login and password sequences observed in real attacks.