How To Check Failed Login Attempts In Rhel 7

Operating Systems

In this article, I will guide you through the steps to check failed login attempts in RHEL 7. As an experienced system administrator, I understand the importance of monitoring and analyzing failed login attempts to ensure the security of your system. Let’s dive into the details!

Why is it important to check failed login attempts?

Failed login attempts can be an indication of unauthorized access attempts or brute force attacks on your system. By monitoring and reviewing these failed attempts, you can identify potential security risks and take appropriate actions to protect your system.

Step 1: Checking the secure log file

The first step to check failed login attempts in RHEL 7 is to examine the secure log file. This log file contains detailed information about login attempts, including successful and failed attempts.

To view the secure log file, open a terminal and run the following command:

sudo tail -f /var/log/secure

This command will display the latest entries in the secure log file in real-time. Look for lines that indicate failed login attempts. These lines usually contain phrases like “authentication failure” or “failed password”.

Step 2: Analyzing the failed login attempts

Once you have identified the failed login attempts in the secure log file, it’s time to analyze them. Pay attention to the following details:

  • Timestamp: Note the date and time of each failed attempt.
  • Username: Identify the username used in the failed login attempt.
  • Source IP: Determine the IP address from where the login attempt originated.

By analyzing these details, you can identify patterns, such as repeated failed attempts from the same IP address or multiple failed attempts for a specific user.

Step 3: Taking necessary actions

Based on your analysis of the failed login attempts, you can take the following actions to enhance the security of your system:

  • Block IP addresses: If you notice repeated failed attempts from a particular IP address, you can block that IP address to prevent further unauthorized access attempts.
  • Password reset: If a specific user’s account is repeatedly targeted, it might be wise to prompt them for a password reset or enforce stronger password policies.
  • Implement multi-factor authentication: To add an extra layer of security, consider implementing multi-factor authentication for user logins.


Checking failed login attempts in RHEL 7 is an essential step in ensuring the security of your system. By monitoring and analyzing these attempts, you can identify potential security risks and take prompt actions to protect your system. Remember to regularly review the secure log file and implement necessary security measures to safeguard your system from unauthorized access.