This content originally appeared on DEV Community and was authored by Faruk
The Linux Log Hackers Hope You Never Check
When attackers brute-force SSH or slip in with stolen credentials, they usually leave their first footprints in one place: /var/log/auth.log (or /var/log/secure on RHEL).
Most admins overlook it. Hackers count on that. I don’t — and it’s saved me more than once.
Why This Log Is So Critical
- Shows every SSH login attempt (success or failure)
- Records sudo privilege escalations
- Logs session activity for cron, systemd, and more
- Reveals unusual IPs, odd login times, and brute-force patterns
If you ignore it, you’re flying blind.
Real Breach Clues I’ve Caught
- Brute Force Bots: hundreds of "Failed password for root from 45.xxx…" attempts in minutes. → Blocked with fail2ban.
- Suspicious User Access: a developer logging in at 3 AM from overseas. → Traced to a compromised laptop.
- Misconfigurations: PAM errors from a broken cron job spamming auth.log. → Fixed before it spiraled into outages.
How I Monitor It
Live View
tail -f /var/log/auth.log
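A live tail shows you the lines as they arrive, but the three breach clues above (a flood of failed passwords from one source, a successful login at an odd hour, and sudo escalation to root) are easier to spot with a few awk passes over the same log. The script below is an added example, not code from the original post: it runs the three checks over a constructed auth.log-style sample embedded in SAMPLE_LOG. The host name, the IPs (taken from the RFC 5737 documentation ranges), the timestamps, the 5-attempt threshold and the 07:00–19:59 "normal hours" window are all assumptions; on a real box you would replace the printf with cat /var/log/auth.log and tune both numbers to your environment.

```shell
# Added example, not the post's own code. All sample lines, IPs, hosts and
# thresholds below are constructed for illustration.

# Constructed sample in the syslog format that sshd and sudo write to
# /var/log/auth.log (or /var/log/secure on RHEL).
SAMPLE_LOG='Mar  3 02:58:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:58:02 web1 sshd[4103]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 02:58:03 web1 sshd[4105]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:58:04 web1 sshd[4107]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 02:58:05 web1 sshd[4109]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 02:58:06 web1 sshd[4111]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar  3 03:12:44 web1 sshd[4200]: Accepted publickey for deploy from 198.51.100.23 port 40110 ssh2
Mar  3 03:12:50 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 09:15:02 web1 sshd[4300]: Failed password for alice from 192.0.2.44 port 33002 ssh2
Mar  3 09:15:10 web1 sshd[4302]: Accepted password for alice from 192.0.2.44 port 33003 ssh2'

# Brute-force pattern: print "<count> <ip>" for every source IP whose
# failed-password count reaches the threshold (default 5, an assumed value).
# This is the signal fail2ban acts on; here it only reports.
brute_force_sources() {
    threshold="${1:-5}"
    printf '%s\n' "$SAMPLE_LOG" \
      | awk -v t="$threshold" '
          /Failed password for .* from / {
              for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
          }
          END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }'
}

# Odd login times: print "<hour> <user> <ip>" for each *successful* SSH login
# outside an assumed 07:00-19:59 working window. Field 3 is the syslog time.
off_hours_logins() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '
          /sshd\[[0-9]+\]: Accepted / {
              split($3, hms, ":")
              hour = hms[1] + 0
              if (hour < 7 || hour >= 20) {
                  for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
                  for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
                  print hour, user, ip
              }
          }'
}

# Privilege escalation: print "<user> <command>" for every sudo entry that
# ran a command as root. Field 6 is the invoking user in sudo's log format.
sudo_to_root() {
    printf '%s\n' "$SAMPLE_LOG" \
      | awk '
          / sudo: / && /USER=root/ {
              user = $6
              sub(/.*COMMAND=/, "")
              print user, $0
          }'
}

# Run all three checks when executed directly.
brute_force_sources 5
off_hours_logins
sudo_to_root
```

The three functions are deliberately independent so each can be piped into a cron job or a fail2ban-style action on its own; the off-hours check looks only at Accepted lines because a failed attempt at 3 AM is already covered by the brute-force count, while a successful one is the "compromised laptop" case the post describes.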