How to Set Up and Use SSH
Monitoring Attacks As They Happen
How to See the Password Guesses
Let's say that you see a long series of guesses for your
root password.
The guessed passwords themselves aren't logged, but you want
to see which passwords the attacker is trying.
First, find the PID of the listening SSH daemon process:
$ ps axuww | grep -E 'PID|ssh'
Now become root and
attach to the running daemon with strace,
changing the PID as appropriate:
$ su -
# strace -f -e 'read,write' -p12345
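There will be a lot of output, because -f makes strace
follow the child processes that the daemon forks for each
connection, but the password guesses will appear in the
traced read and write calls.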
When you press ^C, the strace process
detaches and the SSH daemon keeps running.
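Before attaching strace, it helps to confirm from the daemon's own log which sources are producing the series of root guesses. The following is an added example, not part of the original page: the function names are hypothetical, the log lines are constructed samples, and it assumes the traditional syslog layout (month, day, time, host, then the sshd message).

```shell
#!/bin/sh
# Added example: count failed root password logins per source address.

# count_root_guesses: reads sshd log lines on stdin and prints
# "count address" for each source, busiest first.
count_root_guesses() {
    awk '
        # Match by field position rather than by searching the whole line:
        # the user name in a log line is chosen by the client, so a name
        # such as "root from 192.0.2.99" must not be counted as a root
        # failure from that address.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
        $8 == "for" && $9 == "root" && $10 == "from" {
            seen[$11]++
        }
        END { for (addr in seen) print seen[addr], addr }
    ' | sort -k1,1nr -k2,2
}

# sample_log: constructed log lines (documentation address ranges).
# The fifth line carries a client-supplied user name that imitates a
# root failure from another address; it is skipped.
sample_log() {
    cat <<'EOF'
Mar  3 04:12:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:12:03 host sshd[2211]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 04:12:05 host sshd[2214]: Failed password for root from 203.0.113.7 port 40120 ssh2
Mar  3 04:12:09 host sshd[2219]: Failed password for root from 198.51.100.23 port 51514 ssh2
Mar  3 04:12:11 host sshd[2220]: Failed password for invalid user root from 192.0.2.99 from 198.51.100.23 port 51520 ssh2
Mar  3 04:13:40 host sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF
}

# Stand-alone run over the constructed sample.
sample_log | count_root_guesses
```

On a live system, feed the function the file your syslog configuration writes sshd messages to instead of sample_log.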
Click here to see a detailed analysis of SSH
attack patterns, including the login and password
sequences observed in real attacks.