Finding latest successful logins and failed attempts to a CentOS server

In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length).

The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.

The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1 by specifying the file with the -f parameter... last -f /var/log/wtmp.1

The question is here offtopic, but a very short answer: maybe you should just check /var/log/secure (e.g. grep for "failed").

This is a old thread but I got similar task like this,so in my case this is a log entry

Nov 15 17:14:47 megatron sshd[4768]: Failed password for git from 192.168.122.1 port 49227 ssh2

So we can do it like this,if we are sure user is static

#!/bin/bash
LOG=/var/log/secure
MESSAGE="Failed password for git"
grep -i "$MESSAGE" "$LOG

In case if we know on the per user basis

#!/bin/bash
LOG=/var/log/secure
if [ -n "$1" ]
then
NEWUSER="$1"
else
NEWUSER="root"
fi
MESSAGE="Failed password for $NEWUSER"
grep -i "$MESSAGE" "$LOG"

So script should execute like

[root@megatron bash1]# ./failedlogin.sh git

OR more easier approach

#!/bin/bash
LOG=/var/log/secure
MESSAGE="Failed password for"
grep -i "$MESSAGE" "$LOG"