On a CentOS Stream 9 server you receive several fail2ban alerts about repeated invalid SSH logins. The host still forwards journald output to rsyslog, which stores traditional text logs in /var/log. To manually verify the offending IP addresses before the log files are rotated, which default log file inside /var/log should you inspect?
On Red Hat-based distributions (CentOS, RHEL, Fedora), rsyslog routes messages that use the authpriv facility-including all sshd authentication successes and failures-to /var/log/secure. Each failed SSH attempt is recorded there with a "Failed password" line that includes the source IP, user name, and timestamp.
Debian-based systems record the same information in /var/log/auth.log, /var/log/messages intentionally excludes authpriv entries, and /var/log/cron is dedicated to cron-related events. Therefore, reviewing /var/log/secure is the correct way to confirm the failed SSH logins on a CentOS Stream 9 host.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is fail2ban and how does it help with SSH security?
Open an interactive chat with Bash
What is the purpose of the *authpriv* facility in rsyslog?
Open an interactive chat with Bash
How does journald differ from rsyslog in logging system events?
Open an interactive chat with Bash
CompTIA Linux+ XK0-006 (V8)
Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access