We have a self hosted JIRA install. On the admin page I noticed failed login attempts for a user who's left the company and had his account disabled:
Last Failed Login: Today 6:05 PM
Current Failed Login Count: 8
Total Failed Login Count: 11
How I can I see what IP these attempts came from?
I read this question: https://answers.atlassian.com/questions/203776
And it said:
You can view the information from the user sessions under the Security on the JIRA Administration page.
From there you are able to tell who is trying to establish the session and which session is still active. Failed session will have no session ID and no user, but it will track which ip is the request from.
When I went there I saw a session that had a session ID, and under user it said 'Not available' But there were no entries with no session ID.
Hey Larry,
Go to JIRA_HOME/log/atlassian-jira-security.log and search for the text
The user '<insert username here>' has FAILED authentication
That should give you the IP address
A small perl script that extracts failing usernames and IPs from atlassian-jira-security.log:
cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F[6] if (/The user '([^']+)' has FAILED authentication/)"
jsmith 10.1.1.104
jsmith 10.1.1.104
testsvc 10.1.1.102
...
To get the top failing username/IPs:
cat $JIRA_HOME/atlassian-jira-security.log | perl -lane "print \$1 . ' ' . \$F[6] if (/The user '([^']+)' has FAILED authentication/)"| sort | uniq -c | sort -nr | head
4546 jsmith 10.1.1.104
4332 seportal 10.1.1.99
148 testsvc 10.1.1.102
...
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.