What can be learned about a user from a failed SSH attempt?

Solution 1:

Well, an item that you haven't mentioned is the fingerprints of the private keys they tried before entering a password. With openssh, if you set LogLevel VERBOSE in /etc/sshd_config, you get them in the log files. You can check them against the collection of public keys your users have authorized in their profiles, to see if they have been compromised. In the case that an attacker has got hold of a user's private key and is looking for the login name, knowing that the key is compromised could prevent the intrusion. Admittedly, it's rare: whoever owns a private key has probably found out the login name too...

Solution 2:

Going a little bit further, with LogLevel DEBUG you can also find out the client software/version, in the format

Client protocol version %d.%d; client software version %.100s

It will also print the key exchange, ciphers, MACs and compression methods available during the key exchange.
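Putting Solutions 1 and 2 together: the check below is an added example, not code from either answer. It computes OpenSSH-style SHA256 fingerprints from authorized_keys entries, then scans sshd log lines for failed public-key offers whose fingerprint matches a key some account actually trusts, and attaches the client software version logged for the same sshd process. The key, the authorized_keys contents and the log lines are all constructed; the "Client protocol version ..." message is the one quoted above, while the "Failed publickey for ... ssh2: TYPE SHA256:..." shape is an assumption about how sshd reports the offered key at LogLevel VERBOSE.

```python
import base64
import hashlib
import re
import struct

# Constructed sample key: a 32-byte Ed25519 public key serialised in the
# OpenSSH wire format (length-prefixed type string, then length-prefixed key).
SAMPLE_KEY_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
                   + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BLOB).decode()

# Constructed authorized_keys contents, one list of lines per account.
AUTHORIZED = {
    "alice": ['from="192.0.2.0/24" ssh-ed25519 ' + SAMPLE_KEY_B64 + " alice@laptop"],
    "bob": ["# no keys yet"],
}

# Message shapes assumed for sshd at LogLevel VERBOSE / DEBUG. CLIENT_RE is the
# format quoted in the answer; FAILED_RE is an assumption about the line that
# carries the fingerprint of the offered key.
PID_RE = re.compile(r"sshd\[(\d+)\]")
FAILED_RE = re.compile(
    r"Failed publickey for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2: (\S+) (SHA256:\S+)")
CLIENT_RE = re.compile(r"Client protocol version (\d+\.\d+); client software version (\S+)")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_fingerprints(authorized):
    """Map the fingerprint of every authorized public key to the account that trusts it."""
    known = {}
    for user, lines in authorized.items():
        for line in lines:
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # Skip an options prefix (e.g. from="...") to reach the key type token.
            type_idx = next((i for i, p in enumerate(parts)
                             if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if type_idx is None or type_idx + 1 >= len(parts):
                continue
            known[fingerprint(parts[type_idx + 1])] = user
    return known


def audit(log_lines, authorized):
    """Report failed public-key attempts whose key is one an account actually trusts."""
    known = known_fingerprints(authorized)
    client_by_pid = {}
    findings = []
    for line in log_lines:
        pid_m = PID_RE.search(line)
        pid = pid_m.group(1) if pid_m else None
        client_m = CLIENT_RE.search(line)
        if client_m:
            client_by_pid[pid] = client_m.group(2)
            continue
        failed_m = FAILED_RE.search(line)
        if not failed_m:
            continue
        user, ip, _keytype, fp = failed_m.groups()
        owner = known.get(fp)
        if owner is not None:
            findings.append({
                "attempted_user": user, "key_owner": owner, "ip": ip,
                "fingerprint": fp, "client": client_by_pid.get(pid),
            })
    return findings


# Constructed log lines: the first connection offers alice's key while guessing
# the login name "root"; the second offers an unknown key, then falls back to a password.
SAMPLE_LOG = [
    "sshd[2101]: debug1: Client protocol version 2.0; client software version OpenSSH_8.9p1",
    "sshd[2101]: Failed publickey for root from 203.0.113.7 port 51022 ssh2: ED25519 "
    + fingerprint(SAMPLE_KEY_B64),
    "sshd[2102]: Failed publickey for alice from 198.51.100.9 port 40210 ssh2: "
    "RSA SHA256:CONSTRUCTEDunknownKeyFingerprintPlaceholder",
    "sshd[2102]: Failed password for alice from 198.51.100.9 port 40210 ssh2",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, AUTHORIZED):
        print(f"{f['ip']} offered {f['key_owner']}'s key {f['fingerprint']} "
              f"while trying to log in as {f['attempted_user']} (client {f['client']})")
```

A hit from `audit` is exactly the situation Solution 1 describes: a key one of your users trusts is being offered from a connection that does not know which login it belongs to, so that key should be treated as compromised and removed from the user's authorized_keys.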


Solution 3:

If the login attempts are very frequent or happen at all hours of the day, then you could suspect that the login is performed by a bot.

You might be able to deduce the user's habits from the time of day that they log in or other activity on the server, i.e. the logins are always N seconds after an Apache hit from the same IP address, or a POP3 request, or a git pull.
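The two heuristics in this answer, as an added example that is not part of the original post: per-source timing features (attempt count, hours of day covered, how regular the gaps are) to separate bots from people, and a lag check that tests whether each SSH attempt from an address follows a web-server hit from the same address by a fixed number of seconds. All timestamps, addresses and thresholds below are constructed for illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data: failed SSH attempts as (timestamp, source address).
# 203.0.113.7 knocks every 20 minutes around the clock; 198.51.100.9 shows up
# three times during the working day at irregular intervals.
FAILED_ATTEMPTS = [
    (datetime(2024, 1, 15, h, m), "203.0.113.7")
    for h in range(24) for m in (0, 20, 40)
] + [
    (datetime(2024, 1, 15, 9, 14, 5), "198.51.100.9"),
    (datetime(2024, 1, 15, 13, 2, 31), "198.51.100.9"),
    (datetime(2024, 1, 15, 17, 45, 12), "198.51.100.9"),
]

# Constructed Apache access-log hits from the same addresses; each one lands
# five seconds before an SSH attempt from 198.51.100.9.
APACHE_HITS = [
    (datetime(2024, 1, 15, 9, 14, 0), "198.51.100.9"),
    (datetime(2024, 1, 15, 13, 2, 26), "198.51.100.9"),
    (datetime(2024, 1, 15, 17, 45, 7), "198.51.100.9"),
]


def profile(attempts, ip):
    """Summarise one source: attempt count, distinct hours of day, regularity of gaps."""
    times = sorted(t for t, src in attempts if src == ip)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Coefficient of variation of the inter-attempt gap: 0 means perfectly periodic.
    gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
    return {
        "count": len(times),
        "hours_active": len({t.hour for t in times}),
        "gap_count": len(gaps),
        "gap_cv": gap_cv,
    }


def looks_like_bot(p, min_count=50, min_hours=18, min_gaps=10, max_cv=0.1):
    """Heuristic from the answer: very frequent, round-the-clock, or metronomic attempts."""
    periodic = p["gap_count"] >= min_gaps and p["gap_cv"] is not None and p["gap_cv"] <= max_cv
    return p["count"] >= min_count or p["hours_active"] >= min_hours or periodic


def correlate(attempts, hits, ip, max_lag=30):
    """Seconds from the nearest preceding hit (within max_lag) to each SSH attempt from ip."""
    hit_times = sorted(t for t, src in hits if src == ip)
    lags = []
    for t, src in attempts:
        if src != ip:
            continue
        prior = [h for h in hit_times if 0 <= (t - h).total_seconds() <= max_lag]
        if prior:
            lags.append((t - max(prior)).total_seconds())
    return lags


def describe(ip, attempts=FAILED_ATTEMPTS, hits=APACHE_HITS):
    """Combine both signals into a one-line verdict for a source address."""
    p = profile(attempts, ip)
    lags = correlate(attempts, hits, ip)
    if looks_like_bot(p):
        return f"{ip}: {p['count']} attempts over {p['hours_active']} hours, likely automated"
    if lags and len(lags) == p["count"] and max(lags) - min(lags) <= 2:
        return f"{ip}: each SSH attempt follows a web hit by about {round(mean(lags))} s, likely a person"
    return f"{ip}: {p['count']} attempts, no clear pattern"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(describe(ip))
```

The periodicity test deliberately requires a minimum number of gaps before it says anything: two or three attempts can look "regular" by chance, which is why the second address is judged on its web-hit correlation rather than on its gap statistics.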