Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post: 303039259

Sponsored Content

Special Forums Cybersecurity Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post 303039259 by stomp on Friday 27th of September 2019 10:45:52 AM

09-27-2019

Registered User

@Neo: Thanks for rephrasing and clarifying your request!

Here's a script which calculates the FLAPM value:

Code:

#!/bin/bash

exit_with_message() { echo "$*" ; exit 1 ;}

type lastb >/dev/null 2>&1  || exit_with_message "error: no lastb"
type awk   >/dev/null 2>&1  || exit_with_message "error: no awk"

evaluate() {
   awk '

        function epoch(date,d) { "date -d \""date"\" +%s" | getline d; return d; }

        $10 != ""       { mydate=$4" "$5" "$6" "$7;count++; }
        NR==1           { last=epoch(mydate); }

        END { printf "%9.4f FLAPM\n",count/((last-epoch(mydate))/60)}
        '
}

lastb | evaluate

Here are some results for servers I manage, which provide services within the internet, partly with fail2ban and changed ssh ports in place:

Code:

  0.07 FLAPM
  0.07 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.12 FLAPM
  0.20 FLAPM
  0.88 FLAPM
  1.12 FLAPM
  1.27 FLAPM
  1.36 FLAPM
  1.61 FLAPM
  1.74 FLAPM
  1.79 FLAPM
  1.92 FLAPM
  1.94 FLAPM
  2.88 FLAPM
  2.95 FLAPM
  3.20 FLAPM
  3.22 FLAPM
  3.35 FLAPM
  3.51 FLAPM
  3.53 FLAPM
  3.62 FLAPM
  3.63 FLAPM
  4.12 FLAPM
  4.75 FLAPM
  4.78 FLAPM
  4.82 FLAPM
  4.92 FLAPM
  4.96 FLAPM
  4.99 FLAPM
  5.07 FLAPM
  5.29 FLAPM
  5.29 FLAPM
  5.35 FLAPM
  5.44 FLAPM
  5.46 FLAPM
  5.54 FLAPM
  5.56 FLAPM
  5.62 FLAPM
  5.79 FLAPM
  5.80 FLAPM
  5.82 FLAPM
  5.85 FLAPM
  5.86 FLAPM
  5.86 FLAPM
  5.91 FLAPM
  6.01 FLAPM
  6.04 FLAPM
  6.25 FLAPM
  6.34 FLAPM
  6.92 FLAPM
  7.54 FLAPM
  8.72 FLAPM
  9.20 FLAPM
 11.01 FLAPM
 11.93 FLAPM
 12.57 FLAPM
 12.90 FLAPM
 13.08 FLAPM
 13.09 FLAPM
 13.35 FLAPM
 13.52 FLAPM
 14.09 FLAPM
 14.58 FLAPM
 14.76 FLAPM
 14.78 FLAPM
 14.80 FLAPM
 15.18 FLAPM
 16.97 FLAPM
 17.18 FLAPM
 17.22 FLAPM
 20.70 FLAPM
 23.57 FLAPM
 40.46 FLAPM

Last edited by stomp; 09-27-2019 at 11:51 AM..

These 2 Users Gave Thanks to stomp For This Post:

stomp

View Public Profile for stomp

Find all posts by stomp

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Maximum 3 login attempts

Hi, I notice in my Sun Solaris 8 sparc workstation, if I failed my login in the 5th time, I will be closed the connection from the host. I want to make 3 times. That is, if user fails to login with 3 attempts, he will be closed the connection. How to do it? Of course I am the admin of the...

2. Solaris

invalid login attempts...

I am wondering if solaris captures id's associated w/invalid login attempts? when I try to login as "test1" several (3-5) times, I do not find any userID info under "/var/adm" files: utmpx wtmpx messages lastlog Is there another location/log I should be checking? Is it necessary for...

3. AIX

Denying IPaddress for Multiple Failed Login Attempts

Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if...

4. AIX

ftp check for failed attempts

Hi, I have created the below ftp script to put files over to our capacity server, the check at the end works if ftp fails to run however if the script cannot login or the transfer itself failed there is no warnings. Does anyone know the syntax to trap the erorr codes or to put a check within...

5. Solaris

Number of login attempts on solaris 10

Hi, I want to sent number of login attempts ,so that after that much attempts user account should be locked on solaris 10

6. AIX

Invalid login attempts

How can I see the number of invalid login attempts of a user? Thanks,

7. Shell Programming and Scripting

Shell script in tracking both the passed and failed login in a unix server

Can you help me in providing the following output or a quite similar to this from a shell script ? *** Logins Summary Information ***** ---------------------------------- Failed Login Attempts for Invalid Accounts Date Time IP-ADD Account ...

8. UNIX for Dummies Questions & Answers

TCP failed connection attempts from netstat -s

Dear experts, I am seeing a lot of TCP failed connection attempts from "netstat -s" on one of our servers. How can I pin point what connection failed and what are the ports involved? Any tools/commands I can dig in deeper to diag. what went wrong on these "failed connection attempts"? ...

9. Solaris

Solaris logs - Tracking failed attempts from my host

Hey all I'm having a big problem here. Someone is attempting an SSH to a destination host on which an account resides and locking the account. I'm trying to determine who is performing the SSH attempts from my host. For instance they're logged in as their standard account but then (I'm assuming)...

LEARN ABOUT SUSE

convdate

CONVDATE(1)						    InterNetNews Documentation						       CONVDATE(1)

NAME

       convdate - Convert to/from RFC 5322 dates and seconds since epoch

SYNOPSIS

       convdate [-dhl] [-c | -n | -s] [date ...]

DESCRIPTION

       convdate translates the date/time strings given on the command line, outputting the results one to a line.  The input can either be a date
       in RFC 5322 format (accepting the variations on that format that innd(8) is willing to accept), or the number of seconds since epoch (if -c
       is given).  The output is either ctime(3) results, the number of seconds since epoch, or a Usenet Date: header, depending on the options
       given.

       If date is not given, convdate outputs the current date.

OPTIONS

       -c  Each argument is taken to be the number of seconds since epoch (a time_t) rather than a date.

       -d  Output a valid Usenet Date: header instead of the results of ctime(3) for each date given on the command line.  This is useful for
	   testing the algorithm used to generate Date: headers for local posts.  Normally, the date will be in UTC, but see the -l option.

       -h  Print usage information and exit.

       -l  Only makes sense in combination with -d.  If given, Date: headers generated will use the local time zone instead of UTC.

       -n  Rather than outputting the results of ctime(3) or a Date: header, output each date given as the number of seconds since epoch (a
	   time_t).  This option doesn't make sense in combination with -d.

       -s  Pass each given date to the RFC 5322 date parser and print the results of ctime(3) (or a Date: header if -d is given).  This is the
	   default behavior.

EXAMPLES

       Most of these examples are taken, with modifications from the original man page dating from 1991 and were run in the EST/EDT time zone.

	   % convdate '10 Feb 1991 10:00:00 -0500'
	   Sun Feb 10 10:00:00 1991

	   % convdate '13 Dec 91 12:00 EST' '04 May 1990 0:0:0'
	   Fri Dec 13 12:00:00 1991
	   Fri May  4 00:00:00 1990

	   % convdate -n '10 feb 1991 10:00' '4 May 90 12:00'
	   666198000
	   641880000

	   % convdate -c 666198000
	   Sun Feb 10 10:00:00 1991

       ctime(3) results are in the local time zone.  Compare to:

	   % convdate -dc 666198000
	   Sun, 10 Feb 1991 15:00:00 +0000 (UTC)

	   % env TZ=PST8PDT convdate -dlc 666198000
	   Sun, 10 Feb 1991 07:00:00 -0800 (PST)

	   % env TZ=EST5EDT convdate -dlc 666198000
	   Sun, 10 Feb 1991 10:00:00 -0500 (EST)

       The system library functions generally use the environment variable TZ to determine (or at least override) the local time zone.

HISTORY

       Written by Rich $alz <rsalz@uunet.uu.net>, rewritten and updated by Russ Allbery <rra@stanford.edu> for the -d and -l flags.

       $Id: convdate.pod 8894 2010-01-17 13:04:04Z iulius $

SEE ALSO

       active.times(5).

INN 2.5.2							    2010-02-08							       CONVDATE(1)