Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post: 303039259

Sponsored Content

Special Forums Cybersecurity Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post 303039259 by stomp on Friday 27th of September 2019 10:45:52 AM

09-27-2019

Registered User

@Neo: Thanks for rephrasing and clarifying your request!

Here's a script which calculates the FLAPM value:

Code:

#!/bin/bash

exit_with_message() { echo "$*" ; exit 1 ;}

type lastb >/dev/null 2>&1  || exit_with_message "error: no lastb"
type awk   >/dev/null 2>&1  || exit_with_message "error: no awk"

evaluate() {
   awk '

        function epoch(date,d) { "date -d \""date"\" +%s" | getline d; return d; }

        $10 != ""       { mydate=$4" "$5" "$6" "$7;count++; }
        NR==1           { last=epoch(mydate); }

        END { printf "%9.4f FLAPM\n",count/((last-epoch(mydate))/60)}
        '
}

lastb | evaluate

Here are some results for servers I manage, which provide services within the internet, partly with fail2ban and changed ssh ports in place:

Code:

  0.07 FLAPM
  0.07 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.12 FLAPM
  0.20 FLAPM
  0.88 FLAPM
  1.12 FLAPM
  1.27 FLAPM
  1.36 FLAPM
  1.61 FLAPM
  1.74 FLAPM
  1.79 FLAPM
  1.92 FLAPM
  1.94 FLAPM
  2.88 FLAPM
  2.95 FLAPM
  3.20 FLAPM
  3.22 FLAPM
  3.35 FLAPM
  3.51 FLAPM
  3.53 FLAPM
  3.62 FLAPM
  3.63 FLAPM
  4.12 FLAPM
  4.75 FLAPM
  4.78 FLAPM
  4.82 FLAPM
  4.92 FLAPM
  4.96 FLAPM
  4.99 FLAPM
  5.07 FLAPM
  5.29 FLAPM
  5.29 FLAPM
  5.35 FLAPM
  5.44 FLAPM
  5.46 FLAPM
  5.54 FLAPM
  5.56 FLAPM
  5.62 FLAPM
  5.79 FLAPM
  5.80 FLAPM
  5.82 FLAPM
  5.85 FLAPM
  5.86 FLAPM
  5.86 FLAPM
  5.91 FLAPM
  6.01 FLAPM
  6.04 FLAPM
  6.25 FLAPM
  6.34 FLAPM
  6.92 FLAPM
  7.54 FLAPM
  8.72 FLAPM
  9.20 FLAPM
 11.01 FLAPM
 11.93 FLAPM
 12.57 FLAPM
 12.90 FLAPM
 13.08 FLAPM
 13.09 FLAPM
 13.35 FLAPM
 13.52 FLAPM
 14.09 FLAPM
 14.58 FLAPM
 14.76 FLAPM
 14.78 FLAPM
 14.80 FLAPM
 15.18 FLAPM
 16.97 FLAPM
 17.18 FLAPM
 17.22 FLAPM
 20.70 FLAPM
 23.57 FLAPM
 40.46 FLAPM

Last edited by stomp; 09-27-2019 at 11:51 AM..

These 2 Users Gave Thanks to stomp For This Post:

stomp

View Public Profile for stomp

Find all posts by stomp

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Maximum 3 login attempts

Hi, I notice in my Sun Solaris 8 sparc workstation, if I failed my login in the 5th time, I will be closed the connection from the host. I want to make 3 times. That is, if user fails to login with 3 attempts, he will be closed the connection. How to do it? Of course I am the admin of the...

2. Solaris

invalid login attempts...

I am wondering if solaris captures id's associated w/invalid login attempts? when I try to login as "test1" several (3-5) times, I do not find any userID info under "/var/adm" files: utmpx wtmpx messages lastlog Is there another location/log I should be checking? Is it necessary for...

3. AIX

Denying IPaddress for Multiple Failed Login Attempts

Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if...

4. AIX

ftp check for failed attempts

Hi, I have created the below ftp script to put files over to our capacity server, the check at the end works if ftp fails to run however if the script cannot login or the transfer itself failed there is no warnings. Does anyone know the syntax to trap the erorr codes or to put a check within...

5. Solaris

Number of login attempts on solaris 10

Hi, I want to sent number of login attempts ,so that after that much attempts user account should be locked on solaris 10

6. AIX

Invalid login attempts

How can I see the number of invalid login attempts of a user? Thanks,

7. Shell Programming and Scripting

Shell script in tracking both the passed and failed login in a unix server

Can you help me in providing the following output or a quite similar to this from a shell script ? *** Logins Summary Information ***** ---------------------------------- Failed Login Attempts for Invalid Accounts Date Time IP-ADD Account ...

8. UNIX for Dummies Questions & Answers

TCP failed connection attempts from netstat -s

Dear experts, I am seeing a lot of TCP failed connection attempts from "netstat -s" on one of our servers. How can I pin point what connection failed and what are the ports involved? Any tools/commands I can dig in deeper to diag. what went wrong on these "failed connection attempts"? ...

9. Solaris

Solaris logs - Tracking failed attempts from my host

Hey all I'm having a big problem here. Someone is attempting an SSH to a destination host on which an account resides and locking the account. I'm trying to determine who is performing the SSH attempts from my host. For instance they're logged in as their standard account but then (I'm assuming)...

LEARN ABOUT FREEBSD

login

LOGIN(1)						    BSD General Commands Manual 						  LOGIN(1)

NAME

     login -- log into the computer

SYNOPSIS

     login [-fp] [-h hostname] [user]

DESCRIPTION

     The login utility logs users (and pseudo-users) into the computer system.

     If no user is specified, or if a user is specified and authentication of the user fails, login prompts for a user name.  Authentication of
     users is configurable via pam(8).	Password authentication is the default.

     The following options are available:

     -f      When a user name is specified, this option indicates that proper authentication has already been done and that no password need be
	     requested.  This option may only be used by the super-user or when an already logged in user is logging in as themselves.

     -h      Specify the host from which the connection was received.  It is used by various daemons such as telnetd(8).  This option may only be
	     used by the super-user.

     -p      By default, login discards any previous environment.  The -p option disables this behavior.

     Login access can be controlled via login.access(5) or the login class in login.conf(5), which provides allow and deny records based on time,
     tty and remote host name.

     If the file /etc/fbtab exists, login changes the protection and ownership of certain devices specified in this file.

     Immediately after logging a user in, login displays the system copyright notice, the date and time the user last logged in, the message of
     the day as well as other information.  If the file .hushlogin exists in the user's home directory, all of these messages are suppressed.
     This is to simplify logins for non-human users, such as uucp(1).

     The login utility enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter
     (SHELL), search path (PATH), terminal type (TERM) and user name (both LOGNAME and USER).  Other environment variables may be set due to
     entries in the login class capabilities database, for the login class assigned in the user's system passwd record.  The login class also con-
     trols the maximum and current process resource limits granted to a login, process priorities and many other aspects of a user's login envi-
     ronment.

     Some shells may provide a builtin login command which is similar or identical to this utility.  Consult the builtin(1) manual page.

     The login utility will submit an audit record when login succeeds or fails.  Failure to determine the current auditing state will result in
     an error exit from login.

FILES

     /etc/fbtab 		  changes device protections
     /etc/login.conf		  login class capabilities database
     /etc/motd			  message-of-the-day
     /var/mail/user		  system mailboxes
     .hushlogin 		  makes login quieter
     /etc/pam.d/login		  pam(8) configuration file
     /etc/security/audit_user	  user flags for auditing
     /etc/security/audit_control  global flags for auditing

SEE ALSO

     builtin(1), chpass(1), csh(1), newgrp(1), passwd(1), rlogin(1), getpass(3), fbtab(5), login.access(5), login.conf(5), environ(7)

HISTORY

     A login utility appeared in Version 6 AT&T UNIX.

BSD
								September 13, 2006							       BSD