Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post: 303039259

Sponsored Content

Special Forums Cybersecurity Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post 303039259 by stomp on Friday 27th of September 2019 10:45:52 AM

09-27-2019

Registered User

@Neo: Thanks for rephrasing and clarifying your request!

Here's a script which calculates the FLAPM value:

Code:

#!/bin/bash

exit_with_message() { echo "$*" ; exit 1 ;}

type lastb >/dev/null 2>&1  || exit_with_message "error: no lastb"
type awk   >/dev/null 2>&1  || exit_with_message "error: no awk"

evaluate() {
   awk '

        function epoch(date,d) { "date -d \""date"\" +%s" | getline d; return d; }

        $10 != ""       { mydate=$4" "$5" "$6" "$7;count++; }
        NR==1           { last=epoch(mydate); }

        END { printf "%9.4f FLAPM\n",count/((last-epoch(mydate))/60)}
        '
}

lastb | evaluate

Here are some results for servers I manage, which provide services within the internet, partly with fail2ban and changed ssh ports in place:

Code:

  0.07 FLAPM
  0.07 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.12 FLAPM
  0.20 FLAPM
  0.88 FLAPM
  1.12 FLAPM
  1.27 FLAPM
  1.36 FLAPM
  1.61 FLAPM
  1.74 FLAPM
  1.79 FLAPM
  1.92 FLAPM
  1.94 FLAPM
  2.88 FLAPM
  2.95 FLAPM
  3.20 FLAPM
  3.22 FLAPM
  3.35 FLAPM
  3.51 FLAPM
  3.53 FLAPM
  3.62 FLAPM
  3.63 FLAPM
  4.12 FLAPM
  4.75 FLAPM
  4.78 FLAPM
  4.82 FLAPM
  4.92 FLAPM
  4.96 FLAPM
  4.99 FLAPM
  5.07 FLAPM
  5.29 FLAPM
  5.29 FLAPM
  5.35 FLAPM
  5.44 FLAPM
  5.46 FLAPM
  5.54 FLAPM
  5.56 FLAPM
  5.62 FLAPM
  5.79 FLAPM
  5.80 FLAPM
  5.82 FLAPM
  5.85 FLAPM
  5.86 FLAPM
  5.86 FLAPM
  5.91 FLAPM
  6.01 FLAPM
  6.04 FLAPM
  6.25 FLAPM
  6.34 FLAPM
  6.92 FLAPM
  7.54 FLAPM
  8.72 FLAPM
  9.20 FLAPM
 11.01 FLAPM
 11.93 FLAPM
 12.57 FLAPM
 12.90 FLAPM
 13.08 FLAPM
 13.09 FLAPM
 13.35 FLAPM
 13.52 FLAPM
 14.09 FLAPM
 14.58 FLAPM
 14.76 FLAPM
 14.78 FLAPM
 14.80 FLAPM
 15.18 FLAPM
 16.97 FLAPM
 17.18 FLAPM
 17.22 FLAPM
 20.70 FLAPM
 23.57 FLAPM
 40.46 FLAPM

Last edited by stomp; 09-27-2019 at 11:51 AM..

These 2 Users Gave Thanks to stomp For This Post:

stomp

View Public Profile for stomp

Find all posts by stomp

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Maximum 3 login attempts

Hi, I notice in my Sun Solaris 8 sparc workstation, if I failed my login in the 5th time, I will be closed the connection from the host. I want to make 3 times. That is, if user fails to login with 3 attempts, he will be closed the connection. How to do it? Of course I am the admin of the...

2. Solaris

invalid login attempts...

I am wondering if solaris captures id's associated w/invalid login attempts? when I try to login as "test1" several (3-5) times, I do not find any userID info under "/var/adm" files: utmpx wtmpx messages lastlog Is there another location/log I should be checking? Is it necessary for...

3. AIX

Denying IPaddress for Multiple Failed Login Attempts

Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if...

4. AIX

ftp check for failed attempts

Hi, I have created the below ftp script to put files over to our capacity server, the check at the end works if ftp fails to run however if the script cannot login or the transfer itself failed there is no warnings. Does anyone know the syntax to trap the erorr codes or to put a check within...

5. Solaris

Number of login attempts on solaris 10

Hi, I want to sent number of login attempts ,so that after that much attempts user account should be locked on solaris 10

6. AIX

Invalid login attempts

How can I see the number of invalid login attempts of a user? Thanks,

7. Shell Programming and Scripting

Shell script in tracking both the passed and failed login in a unix server

Can you help me in providing the following output or a quite similar to this from a shell script ? *** Logins Summary Information ***** ---------------------------------- Failed Login Attempts for Invalid Accounts Date Time IP-ADD Account ...

8. UNIX for Dummies Questions & Answers

TCP failed connection attempts from netstat -s

Dear experts, I am seeing a lot of TCP failed connection attempts from "netstat -s" on one of our servers. How can I pin point what connection failed and what are the ports involved? Any tools/commands I can dig in deeper to diag. what went wrong on these "failed connection attempts"? ...

9. Solaris

Solaris logs - Tracking failed attempts from my host

Hey all I'm having a big problem here. Someone is attempting an SSH to a destination host on which an account resides and locking the account. I'm trying to determine who is performing the SSH attempts from my host. For instance they're logged in as their standard account but then (I'm assuming)...

LEARN ABOUT CENTOS

function::ctime

FUNCTION::CTIME(3stap)					      Time utility functions					    FUNCTION::CTIME(3stap)

NAME

       function::ctime - Convert seconds since epoch into human readable date/time string

SYNOPSIS

	   ctime:string(epochsecs:long)

ARGUMENTS

       epochsecs
	   Number of seconds since epoch (as returned by gettimeofday_s)

DESCRIPTION

       Takes an argument of seconds since the epoch as returned by gettimeofday_s. Returns a string of the form

       "Wed Jun 30 21:49:08 1993"

       The string will always be exactly 24 characters. If the time would be unreasonable far in the past (before what can be represented with a
       32 bit offset in seconds from the epoch) an error will occur (which can be avoided with try/catch). If the time would be unreasonable far
       in the future, an error will also occur.

       Note that the epoch (zero) corresponds to

       "Thu Jan 1 00:00:00 1970"

       The earliest full date given by ctime, corresponding to epochsecs -2147483648 is "Fri Dec 13 20:45:52 1901". The latest full date given by
       ctime, corresponding to epochsecs 2147483647 is "Tue Jan 19 03:14:07 2038".

       The abbreviations for the days of the week are 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', and 'Sat'. The abbreviations for the months are
       'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', and 'Dec'.

       Note that the real C library ctime function puts a newline ('
') character at the end of the string that this function does not. Also note
       that since the kernel has no concept of timezones, the returned time is always in GMT.

SystemTap Tapset Reference					     June 2014						    FUNCTION::CTIME(3stap)