Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server?
Special Forums Cybersecurity Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server? Post 303039259 by stomp on Friday 27th of September 2019 10:45:52 AM
Old 09-27-2019
@Neo: Thanks for rephrasing and clarifying your request!

Here's a script which calculates the FLAPM value:

Code:
#!/bin/bash

exit_with_message() { echo "$*" ; exit 1 ;}

type lastb >/dev/null 2>&1  || exit_with_message "error: no lastb"
type awk   >/dev/null 2>&1  || exit_with_message "error: no awk"

evaluate() {
   awk '

        function epoch(date,d) { "date -d \""date"\" +%s" | getline d; return d; }

        $10 != ""       { mydate=$4" "$5" "$6" "$7;count++; }
        NR==1           { last=epoch(mydate); }

        END { printf "%9.4f FLAPM\n",count/((last-epoch(mydate))/60)}
        '
}

lastb | evaluate

Here are some results for servers I manage, which provide services within the internet, partly with fail2ban and changed ssh ports in place:

Code:
  0.07 FLAPM
  0.07 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.12 FLAPM
  0.20 FLAPM
  0.88 FLAPM
  1.12 FLAPM
  1.27 FLAPM
  1.36 FLAPM
  1.61 FLAPM
  1.74 FLAPM
  1.79 FLAPM
  1.92 FLAPM
  1.94 FLAPM
  2.88 FLAPM
  2.95 FLAPM
  3.20 FLAPM
  3.22 FLAPM
  3.35 FLAPM
  3.51 FLAPM
  3.53 FLAPM
  3.62 FLAPM
  3.63 FLAPM
  4.12 FLAPM
  4.75 FLAPM
  4.78 FLAPM
  4.82 FLAPM
  4.92 FLAPM
  4.96 FLAPM
  4.99 FLAPM
  5.07 FLAPM
  5.29 FLAPM
  5.29 FLAPM
  5.35 FLAPM
  5.44 FLAPM
  5.46 FLAPM
  5.54 FLAPM
  5.56 FLAPM
  5.62 FLAPM
  5.79 FLAPM
  5.80 FLAPM
  5.82 FLAPM
  5.85 FLAPM
  5.86 FLAPM
  5.86 FLAPM
  5.91 FLAPM
  6.01 FLAPM
  6.04 FLAPM
  6.25 FLAPM
  6.34 FLAPM
  6.92 FLAPM
  7.54 FLAPM
  8.72 FLAPM
  9.20 FLAPM
 11.01 FLAPM
 11.93 FLAPM
 12.57 FLAPM
 12.90 FLAPM
 13.08 FLAPM
 13.09 FLAPM
 13.35 FLAPM
 13.52 FLAPM
 14.09 FLAPM
 14.58 FLAPM
 14.76 FLAPM
 14.78 FLAPM
 14.80 FLAPM
 15.18 FLAPM
 16.97 FLAPM
 17.18 FLAPM
 17.22 FLAPM
 20.70 FLAPM
 23.57 FLAPM
 40.46 FLAPM

Last edited by stomp; 09-27-2019 at 11:51 AM..
These 2 Users Gave Thanks to stomp For This Post:
jim mcnamara Neo
 

9 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Maximum 3 login attempts

Hi, I notice in my Sun Solaris 8 sparc workstation, if I failed my login in the 5th time, I will be closed the connection from the host. I want to make 3 times. That is, if user fails to login with 3 attempts, he will be closed the connection. How to do it? Of course I am the admin of the... (2 Replies)
Discussion started by: champion
2 Replies

2. Solaris

invalid login attempts...

I am wondering if solaris captures id's associated w/invalid login attempts? when I try to login as "test1" several (3-5) times, I do not find any userID info under "/var/adm" files: utmpx wtmpx messages lastlog Is there another location/log I should be checking? Is it necessary for... (6 Replies)
Discussion started by: mr_manny
6 Replies

3. AIX

Denying IPaddress for Multiple Failed Login Attempts

Hi. I would like to be able to deny IP address for too many failed login attemps (either from ssh, sftp, ftp, etc). The system I wish this to work on is an AIX 5.1 system. I'm new to AIX but I'm a linux user. There is a program for linux called fail2ban which reads from the log files and see if... (1 Reply)
Discussion started by: metzgerh
1 Replies

4. AIX

ftp check for failed attempts

Hi, I have created the below ftp script to put files over to our capacity server, the check at the end works if ftp fails to run however if the script cannot login or the transfer itself failed there is no warnings. Does anyone know the syntax to trap the erorr codes or to put a check within... (3 Replies)
Discussion started by: chlawren
3 Replies

5. Solaris

Number of login attempts on solaris 10

Hi, I want to sent number of login attempts ,so that after that much attempts user account should be locked on solaris 10 (2 Replies)
Discussion started by: manoj.solaris
2 Replies

6. AIX

Invalid login attempts

How can I see the number of invalid login attempts of a user? Thanks, (9 Replies)
Discussion started by: agasamapetilon
9 Replies

7. Shell Programming and Scripting

Shell script in tracking both the passed and failed login in a unix server

Can you help me in providing the following output or a quite similar to this from a shell script ? *** Logins Summary Information ***** ---------------------------------- Failed Login Attempts for Invalid Accounts Date Time IP-ADD Account ... (0 Replies)
Discussion started by: linuxgeek
0 Replies

8. UNIX for Dummies Questions & Answers

TCP failed connection attempts from netstat -s

Dear experts, I am seeing a lot of TCP failed connection attempts from "netstat -s" on one of our servers. How can I pin point what connection failed and what are the ports involved? Any tools/commands I can dig in deeper to diag. what went wrong on these "failed connection attempts"? ... (2 Replies)
Discussion started by: cache51
2 Replies

9. Solaris

Solaris logs - Tracking failed attempts from my host

Hey all I'm having a big problem here. Someone is attempting an SSH to a destination host on which an account resides and locking the account. I'm trying to determine who is performing the SSH attempts from my host. For instance they're logged in as their standard account but then (I'm assuming)... (13 Replies)
Discussion started by: MaindotC
13 Replies

LEARN ABOUT DEBIAN

apsfilter-bug

APSFILTER-BUG(1)					    BSD General Commands Manual 					  APSFILTER-BUG(1)

NAME

     apsfilter-bug -- create a half-automatic bug report for apsfilter

SYNOPSIS

     apsfilter-bug

OPTIONS

     none

DESCRIPTION

     With the apsfilter-bug script you can automatically create a bug report for apsfilter(1).	A template report file is created which you can
     edit with your favourite editor ( emacs(1) by default, or whatever is entered in the environment variable EDITOR ).

     You will see a couple of lines starting with '#'; these lines will be removed before the report is sent. So if you want to use the '#' char-
     acter at the beginning of a line, just indent it with a space.

     A very important piece of the bug report is the debugging log created by aps2file(1), probably with a command like
	   aps2file -D -o /dev/null [-P...] [-Z...] [input] 2> log.txt
     Unless you don't even have a chance to create a debugging log, it is crucial for serious bug hunting.

     After you have filled in as much (useful) information as possible, you must save the file under its original name, then exit your editor.

     If you invoked apsfilter-bug by accident, or if you need some additional system information to include into the bug report, just exit your
     editor without saving the file.

NOTES

     In addition to the stuff you've edited, some more information is appended to the bug report automatically:

     apsfilter version	  7.2.6-stable
     ghostscript version  (from 'gs --version')
     system id		  (from 'uname -a')
     configure options	  --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-awk=/usr/bin/awk --with-sendmail=/usr/sbin/sendmail
     shell executable	  /bin/bash
     awk executable	  /usr/bin/awk
     sendmail executable  /usr/sbin/sendmail

FILES

     /usr/bin/aps2file	script to create debugging output

SEE ALSO

     apsfilter(1), aps2file(1)

BUGS

     See apsfilter software center - http://www.apsfilter.org/ - for new versions, bugfixes and known bugs.

     Please use the new tool apsfilter-bug(1) to release bug- or problem reports. It automatically presents you a form in an editor window which
     asks you some standard questions.	If you save and quit the editor session, then this report is sent automatically via e-mail to the proper
     apsfilter mailinglist.

     If apsfilter fails to print something or prints it in a way you wouldn't expect and you want to report an apsfilter error then please save
     the debugging output of one print session using the new aps2file(1) utility by typing aps2file -D -Z options file > /dev/null 2> file.debug
     and including the debugging output in the file file.debug into the edit session of the apsfilter-bug utility, so that it is included into the
     mail to the apsfilter mailinglist.

     Please note that you need to run /bin/sh (Bourne Shell), bash or a compatible shell, so that the above mentioned output redirection works.
     Under C-shell (/bin/csh) or tcsh it would't work. If you don't know, then simply make sure you use the Bournce shell by typing /bin/sh or
     bash, then you should have no problems with redirection of stdout and stderr (> /dev/null 2> file.debug).

DOCUMENTATION

     See official apsfilter homepage
     http://www.apsfilter.org/handbook.html   Apsfilter Handbook including the Frequently Asked Questions (FAQ)

USER FORUM

     Please send questions to the official apsfilter help channel apsfilter-help@apsfilter.org.  The above section BUGS and the file
     HOWTO-BUGREPORTS tells you how to report bugs.  If you want to know how to troubleshoot your apsfilter installation, please read the manpage
     aps2file(1) and apsfilter-bug(1) as well as the Apsfilter Handbook carefully.

HISTORY

     The apsfilter-bug manpage has been written by Michael LoBin <phallobst@web.de> and first appeared in apsfilter V 7.1.0.

BSD
								   Dec 26, 2001 							       BSD
All times are GMT -4. The time now is 01:24 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy