Failed SSHD Login Attempts (15,000 per day) - Is that a lot compared to your server?

The purpose of this thread is for everyone to follow the same methodology so we can create a future table, for the benefit of all, that shows how many failed login attempts (hacking) per day per server (and per minute) are happening.

This is not a thread on writing scripts or creating different methods to get the same data, nor is this a thread on how to prevent brute force logins. This thread uses a very simple (not elegant, not interesting) method that everyone can follow; by using the same very simple method, the results will be easy to compare, apples to apples, as follows:

lastb | wc -l
330466

lastb | head -1
root     ssh:notty    222.186.180.19   Thu Sep 26 00:50 - 00:50  (00:00)

lastb | tail -1
btmp begins Wed Sep  4 06:52:54 2019

Days Total (approx): 22

330466 / 22 = 15K ssh login attempts which failed each day, or about 10.4 per minute.

Is that a lot compared to your server?

Please post back your results using the same method:

lastb | wc -l

lastb | head -1

lastb | tail -1

Then take the total days by comparing the dates in the head and tail, and divide that (the days) into the total number from the lastb | wc -l command and post back (just like I did above).

Thanks.

PS: If all replies use the same method, it will be easy to compare the results in a table or chart later. Please do not use any other method than the very simple one above.

Thanks!

If we get enough replies, I will do a video on the results later.

Here is another ubuntu server on the net:

ubuntu2:~# lastb | wc -l; lastb | head -1 ; lastb | tail -1
364528
tomcat   ssh:notty    134.175.151.40   Thu Sep 26 05:13 - 05:13  (00:00)
btmp begins Sun Sep  1 06:25:30 2019

Results:

364528 / 25 = 14,581 per day or 10.1 failed login attempts per minute.

Ubuntu 3:

root@localhost:~# lastb | wc -l; lastb | head -1 ; lastb | tail -1
351459
root     ssh:notty    111.198.54.173   Thu Sep 26 10:17 - 10:17  (00:00)
btmp begins Sun Sep  1 06:25:10 2019

351459 / 25 = 14,038 per day or 9.7 failed login attempts per minute.

So far, this is pretty interesting.

Three different public servers on the Internet (in the US) with the following "failed login attempts per minute" (FLA/m) or maybe (FLAPM):

  • 10.4
  • 10.1
  • 9.7

That's fairly interesting: three distinct public servers on the net are converging close to 10 FLA/m, or 10 FLAPM.

Anyone else care to follow the same methodology so we can compare for the benefit of all readers?

Difficult to follow precisely without lastb, but grepping 'authentication failure' in log files, one of my servers has 66,000 failed logins since Sep 22, which is awfully close to your 15,000 a day. Another's log files are too short to be useful for this...

1 Like

Thanks Corona688,

Yes, I find it interesting that when we check for different servers with public Internet access, the number of failed ssh login attempts per minute (FLAPM) converges toward ten per minute.

This is why I think it would be useful to document this using, at least on Linux at the beginning, the same method, which is the simple lastb method I posted, since all major Linux systems use lastb to parse and display the auth log for failed login attempts.

If we use the same methodology, the numbers have more meaning, and if it turns out that there is some convergence to, for example, 10 FLAPM, then it would be interesting to try to understand why.

@Neo: Thanks for rephrasing and clarifying your request!

Here's a script which calculates the FLAPM value:

#!/bin/bash

exit_with_message() { echo "$*" ; exit 1 ;}

type lastb >/dev/null 2>&1  || exit_with_message "error: no lastb"
type awk   >/dev/null 2>&1  || exit_with_message "error: no awk"

evaluate() {
   awk '
        # Convert a lastb date ("Thu Sep 26 00:50") to seconds since the epoch
        # with GNU date. lastb prints no year, so date assumes the current one.
        # The command pipe is closed after each use so every call runs afresh
        # instead of reading stale output from the first invocation.
        function epoch(date,   cmd, d) {
            cmd = "date -d \"" date "\" +%s"
            cmd | getline d
            close(cmd)
            return d + 0
        }

        # Only entry lines have a 10th field, the "(00:00)" duration; the
        # trailing "btmp begins ..." line has fewer fields and is skipped.
        $10 != ""       { mydate=$4" "$5" "$6" "$7; count++ }

        # lastb lists newest first, so line 1 carries the newest timestamp.
        NR==1           { last=epoch(mydate) }

        # At END, mydate holds the oldest entry; divide the count by the span.
        END {
            span = (last - epoch(mydate)) / 60
            if (count == 0 || span <= 0) { print "not enough data in btmp"; exit 1 }
            printf "%9.4f FLAPM\n", count/span
        }
        '
}

lastb | evaluate

Here are some results for servers I manage, which provide services within the internet, partly with fail2ban and changed ssh ports in place:

  0.07 FLAPM
  0.07 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.10 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.11 FLAPM
  0.12 FLAPM
  0.20 FLAPM
  0.88 FLAPM
  1.12 FLAPM
  1.27 FLAPM
  1.36 FLAPM
  1.61 FLAPM
  1.74 FLAPM
  1.79 FLAPM
  1.92 FLAPM
  1.94 FLAPM
  2.88 FLAPM
  2.95 FLAPM
  3.20 FLAPM
  3.22 FLAPM
  3.35 FLAPM
  3.51 FLAPM
  3.53 FLAPM
  3.62 FLAPM
  3.63 FLAPM
  4.12 FLAPM
  4.75 FLAPM
  4.78 FLAPM
  4.82 FLAPM
  4.92 FLAPM
  4.96 FLAPM
  4.99 FLAPM
  5.07 FLAPM
  5.29 FLAPM
  5.29 FLAPM
  5.35 FLAPM
  5.44 FLAPM
  5.46 FLAPM
  5.54 FLAPM
  5.56 FLAPM
  5.62 FLAPM
  5.79 FLAPM
  5.80 FLAPM
  5.82 FLAPM
  5.85 FLAPM
  5.86 FLAPM
  5.86 FLAPM
  5.91 FLAPM
  6.01 FLAPM
  6.04 FLAPM
  6.25 FLAPM
  6.34 FLAPM
  6.92 FLAPM
  7.54 FLAPM
  8.72 FLAPM
  9.20 FLAPM
 11.01 FLAPM
 11.93 FLAPM
 12.57 FLAPM
 12.90 FLAPM
 13.08 FLAPM
 13.09 FLAPM
 13.35 FLAPM
 13.52 FLAPM
 14.09 FLAPM
 14.58 FLAPM
 14.76 FLAPM
 14.78 FLAPM
 14.80 FLAPM
 15.18 FLAPM
 16.97 FLAPM
 17.18 FLAPM
 17.22 FLAPM
 20.70 FLAPM
 23.57 FLAPM
 40.46 FLAPM

2 Likes
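The count-and-divide method from the first post, and the awk script above, both read plain lastb output, which carries no year: a btmp that spans New Year gives a wrong span. The following is an added example (mine, not code from the thread or from the script above) that does the same computation over `lastb -F` output, where util-linux prints full timestamps including the year. The function names flapm and sample_lastb are my own; the sample input is constructed to straddle a year boundary, and the addresses are RFC 5737 documentation ranges, not observed attackers. The epoch conversion is done in awk arithmetic so it does not depend on GNU date -d.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Computes the per-day and per-minute
# failed-login rate from `lastb -F` output, which includes the year, so a btmp
# spanning New Year is handled. No GNU `date -d` needed; any POSIX awk works.

# flapm: read `lastb -F` output on stdin, print the top 5 source hosts
# ("count host", one per line) and then one summary line.
flapm() {
    awk '
    # Days since 1970-01-01 for a proleptic Gregorian date (Hinnant algorithm).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # Unix time for "Sep 26 00:50:12 2019"-style fields.
    function epoch(mon, day, hms, year,    m, h) {
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        split(hms, h, ":")
        return days_from_civil(year, m, day) * 86400 + h[1] * 3600 + h[2] * 60 + h[3]
    }
    /^btmp begins/ { next }                    # trailer line, not an entry
    {
        # Locate the weekday field: it is $4 on normal lines but $3 on console
        # failures, where the host column is empty. Lines without a full
        # "Www Mon DD HH:MM:SS YYYY" timestamp after it (e.g. blank) are skipped.
        for (i = 3; i <= NF; i++) if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) break
        if (i > NF - 4) next
        t = epoch($(i + 1), $(i + 2), $(i + 3), $(i + 4))
        if (count == 0 || t > newest) newest = t
        if (count == 0 || t < oldest) oldest = t
        count++
        by_host[(i == 4) ? $3 : "(local)"]++
    }
    END {
        if (count == 0) { print "no failed logins in input"; exit 1 }
        for (h in by_host) print by_host[h], h | "sort -rn | head -n 5"
        close("sort -rn | head -n 5")
        minutes = (newest - oldest) / 60
        if (minutes < 1) minutes = 1           # all within one minute: avoid /0
        printf "entries=%d span_minutes=%.1f per_day=%.1f FLAPM=%.4f\n", count, minutes, count / (minutes / 1440), count / minutes
    }'
}

# Constructed `lastb -F` output for the demo (newest first, as lastb prints it).
# Addresses are RFC 5737 documentation ranges. Entries straddle New Year, which
# plain `lastb` output cannot express because it omits the year.
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    203.0.113.7      Wed Jan  1 00:10:00 2020 - Wed Jan  1 00:10:00 2020  (00:00)
admin    ssh:notty    203.0.113.7      Wed Jan  1 00:05:00 2020 - Wed Jan  1 00:05:00 2020  (00:00)
oracle   ssh:notty    203.0.113.7      Wed Jan  1 00:01:00 2020 - Wed Jan  1 00:01:00 2020  (00:00)
root     ssh:notty    198.51.100.22    Tue Dec 31 23:58:00 2019 - Tue Dec 31 23:58:00 2019  (00:00)
root     tty1                          Tue Dec 31 23:55:00 2019 - Tue Dec 31 23:55:00 2019  (00:00)
test     ssh:notty    198.51.100.22    Tue Dec 31 23:50:00 2019 - Tue Dec 31 23:50:00 2019  (00:00)

btmp begins Tue Dec 31 23:50:00 2019
EOF
}

# On a real host: lastb -F | flapm      (the demo below uses the sample above)
sample_lastb | flapm
```

On a real server replace the demo line with `lastb -F | flapm`. The summary line gives the same two numbers the thread asks for (per day and per minute), and the host list shows whether the volume comes from a handful of sources or is spread out, which matters when deciding between fail2ban-style banning and a port change. Note also that `lastb | wc -l` counts the "btmp begins" trailer as an entry; at hundreds of thousands of entries that is noise, but the function above excludes it.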

THANKS!

Yes, my first post was vague and not clear, so I started over and tried to be more clear.

That's what happens when I am multi-tasking many tasks at once and just do a "quick post" without putting my full thoughts down in the post. My bad and sorry for the earlier confusion.

Your script is really great and a strong contribution.

Perhaps in the future we should add a flag so each server can be identified as having fail2ban turned on or not?

What do you think? Is that an important metric to add, do you think?

Same from the receiving side. I also only had a very quick read of your post.

Instead of one car crashing into a wall, two cars crashing head-on into each other at the same speed do square the damage instead of just double. So there is a square amount of misunderstanding here :wink:

More maybe later.

1 Like

It may be that fail2ban is configured properly, up and running. That will definitely explain a rate below average. But f2b can be running without being configured to do any blocking at all, or not correctly adapted to the system. It may be a weak variable.

As regards the ssh port: from my experience it makes a huge difference whether it's running on the default port 22 or a custom port. Most attackers are just using the easiest methods because there's still enough to harvest.

Regarding my server list:

I did a quick check and removed the results which might not be plausible (flapm <= 0). There might be a pool of servers not shown because their flapm rounded down to zero.

1 Like

FYI.

Normally, I do not run automatic banning systems, but after reviewing fail2ban again, I see the ban is configured out-of-the-box to only ban for a short period.

So, am testing fail2ban on all my Linux servers.

However, I agree with you, stomp, that changing the sshd port from 22 to another value is one of the best deterrents against these bots.

The same is also true for web software, for example WordPress. The best way to stop bot registrations, bot logins and spam posts is to change the URL of the registration, login or posting scripts.

Also, having said that, I was hoping not to quickly get into remediation and risk management, but to get more people to post their FLAPM stats, using our simple method, so we could gather more stats.

A post was split to a new topic: Using Blocklists to block harmful clients