View Failed Login Attempts – lastb

The lastb command can be used to list failed login attempts. By default it displays a nice table of all failed attempts including the username, time and host the attempt had originated from.

sudo lastb -w | cut -d " " -f 1 | sort | uniq | less

The -w tells lastb to display full username. The cut, sort and uniq turn the output of lastb to sorted list that contains each user name only once.

When I ran it recently on my server I found some interesting results. Nobody tried in the last fortnight to login with root but they did try with r00t, root2, root3, roottest, rootuser and a bunch of similar ones. There were a bunch of generic users such as admin, support, test, user, sales and surprising number of software related ones: wordpress, wp, stunnel, mysql, moodle, mongodb, minecraft etc.

Another useful command is

$ sudo lastb -f /var/log/btmp.1 -w -i | awk '{print $3}' | sort | uniq --count | sort -nr | less

which lists hosts sorted by the number of failed attempts originated from each host.

Overall in the last two weeks my server experienced more that 3300 failed login attempts using more than 800 unique usernames. Fortunately, as my server only allows public-key authentication via ssh all those attempts are pretty futile.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.