The lastb command can be used to list failed login attempts. By default it displays a nice table of all failed attempts, including the username, the time and the host the attempt originated from.
sudo lastb -w | cut -d " " -f 1 | sort | uniq | less
The -w option tells lastb to display the full username. The cut, sort and uniq commands turn the output of lastb into a sorted list that contains each username only once.
When I ran it recently on my server I found some interesting results. Nobody tried in the last fortnight to log in with root, but they did try with r00t, root2, root3, roottest, rootuser and a bunch of similar ones. There were a bunch of generic users such as admin, support, test, user, sales and a surprising number of software-related ones: wordpress, wp, stunnel, mysql, moodle, mongodb, minecraft etc.
Another useful command is
$ sudo lastb -f /var/log/btmp.1 -w -i | awk '{print $3}' | sort | uniq --count | sort -nr | less
which lists hosts sorted by the number of failed attempts originating from each host.
Overall in the last two weeks my server experienced more than 3300 failed login attempts using more than 800 unique usernames. Fortunately, as my server only allows public-key authentication via ssh, all those attempts are pretty futile.
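The two pipelines above can be combined into one summary that yields the totals quoted here. This is an added example, not part of the original post; the function names and the sample records are constructed for illustration, and it assumes the whitespace-separated column layout of lastb -w -i.

```shell
#!/bin/sh
# Constructed sample in the `lastb -w -i` layout (user, tty, host, times).
# Addresses come from documentation ranges; this is not real log data.
sample_lastb() {
cat <<'EOF'
r00t      ssh:notty  203.0.113.7    Mon Mar  4 10:15 - 10:15  (00:00)
admin     ssh:notty  203.0.113.7    Mon Mar  4 10:14 - 10:14  (00:00)
wordpress ssh:notty  198.51.100.23  Mon Mar  4 09:02 - 09:02  (00:00)
admin     ssh:notty  203.0.113.7    Sun Mar  3 22:41 - 22:41  (00:00)
mysql     ssh:notty  192.0.2.55     Sun Mar  3 21:30 - 21:30  (00:00)

btmp begins Sun Mar  3 21:30:11 2024
EOF
}

# Emit "user host" per real record. lastb ends its output with a blank line
# and a "btmp begins ..." trailer, which a plain cut/awk pipeline would count
# as an extra username or host.
lastb_records() {
    awk 'NF >= 3 && !($1 ~ /^btmp/ && $2 == "begins") { print $1, $3 }'
}

# Number of failed attempts (one per record).
total_attempts() { lastb_records | awk 'END { print NR }'; }

# Number of distinct usernames tried.
unique_users() {
    lastb_records | awk '{ print $1 }' | sort -u | awk 'END { print NR }'
}

# "count host" lines, busiest host first, ties ordered by host.
top_hosts() {
    lastb_records | awk '{ print $2 }' | sort | uniq -c |
        awk '{ print $1, $2 }' | sort -k1,1nr -k2,2
}

# Demo on the sample; on a server: sudo lastb -w -i | top_hosts
echo "attempts: $(sample_lastb | total_attempts)"
echo "usernames: $(sample_lastb | unique_users)"
sample_lastb | top_hosts
```
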