The /var/log/btmp* files store failed login attempts. In other words, they record the IP addresses of people and bots that have tried to sneak into a server. To list those IPs, ordered by number of failed attempts, use good ol’ Unix pipes:

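# Read the current and rotated btmp files, keep the third column (remote host),
# drop lines without a digit or dot (blank lines, the "btmp begins" trailer),
# then count attempts per address. Output goes to ./lastb, busiest address last.
for f in /var/log/btmp*; do
    sudo lastb -f "$f"
done | awk '{print $3}' \
     | grep '[0-9.]' \
     | sort -V \
     | uniq -c \
     | sort -n \
     > lastb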

A few interesting insights from this script:

  • Most failed login attempts come from China.
  • There have been 144K failed login attempts since January 1st, 2020.
  • Most login attempts try to log in as root.
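
Added example (not part of the original post): the same counting idea wrapped in small functions that also tally the targeted usernames, which is how an observation like "most attempts try root" can be checked. The sample lastb output is constructed with documentation-range addresses, and the function names are made up for this sketch.

```shell
#!/bin/sh
# Constructed sample of `lastb` output (documentation-range IPs, not real data).
sample_lastb() {
cat <<'EOF'
root     ssh:notty    203.0.113.7      Wed Jan  1 00:03 - 00:03  (00:00)
admin    ssh:notty    198.51.100.23    Wed Jan  1 00:05 - 00:05  (00:00)
root     ssh:notty    203.0.113.7      Wed Jan  1 00:06 - 00:06  (00:00)
root     ssh:notty    192.0.2.10       Wed Jan  1 00:09 - 00:09  (00:00)
oracle   ssh:notty    203.0.113.7      Wed Jan  1 00:11 - 00:11  (00:00)

btmp begins Wed Jan  1 00:03:10 2020
EOF
}

# Emit "user ip" for every record whose third field is a dotted-quad IPv4
# address. This is stricter than grep '[0-9.]' and drops the blank line and
# the "btmp begins" trailer, but it also skips hostnames and IPv6 sources.
records() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1, $3}'
}

# top_by N: count distinct values of field N of records (1 = user, 2 = ip),
# most frequent first, printed as "count value".
top_by() {
    records | awk -v f="$1" '{print $f}' \
            | sort | uniq -c | sort -k1,1nr -k2,2 \
            | awk '{print $1, $2}'
}

top_ips()   { top_by 2; }
top_users() { top_by 1; }

# Whole-number percentage of failed attempts that targeted the root account.
root_share() {
    records | awk '{n++; if ($1 == "root") r++}
                   END {if (n) printf "%d\n", 100 * r / n; else print 0}'
}

# Demo on the constructed sample; on a server, feed real data instead, e.g.
#   sudo lastb -f /var/log/btmp | top_users
sample_lastb | top_ips
sample_lastb | top_users
echo "root share: $(sample_lastb | root_share)%"
```
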

Lesson of the day: pick a strong password.