Keep track of weird logins with Howler
Howler is a small utility I wrote to be notified when my users were logging in from unusual locations. I wanted to know if someone who normally logs in from Canada was suddenly logging in from Korea -- and especially if they were suddenly rapidly hopping between two different locations. It's a red flag when someone logs in from Seattle, then from Barcelona, then from Seattle again, all within the same 4 hours, because it's a good indicator that their credentials got stolen (though usually it's because they are using Tor or their corporate VPN).
At any rate, Howler will keep a watchful eye on where your users are coming from and alert you if they change locations:

    This user logged in from a new location:

    User    : mricon
    IP Addr : x.x.x.x
    Location: Portland, Oregon, US
    Hostname: myhost.kernel.org
    Daemon  : sshd

    Previously seen locations for this user:
    2017-04-08: Montréal, Quebec, CA
or when they start hopping:
    Hopping detected for user mricon!

    Locations seen in the past 12 hours (UTC):
    15:04:09: Montréal, Quebec, CA
    14:58:31: Vancouver, Washington, US
    14:51:42: Montréal, Quebec, CA
    14:44:58: Vancouver, Washington, US
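To make the two checks concrete, here is an added, self-contained Python sketch of the same logic (my own illustration, not Howler's code): a per-user table of previously seen locations drives the "new location" alert, and a 12-hour sliding window of recent logins drives the "hopping" alert, which fires when a user leaves a location and returns to it inside the window. The user name, timestamps and parsed locations are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (hypothetical user), shaped like what a
# log rule would hand over after geolocating the source IP.
EVENTS = [
    ("alice", "2017-04-08 09:12:00", "Montréal, Quebec, CA"),
    ("alice", "2017-04-09 14:44:58", "Vancouver, Washington, US"),
    ("alice", "2017-04-09 14:51:42", "Montréal, Quebec, CA"),
    ("alice", "2017-04-09 14:58:31", "Vancouver, Washington, US"),
    ("alice", "2017-04-09 15:04:09", "Montréal, Quebec, CA"),
]


class LoginTracker:
    """Remembers where each user has logged in from and raises two alerts."""

    def __init__(self, hop_window=timedelta(hours=12)):
        self.hop_window = hop_window
        self.seen = defaultdict(dict)    # user -> {location: date first seen}
        self.recent = defaultdict(list)  # user -> [(time, location)] in window

    def record(self, user, when, location):
        """Record one login and return the alerts it triggers (may be empty)."""
        alerts = []
        known = self.seen[user]
        if location not in known:
            if known:  # the very first login only establishes a baseline
                history = "; ".join(f"{d}: {loc}" for loc, d in
                                    sorted(known.items(), key=lambda kv: kv[1]))
                alerts.append(f"new location for {user}: {location} "
                              f"(previously: {history})")
            known[location] = when.date()
        # Drop logins older than the window, then look for an A -> B -> A pattern.
        cutoff = when - self.hop_window
        window = [(t, l) for t, l in self.recent[user] if t >= cutoff]
        window.append((when, location))
        self.recent[user] = window
        if self._is_hopping([l for _, l in window]):
            trail = " | ".join(f"{t:%H:%M:%S}: {l}" for t, l in reversed(window))
            alerts.append(f"hopping detected for {user}: {trail}")
        return alerts

    @staticmethod
    def _is_hopping(locations):
        """True if the user left some location and came back to it."""
        left = set()
        for prev, cur in zip(locations, locations[1:]):
            if prev != cur:
                left.add(prev)
                if cur in left:
                    return True
        return False


def run(events=EVENTS):
    """Replay the sample events through one tracker; return all alerts in order."""
    tracker = LoginTracker()
    return [a for user, ts, loc in events
            for a in tracker.record(user, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), loc)]
```

Feeding it the constructed events yields one "new location" alert for the first Vancouver login, then a "hopping" alert for each subsequent bounce back and forth; a trip to a third location without returning does not count as hopping.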
It's best used on your central syslog aggregator together with SEC, a handy tool that polls your logs and triggers actions when lines match your regexes. I provide a few sample SEC rules for sshd, openvpn, and gitolite.