linux
Evgeny Petrov, 2021-04-25 11:36:29

Why are there so many SSH login attempts in the auth.log file?

Good afternoon!

On the server, the /var/log/auth.log file contains many ssh login attempts. Is this an attempted attack? The server has been working recently, I checked the IPs, they point to India, China, etc. What do you advise?

Apr 25 08:27:05 databaseserver sshd[356844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.71.147.93
Apr 25 08:27:07 databaseserver sshd[356844]: Failed password for invalid user testuser from 120.71.147.93 port 47522 ssh2
Apr 25 08:27:09 databaseserver sshd[356844]: Received disconnect from 120.71.147.93 port 47522:11: Bye Bye [preauth]
Apr 25 08:27:09 databaseserver sshd[356844]: Disconnected from invalid user testuser 120.71.147.93 port 47522 [preauth]
Apr 25 08:27:12 databaseserver sshd[356846]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.229.240.81 user=root
Apr 25 08:27:14 databaseserver sshd[356846]: Failed password for root from 58.229.240.81 port 59512 ssh2
Apr 25 08:27:16 databaseserver sshd[356846]: Received disconnect from 58.229.240.81 port 59512:11: Bye Bye [preauth]
Apr 25 08:27:16 databaseserver sshd[356846]: Disconnected from authenticating user root 58.229.240.81 port 59512 [preauth]
Apr 25 08:27:27 databaseserver sshd[356848]: Invalid user user2 from 218.14.208.90 port 23676
Apr 25 08:27:27 databaseserver sshd[356848]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:27:27 databaseserver sshd[356848]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.14.208.90
Apr 25 08:27:29 databaseserver sshd[356848]: Failed password for invalid user user2 from 218.14.208.90 port 23676 ssh2
Apr 25 08:27:31 databaseserver sshd[356848]: Received disconnect from 218.14.208.90 port 23676:11: Bye Bye [preauth]
Apr 25 08:27:31
Apr 25 08:27:34 databaseserver sshd[356852]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.47.229.130 user=root
Apr 25 08:27:36 databaseserver sshd[356852]: Failed password for root from 59.47.229.130 port 19369 ssh2
Apr 25 08:27:39 databaseserver sshd[356852]: Received disconnect from 59.47.229.130 port 19369:11: Bye Bye [preauth]
Apr 25 08:27:39 databaseserver sshd[356852]: Disconnected from authenticating user root 59.47.229.130 port 19369 [preauth]
Apr 25 08:27:44 databaseserver sshd[356854]: Connection closed by 119.27.189.190 port 55860 [preauth]
Apr 25 08:27:47 databaseserver sshd[356857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.27.156 user=root
Apr 25 08:27:49 databaseserver sshd[356857]: Failed password for root from 106.13.27.156 port 46746 ssh2
Apr 25 08:27:51 databaseserver sshd[356857]: Received disconnect from 106.13.27.156 port 46746:11: Bye Bye [preauth]
Apr 25 08:27:51 databaseserver sshd[356857]: Disconnected from authenticating user root 106.13.27.156 port 46746 [preauth]
Apr 25 08:27:58 databaseserver sshd[356859]: Invalid user webmaster from 161.97.185.33 port 56430
Apr 25 08:27:58 databaseserver sshd[356859]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:27:58 databaseserver sshd[356859]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=161.97.185.33
Apr 25 08:28:01 databaseserver sshd[356859]: Failed password for invalid user webmaster from 161.97.185.33 port 56430 ssh2
Apr 25 08:28:03 databaseserver sshd[356859]: Received disconnect from 161.97.185.33 port 56430:11: Bye Bye [preauth]
Apr 25 08:28:03 databaseserver sshd[356859]: Disconnected from invalid user webmaster 161.97.185.33 port 56430 [preauth]
Apr 25 08:28:04 databaseserver sshd[356862]: Invalid user user from 182.208.252.91 port 48614
Apr 25 08:28:04 databaseserver sshd[356862]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:28:04 databaseserver sshd[356862]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.208.252.91
Apr 25 08:28:06 databaseserver sshd[356862]: Failed password for invalid user user from 182.208.252.91 port 48614 ssh2
Apr 25 08:28:07 databaseserver sshd[356862]: Received disconnect from 182.208.252.91 port 48614:11: Bye Bye [preauth]
Apr 25 08:28:07 databaseserver sshd[356862]: Disconnected from invalid user user 182.208.252.91 port 48614 [preauth]
Apr 25 08:28:10 databaseserver sshd[356864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.102.112.178 user=root

1 answer(s)
Vladimir Korotenko, 2021-04-25
@kazsat

These are bots. Yes, they are annoying. I would allow login only by certificate, change the ssh port to 2022 and configure fail2ban.
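
An added example, not part of the original question or answer: a small triage script for sshd lines in the format shown in the question, which counts failed password attempts per source address and flags any accepted login from an address that also produced failures. The function name `triage` and the sample lines are constructed for illustration; the addresses come from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (addresses are from
# documentation ranges, not from the original post).
SAMPLE = """\
Apr 25 08:27:07 databaseserver sshd[1001]: Failed password for invalid user testuser from 192.0.2.10 port 47522 ssh2
Apr 25 08:27:14 databaseserver sshd[1002]: Failed password for root from 198.51.100.7 port 59512 ssh2
Apr 25 08:27:29 databaseserver sshd[1003]: Failed password for invalid user user2 from 192.0.2.10 port 23676 ssh2
Apr 25 08:27:44 databaseserver sshd[1004]: Connection closed by 203.0.113.5 port 55860 [preauth]
Apr 25 08:28:01 databaseserver sshd[1005]: Failed password for root from 198.51.100.7 port 56430 ssh2
Apr 25 08:29:10 databaseserver sshd[1006]: Accepted password for root from 198.51.100.7 port 56431 ssh2
Apr 25 09:00:00 databaseserver sshd[1007]: Accepted publickey for admin from 203.0.113.50 port 40000 ssh2
"""

# The user name is client-controlled and may contain " from ...", so it is
# matched greedily and the address is taken from the anchored end of the line.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2\s*$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (.*) from (\S+) port \d+ ssh2")

def triage(lines):
    """Return (failures per IP, logins accepted from IPs that also failed)."""
    failures = defaultdict(lambda: {"count": 0, "users": set(), "invalid": 0})
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            entry = failures[m.group(3)]
            entry["count"] += 1
            entry["users"].add(m.group(2))
            entry["invalid"] += bool(m.group(1))  # attempts on nonexistent accounts
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "ip": m.group(3)})
    suspicious = [a for a in accepted if a["ip"] in failures]
    return dict(failures), suspicious

if __name__ == "__main__":
    failures, suspicious = triage(SAMPLE.splitlines())
    for ip, f in sorted(failures.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {f['count']} failed, {f['invalid']} on nonexistent users, tried {sorted(f['users'])}")
    for a in suspicious:
        print(f"CHECK: {a['method']} login as {a['user']} from {a['ip']}, which also had failures")
```

On a real host, pass the lines of /var/log/auth.log to `triage` instead of the sample; an empty second result means none of the addresses with failed attempts ever logged in.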
