Changed SSH port but still see login attempts in auth.log on Ubuntu 14.04.6
by nachtmsk from LinuxQuestions.org on (#5BR46)
Hi,
I changed my ssh port (/etc/ssh/sshd_config) to an obscure number and confirmed it's working.
I am still seeing login attempts (and fails) in my /var/log/auth.log.
1. Is that normal or should those attempts no longer generate log traffic for auth.log?
2. Second question. I see in the log entries a mention of various ports ( ....from 49.234.100.133 port 59898 ssh2.....). Does this mean users are trying to log into the system on port 59898? If so, I guess I answered my first question.
Thanks
Nacht
----
Dec 16 20:03:51 jrpno sshd[20534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=181.30.28.73
Dec 16 20:03:53 jrpno sshd[20534]: Failed password for invalid user securityagent from 181.30.28.73 port 43308 ssh2
Dec 16 20:03:53 jrpno sshd[20534]: Received disconnect from 181.30.28.73: 11: Bye Bye [preauth]
Dec 16 20:03:56 jrpno sshd[20536]: Invalid user mine from 49.234.100.133
Dec 16 20:03:56 jrpno sshd[20536]: input_userauth_request: invalid user mine [preauth]
Dec 16 20:03:56 jrpno sshd[20536]: pam_unix(sshd:auth): check pass; user unknown
Dec 16 20:03:56 jrpno sshd[20536]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.234.100.133
Dec 16 20:03:57 jrpno sshd[20536]: Failed password for invalid user mine from 49.234.100.133 port 59898 ssh2
Dec 16 20:03:58 jrpno sshd[20536]: Received disconnect from 49.234.100.133: 11: Bye Bye [preauth]
-------
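Added example, not part of the original post: a small Python parser for the "Failed password" lines in the excerpt above. In these sshd messages the number after `port` is the remote client's source port for that connection, not the port sshd listens on, so the parser reports it as `client_port`. The function names are hypothetical and the sample lines are constructed from the shape of the log in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the auth.log excerpt in the post.
SAMPLE = """\
Dec 16 20:03:53 jrpno sshd[20534]: Failed password for invalid user securityagent from 181.30.28.73 port 43308 ssh2
Dec 16 20:03:56 jrpno sshd[20536]: Invalid user mine from 49.234.100.133
Dec 16 20:03:57 jrpno sshd[20536]: Failed password for invalid user mine from 49.234.100.133 port 59898 ssh2
Dec 16 20:03:58 jrpno sshd[20536]: Received disconnect from 49.234.100.133: 11: Bye Bye [preauth]
"""

# The user field is attacker-controlled text. A greedy match anchored at the
# end of the line makes the LAST "from <ip> port <n> ssh2" the one we trust,
# so a username containing " from 10.0.0.1 port 22" cannot spoof the address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port (?P<sport>\d+) ssh2\s*$"
)

def failed_logins(text):
    """Return one dict per 'Failed password' line found in text."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            events.append({
                "ip": m["ip"],
                "user": m["user"],
                "known_user": m["invalid"] is None,   # False for "invalid user"
                "client_port": int(m["sport"]),       # remote source port
            })
    return events

def summarize(events):
    """Group failures by source address: attempt count, usernames, client ports."""
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "client_ports": set()})
    for e in events:
        entry = by_ip[e["ip"]]
        entry["attempts"] += 1
        entry["users"].add(e["user"])
        entry["client_ports"].add(e["client_port"])
    return dict(by_ip)

if __name__ == "__main__":
    for ip, info in summarize(failed_logins(SAMPLE)).items():
        print(ip, info["attempts"], sorted(info["users"]), sorted(info["client_ports"]))
```
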

