Somebody trying to break into my new VPS? Cause for concern?
by walterbyrd from LinuxQuestions.org on (#5C21X)
There is nothing on my site yet. I don't even have a web server working.
While trying to get my web server working, I did a journal -xe. I was surprised to find this (see below). I did an nmap on myself; the ports I have open are ssh and ftp. I had ssh assigned to a random port number - not 22. I took a look at my /etc/password file; it seems to be okay.
I also did a # last -20; it looks like I am the only one who has ever logged in.
Anything else I should do?
All these attempted logins seemed to take place within 11 seconds. They are still trying to log in. Not sure what to do about it. Maybe I should shut down ssh for a while, and bring it back up with an at command?
Code:
Dec 24 19:22:42 www sshd[293795]: pam_unix(sshd:auth): check pass; user unknown
Dec 24 19:22:42 www sshd[293795]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.91.126.92
Dec 24 19:22:42 www sshd[293797]: Invalid user deployer from 158.101.12.235 port 33020
Dec 24 19:22:42 www sshd[293797]: pam_unix(sshd:auth): check pass; user unknown
Dec 24 19:22:42 www sshd[293797]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=158.101.12.235
Dec 24 19:22:44 www sshd[293795]: Failed password for invalid user halley from 125.91.126.92 port 57996 ssh2
Dec 24 19:22:44 www sshd[293795]: Received disconnect from 125.91.126.92 port 57996:11: Bye Bye [preauth]
Dec 24 19:22:44 www sshd[293795]: Disconnected from invalid user halley 125.91.126.92 port 57996 [preauth]
Dec 24 19:22:44 www sshd[293797]: Failed password for invalid user deployer from 158.101.12.235 port 33020 ssh2
Dec 24 19:22:45 www sshd[293797]: Received disconnect from 158.101.12.235 port 33020:11: Bye Bye [preauth]
Dec 24 19:22:45 www sshd[293797]: Disconnected from invalid user deployer 158.101.12.235 port 33020 [preauth]
Dec 24 19:22:48 www sshd[293799]: Invalid user shirley from 106.51.85.16 port 59938
Dec 24 19:22:48 www sshd[293799]: pam_unix(sshd:auth): check pass; user unknown
Dec 24 19:22:48 www sshd[293799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.51.85.16
Dec 24 19:22:49 www sshd[293801]: Invalid user access from 81.68.216.148 port 48956
Dec 24 19:22:49 www sshd[293801]: pam_unix(sshd:auth): check pass; user unknown
Dec 24 19:22:49 www sshd[293801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.68.216.148
Dec 24 19:22:50 www sshd[293799]: Failed password for invalid user shirley from 106.51.85.16 port 59938 ssh2
Dec 24 19:22:50 www sshd[293799]: Received disconnect from 106.51.85.16 port 59938:11: Bye Bye [preauth]
Dec 24 19:22:50 www sshd[293799]: Disconnected from invalid user shirley 106.51.85.16 port 59938 [preauth]
Dec 24 19:22:51 www sshd[293801]: Failed password for invalid user access from 81.68.216.148 port 48956 ssh2
Dec 24 19:22:53 www sshd[293801]: Received disconnect from 81.68.216.148 port 48956:11: Bye Bye [preauth]
Dec 24 19:22:53 www sshd[293801]: Disconnected from invalid user access 81.68.216.148 port 48956 [preauth]
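
An added example, not part of the original post: a small triage script for sshd journal output like the above. It counts failed password guesses per source address, separating unknown usernames from real accounts, and flags any accepted login from a source that had been failing. The sample log lines, the username alice and the addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same sshd journal format as the post.
SAMPLE = """\
Dec 24 19:22:42 www sshd[1001]: Invalid user deployer from 198.51.100.7 port 33020
Dec 24 19:22:44 www sshd[1001]: Failed password for invalid user deployer from 198.51.100.7 port 33020 ssh2
Dec 24 19:22:48 www sshd[1002]: Failed password for invalid user shirley from 203.0.113.9 port 59938 ssh2
Dec 24 19:22:50 www sshd[1003]: Failed password for root from 203.0.113.9 port 59940 ssh2
Dec 24 19:22:51 www sshd[1004]: Failed password for alice from 192.0.2.55 port 40112 ssh2
Dec 24 19:23:05 www sshd[1005]: Accepted password for alice from 192.0.2.55 port 40120 ssh2
Dec 24 19:30:00 www sshd[1006]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

# The username is supplied by the client, so the user group is greedy and the
# "from <addr> port <n> ssh2" tail is anchored to the end of the line: only the
# last " from " on the line is treated as the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (.*) from (\S+) port \d+ ssh2")

def triage(log_text):
    """Return (failures per source, accepted logins that need review)."""
    failures = defaultdict(
        lambda: {"invalid_user": 0, "existing_user": 0, "names": set()})
    review = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            invalid, user, src = m.groups()
            entry = failures[src]
            # "invalid user" means the guessed account does not exist on the host.
            entry["invalid_user" if invalid else "existing_user"] += 1
            entry["names"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            # A success from a source that was failing earlier is worth a look.
            if src in failures:
                review.append((user, src, method))
    return dict(failures), review

if __name__ == "__main__":
    per_source, to_review = triage(SAMPLE)
    for src, info in sorted(per_source.items()):
        print(src, info["invalid_user"], info["existing_user"], sorted(info["names"]))
    print("review:", to_review)
```

Feed it real data by passing the text of the sshd journal to triage() instead of SAMPLE; an empty review list together with only invalid_user counts matches what the poster saw with last.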

