Hello,

I have a problem where after closing the ssh access for root I have a lot of failed login attempts. Any idea how can I find what is causing this?

[myuser@mycomputer ~ ]$ su -
Password:
Last login: Tue Sep 14 06:01:53 +03 2021 on pts/6
Last failed login: Tue Sep 14 06:03:14 +03 2021 from mycomputer on ssh:notty
There were 48 failed login attempts since the last successful login.


[myuser@mycomputer ~ ]$ su -
Password:
Last login: Tue Sep 14 06:03:16 +03 2021 on pts/4
Last failed login: Tue Sep 14 06:07:00 +03 2021 from mycomputer on ssh:notty
There were 116 failed login attempts since the last successful login.

I figured 'ps -elf|grep root', but I'm not sure if that is the only way to find out.

Appreciate your help.

Hi, and welcome here, at LQ!

I would check the network traffic.

1 members found this post helpful.

Hi, thank you.

So I should check network traffic for example with nestat -natpe? Im not rly sure what the user id refers to though.. i suppose its the one from passwd file?
And do you think the ps -elf is relevant for information?

On most systems authentication events including destination port are logged in /var/log/auth.log and you can try to find which process is accessing this port

1 members found this post helpful.

if they were all ssh access attempts you can check the logs of sshd (probably). Also you may try to change debug/verbosity to see more.

If you have allowed internet access to the computer using ssh and allow ssh passwords it is someone trying to brute force there way in. Hopefully, root ssh root login is disabled. They will eventually move on. Make sure you are using strong passwords or better yet only use keys. To slow them down some you can use fail2ban.

Just bypass the problem. Don't allow anyone to SSH in without an exchange of public keys.

You might also install fail2ban, if you have not already done so. It should be in your repos.

Thanks guys.
Ill check those things and hopefully figure it out.
Really appreciate your help!
Cheers