LinuxQuestions.org


Blueleaf 11-15-2010 09:48 AM

New to Linux, Getting a logwatch email about Possible Break In Attempt
 
Hi everyone,
I am new to Linux and I have a dedicated server running CentOS, Plesk 9.2 and I have received a logwatch email talking about a Possible Break In Attempt.

Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.
Any tips or suggestions would be great.


Here is the logwatch

--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (186.83.37.19): 219 Time(s)
root (186.36.144.229): 216 Time(s)
root (190.218.187.184): 156 Time(s)
root (89.175.254.190): 22 Time(s)
root (gate.fly-net.ru): 2 Time(s)
unknown (gate.fly-net.ru): 2 Time(s)
unknown (89.175.254.190): 1 Time(s)
Invalid Users:
Unknown Account: 3 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
89.175.254.190: 22 times
91.203.224.20 (gate.fly-net.ru): 2 times
186.36.144.229: 216 times
186.83.37.19 (Dynamic-IP-186833719.cable.net.co): 219 times
190.218.187.184 (cpe-001e3348a527.cpe.cableonda.net): 156 times

Illegal users from:
89.175.254.190: 1 time
91.203.224.20 (gate.fly-net.ru): 2 times


Received disconnect:
11: Bye Bye : 26 Time(s)
11: Goodbye : 591 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user asis : 1 time(s)
reverse mapping checking getaddrinfo for dynamic-ip-186833719.cable.net.co failed - POSSIBLE BREAK-IN ATTEMPT! : 219 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user shit : 1 time(s)
Address 190.218.187.184 maps to cpe-001e3348a527.cpe.cableonda.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 156 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user administrador : 1 time(s)

---------------------- SSHD End -------------------------


Thank you for your help

unSpawn 11-15-2010 10:46 AM

Quote:

Originally Posted by Blueleaf (Post 4159511)
I have a received a logwatch email talking about a Possible Break In Attempt.

The "Address X maps to Y, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT" means the hostname does not match with what the IP address resolves to. Seldom related to spoofing these days, more commonly bad DNS (PTR) record management.


Quote:

Originally Posted by Blueleaf (Post 4159511)
Can anyone help me out and let me know what I can do to increase security?
I saw a post about changing the sshd port, but I don't know if this is a good idea or not.

Read the complete Failed SSH login attempts thread please.


Quote:

Originally Posted by Blueleaf (Post 4159511)
I am new to Linux and I have a dedicated server running CentOS, Plesk 9.2

Please note that being able to run a web-based server management panel does not make one knowledgeable or an "admin" overnight. Please invest time to learn and practice.
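As an added example (not from this thread, from logwatch, or from the poster's server), the following Python tallies the same three things the report above groups: failed logins per account and source, invalid usernames, and the reverse-DNS (PTR) mismatch warnings unSpawn explains. The log lines are constructed in the /var/log/secure format that logwatch summarizes; the addresses reuse those in the poster's report, and the accepted login for "tom" is invented.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/secure format that logwatch summarizes
# (not copied from the original post; the source addresses are from the poster's report).
SAMPLE_LOG = """\
Nov 14 03:12:01 host sshd[2101]: reverse mapping checking getaddrinfo for dynamic-ip-186833719.cable.net.co failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 14 03:12:01 host sshd[2101]: Failed password for root from 186.83.37.19 port 51102 ssh2
Nov 14 03:12:04 host sshd[2101]: Failed password for root from 186.83.37.19 port 51102 ssh2
Nov 14 03:15:22 host sshd[2144]: Invalid user administrador from 91.203.224.20
Nov 14 03:15:22 host sshd[2144]: Failed password for invalid user administrador from 91.203.224.20 port 4411 ssh2
Nov 14 03:20:10 host sshd[2190]: Address 190.218.187.184 maps to cpe-001e3348a527.cpe.cableonda.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 14 03:20:11 host sshd[2190]: Failed password for root from 190.218.187.184 port 3022 ssh2
Nov 14 08:01:44 host sshd[2301]: Accepted publickey for tom from 192.0.2.10 port 50022 ssh2
"""

# "invalid user" is optional so one pattern covers both existing and unknown accounts.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+)")
# Both phrasings of the PTR mismatch warning that appear in the logwatch report.
PTR_RE = re.compile(
    r"(?:Address (\S+) maps to|reverse mapping checking getaddrinfo for (\S+) failed)"
    r".*POSSIBLE BREAK-IN ATTEMPT"
)


def summarize(log_text):
    """Return (failed, invalid, ptr) counters: failed is keyed by (user, source),
    invalid by username, ptr by the address or hostname sshd complained about."""
    failed, invalid, ptr = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        # elif chain: a "Failed password for invalid user" line is counted once, as a failure.
        if m := FAILED_RE.search(line):
            failed[(m.group(1), m.group(2))] += 1
        elif m := INVALID_RE.search(line):
            invalid[m.group(1)] += 1
        elif m := PTR_RE.search(line):
            ptr[m.group(1) or m.group(2)] += 1
    return failed, invalid, ptr


def sources_over_threshold(failed, threshold):
    """Source addresses whose failed logins across all accounts reach the threshold,
    i.e. the candidates a blocking tool such as fail2ban or denyhosts would act on."""
    per_ip = Counter()
    for (_user, ip), n in failed.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

The PTR warnings are reported separately from the authentication failures on purpose: as unSpawn notes, a mismatch alone is usually a DNS problem, so the failed-login counts are the numbers that justify blocking.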

Blueleaf 11-15-2010 11:15 AM

Thank you,
I am looking at the following from the Failed SSH link you posted.

Quote:

Make use of the AllowUser, DenyUser tags in sshd_config. Make sure you list exactly who should and who should not
login. IMO, never, ever allow root.

sshd_config:

Code:
# Explicitly set who can and who can not login by way of ssh
AllowGroups users
AllowUsers tom joe harry

# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc

How would I be able to access the sshd_config file if I disable the root? My user isn't able to edit or modify that file.

unSpawn 11-15-2010 12:04 PM

Quote:

Originally Posted by Blueleaf (Post 4159590)
How would I be able to access the sshd_config file if I disable the root? My user isn't able to edit or modify that file.

Disabling root login over the network is a security best practice. It doesn't restrict you from doing damage working as usual. As root install sudo and then edit /etc/sudoers (using visudo, not a text editor!). After disabling root SSH login you log in as unprivileged user and then perform tasks as root using sudo.

