LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 08-25-2015, 05:12 AM   #1
waseland
LQ Newbie
 
Registered: Aug 2015
Posts: 3

Rep: Reputation: Disabled
People trying to break into my Linux server?


My Linux server keeps disconnecting for a few seconds every so often, so I was looking through the logs for any weird things and I found this:

Quote:
Aug 25 04:04:40 vps79313 sshd[2550]: Received disconnect from 123.49.43.215: 11: Bye Bye [preauth]
Aug 25 04:04:43 vps79313 sshd[2552]: reverse mapping checking getaddrinfo for host215.btcl.net.bd [123.49.43.215] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 04:04:43 vps79313 sshd[2552]: Invalid user vyatta from 123.49.43.215
Aug 25 04:04:43 vps79313 sshd[2552]: input_userauth_request: invalid user vyatta [preauth]
Aug 25 04:04:43 vps79313 sshd[2552]: pam_unix(sshd:auth): check pass; user unknown
Aug 25 04:04:43 vps79313 sshd[2552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.49.43.215
Aug 25 04:04:45 vps79313 sshd[2552]: Failed password for invalid user vyatta from 123.49.43.215 port 33649 ssh2
Aug 25 04:04:45 vps79313 sshd[2552]: Received disconnect from 123.49.43.215: 11: Bye Bye [preauth]
Aug 25 04:04:47 vps79313 sshd[2554]: reverse mapping checking getaddrinfo for host215.btcl.net.bd [123.49.43.215] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 04:04:47 vps79313 sshd[2554]: Invalid user ubnt from 123.49.43.215
Aug 25 04:04:47 vps79313 sshd[2554]: input_userauth_request: invalid user ubnt [preauth]
Aug 25 04:04:47 vps79313 sshd[2554]: pam_unix(sshd:auth): check pass; user unknown
Aug 25 04:04:47 vps79313 sshd[2554]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.49.43.215
Aug 25 04:04:49 vps79313 sshd[2554]: Failed password for invalid user ubnt from 123.49.43.215 port 33962 ssh2
Aug 25 04:04:49 vps79313 sshd[2554]: Received disconnect from 123.49.43.215: 11: Bye Bye [preauth]
Aug 25 04:04:51 vps79313 sshd[2556]: reverse mapping checking getaddrinfo for host215.btcl.net.bd [123.49.43.215] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 04:04:51 vps79313 sshd[2556]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.49.43.215 user=root
Aug 25 04:04:53 vps79313 sshd[2556]: Failed password for root from 123.49.43.215 port 34240 ssh2
Aug 25 04:04:54 vps79313 sshd[2556]: Received disconnect from 123.49.43.215: 11: Bye Bye [preauth]
Aug 25 04:20:01 vps79313 CRON[2561]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 25 04:20:02 vps79313 CRON[2561]: pam_unix(cron:session): session closed for user root
Aug 25 04:41:18 vps79313 sshd[2570]: Invalid user ubnt from 37.122.70.58
Aug 25 04:41:18 vps79313 sshd[2570]: input_userauth_request: invalid user ubnt [preauth]
Aug 25 04:41:18 vps79313 sshd[2570]: pam_unix(sshd:auth): check pass; user unknown
Aug 25 04:41:18 vps79313 sshd[2570]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h37-122-70-58.dyn.bashtel.ru
Aug 25 04:41:20 vps79313 sshd[2570]: Failed password for invalid user ubnt from 37.122.70.58 port 60022 ssh2
Aug 25 04:41:20 vps79313 sshd[2570]: Connection closed by 37.122.70.58 [preauth]
Aug 25 05:20:01 vps79313 CRON[2581]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 25 05:20:01 vps79313 CRON[2581]: pam_unix(cron:session): session closed for user root
Aug 25 06:20:01 vps79313 CRON[2599]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 25 06:20:01 vps79313 CRON[2599]: pam_unix(cron:session): session closed for user root
Aug 25 07:20:01 vps79313 CRON[2617]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 25 07:20:01 vps79313 CRON[2617]: pam_unix(cron:session): session closed for user root
Aug 25 07:36:06 vps79313 sshd[2625]: reverse mapping checking getaddrinfo for hosted-by.hostway.nl [82.192.74.165] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 07:36:06 vps79313 sshd[2625]: Invalid user kodi from 82.192.74.165
Aug 25 07:36:06 vps79313 sshd[2625]: input_userauth_request: invalid user kodi [preauth]
Aug 25 07:36:06 vps79313 sshd[2625]: pam_unix(sshd:auth): check pass; user unknown
Aug 25 07:36:06 vps79313 sshd[2625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.192.74.165
Aug 25 07:36:07 vps79313 sshd[2625]: Failed password for invalid user kodi from 82.192.74.165 port 46967 ssh2
Aug 25 07:36:07 vps79313 sshd[2625]: Received disconnect from 82.192.74.165: 11: Bye Bye [preauth]
Aug 25 07:36:08 vps79313 sshd[2627]: reverse mapping checking getaddrinfo for hosted-by.hostway.nl [82.192.74.165] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 07:36:08 vps79313 sshd[2627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.192.74.165 user=root
Aug 25 07:36:09 vps79313 sshd[2627]: Failed password for root from 82.192.74.165 port 47240 ssh2
Aug 25 07:36:09 vps79313 sshd[2627]: Received disconnect from 82.192.74.165: 11: Bye Bye [preauth]
Aug 25 07:36:09 vps79313 sshd[2629]: reverse mapping checking getaddrinfo for hosted-by.hostway.nl [82.192.74.165] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 25 07:36:09 vps79313 sshd[2629]: Invalid user vagrant from 82.192.74.165
Aug 25 07:36:09 vps79313 sshd[2629]: input_userauth_request: invalid user vagrant [preauth]
Aug 25 07:36:09 vps79313 sshd[2629]: pam_unix(sshd:auth): check pass; user unknown
Aug 25 07:36:09 vps79313 sshd[2629]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=82.192.74.165
Aug 25 07:36:11 vps79313 sshd[2629]: Failed password for invalid user vagrant from 82.192.74.165 port 47412 ssh2
Aug 25 07:36:11 vps79313 sshd[2629]: Received disconnect from 82.192.74.165: 11: Bye Bye [preauth]
This continues for another 7000 lines. What are those IPs trying to log in to my Linux server?

Yours sincerely,
Waseland
 
Old 08-25-2015, 09:53 AM   #2
Spinacz
LQ Newbie
 
Registered: Aug 2015
Posts: 5

Rep: Reputation: Disabled
I've got the same problem.
Iptables and cutting off those IPs..
I've changed the SSH port too..
 
Old 08-25-2015, 08:57 PM   #3
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

Rep: Reputation: 6142
Random port scans take place all the time and are nothing to be alarmed about. Unless you have reason to believe you are being targeted specifically, it's likely nothing more than that--random port scans.

Nevertheless, if you have not already done so, install fail2ban and double-check your firewall and your router settings.
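
Added example, not part of any post in this thread: a small Python triage script for an sshd auth log like the one quoted in post #1. It counts failed password attempts per source address, separates guesses at nonexistent accounts from guesses at real ones, and lists any accepted login that came from an address that also failed. The sample lines are copied from post #1 except the two from 203.0.113.7, which are constructed; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the log in post #1, plus two CONSTRUCTED
# lines (203.0.113.7) that show a success following a failure.
SAMPLE_LOG = """\
Aug 25 04:04:45 vps79313 sshd[2552]: Failed password for invalid user vyatta from 123.49.43.215 port 33649 ssh2
Aug 25 04:04:49 vps79313 sshd[2554]: Failed password for invalid user ubnt from 123.49.43.215 port 33962 ssh2
Aug 25 04:04:53 vps79313 sshd[2556]: Failed password for root from 123.49.43.215 port 34240 ssh2
Aug 25 04:20:01 vps79313 CRON[2561]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 25 04:41:20 vps79313 sshd[2570]: Failed password for invalid user ubnt from 37.122.70.58 port 60022 ssh2
Aug 25 07:36:07 vps79313 sshd[2625]: Failed password for invalid user kodi from 82.192.74.165 port 46967 ssh2
Aug 25 07:36:09 vps79313 sshd[2627]: Failed password for root from 82.192.74.165 port 47240 ssh2
Aug 25 07:36:11 vps79313 sshd[2629]: Failed password for invalid user vagrant from 82.192.74.165 port 47412 ssh2
Aug 25 08:00:01 vps79313 sshd[3001]: Failed password for root from 203.0.113.7 port 50000 ssh2
Aug 25 08:00:05 vps79313 sshd[3003]: Accepted password for root from 203.0.113.7 port 50002 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(lines):
    """Return (per-IP failure stats, list of accepted logins)."""
    stats = defaultdict(lambda: {"failures": 0, "invalid_users": set(), "real_users": set()})
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            invalid, user, ip = m.groups()
            entry = stats[ip]
            entry["failures"] += 1
            entry["invalid_users" if invalid else "real_users"].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    return dict(stats), accepted

def suspicious_successes(stats, accepted):
    """Accepted logins from an address that also produced failed attempts."""
    return [a for a in accepted if a[0] in stats]

if __name__ == "__main__":
    stats, accepted = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["failures"]):
        print(ip, s["failures"], sorted(s["invalid_users"]), sorted(s["real_users"]))
    print("check these:", suspicious_successes(stats, accepted))
```

On a real system, pass the lines of the auth log to `summarize()` instead of `SAMPLE_LOG`; an empty "check these" list means no password guesser in that file went on to log in.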
 
  

