[SOLVED] Need help understanding "secure" log entry re: SSH login attempt
Below are secure log entries for two IPs (I've modified the actual IPs) attempting access to my fedora core29 server. I am confused by the text strings "Bye Bye" and "Thank you for playing" that appear in the log entries. They seem to indicate that the IP has been successfully logged in and is now disconnecting.
My fedora uses "key authentication" for login via SSHD, and passwords are disabled. I also use fail2ban, and these IPs are being banned.
I am getting about 100-150 different IPs a day in the secure log with entries identical to these. Normally each IP only appears in the log once with three entries like below. My banned list is growing out of control -- over about 400 after just 2-3 days.
My questions are:
1. If anyone can help me understand what the text strings "Bye Bye" and "Thank you for playing" entries really mean I would appreciate it. Did the IP actually log in at some point?
2. What exactly does the [preauth] mean at the end of each entry? From my research I think it means pre-authorization. However, does that mean the IP did not successfully log in?
3. Is there any way to further stop these attempts, and stop the banned list from becoming so large? (I am assuming the large banned list is consuming a lot of CPU and somewhat slowing down the server).
Thanks in advance for any help.
switcher
May 3 02:17:52 fedora-29 sshd[22769]: Invalid user aptproxy from 120.0.0.1 port 36204
May 3 02:17:52 fedora-29 sshd[22769]: Received disconnect from 120.0.0.1 port 36204:11: Bye Bye [preauth]
May 3 02:17:52 fedora-29 sshd[22769]: Disconnected from invalid user aptproxy 120.0.0.1 port 36204 [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Invalid user default from 121.0.0.2 port 54234
May 3 02:12:23 fedora-29 sshd[22209]: Received disconnect from 121.0.0.2 port 54234:11: Normal Shutdown, Thank you for playing [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Disconnected from invalid user default 121.0.0.2 port 54234 [preauth]
The other message Normal Shutdown, Thank you for playing [preauth] is also well-known.
Both messages seem to indicate brute-force password guessing attempts. I don't know if there are better mechanisms than fail2ban to get rid of them. Would the firewall work? Perhaps you can block entire subnets instead of single addresses.
Those messages come from the SSH client being used when it disconnects, and get logged by the server verbatim. They are pre-auth, so no one logged in. As noted by berndbausch these brute-force attacks are very common and there isn't much you can do about it on the open internet. You can minimize the risk by using only key-based auth and you can try to hide by configuring your SSH daemon to listen on a non-standard port. But you can't completely get rid of such attacks.
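As an added example (not code from any poster in this thread), the following shell script does the check that answers questions 1 and 2 mechanically: it walks a secure log, ties each sshd line back to the client address, and counts "Invalid user", "[preauth]" disconnects and "Accepted" logins per address. The two sessions quoted above are embedded as constructed sample input together with one made-up successful key login (203.0.113.5 is a documentation address and the fingerprint is a placeholder) so that the difference between a pre-auth disconnect and a real login is visible in the output.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an sshd "secure" log.
# Anything tagged "[preauth]" happened before authentication finished, so
# that peer never got a session; only "Accepted ..." lines are real logins.

# Constructed sample: the two sessions quoted in the thread plus one made-up
# successful key login (203.0.113.5 is a documentation address, the
# fingerprint is a placeholder).
make_sample_log() {
  cat > "$1" <<'EOF'
May 3 02:17:52 fedora-29 sshd[22769]: Invalid user aptproxy from 120.0.0.1 port 36204
May 3 02:17:52 fedora-29 sshd[22769]: Received disconnect from 120.0.0.1 port 36204:11: Bye Bye [preauth]
May 3 02:17:52 fedora-29 sshd[22769]: Disconnected from invalid user aptproxy 120.0.0.1 port 36204 [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Invalid user default from 121.0.0.2 port 54234
May 3 02:12:23 fedora-29 sshd[22209]: Received disconnect from 121.0.0.2 port 54234:11: Normal Shutdown, Thank you for playing [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Disconnected from invalid user default 121.0.0.2 port 54234 [preauth]
May 3 02:20:10 fedora-29 sshd[22901]: Accepted publickey for switcher from 203.0.113.5 port 50100 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
EOF
}

# Print one line per client address:
#   IP  invalid-user-count  preauth-disconnect-count  accepted-login-count
summarize_sshd() {
  awk '
    /sshd\[[0-9]+\]:/ {
      ip = ""
      if ($0 ~ /Invalid user .* from /) {
        # "Invalid user NAME from IP port N": the name was not a real account
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip != "") invalid[ip]++
      } else if ($0 ~ /Received disconnect from .*\[preauth\]/) {
        # The text after the code ("Bye Bye", "Thank you for playing") is
        # whatever the client chose to send; the server just logs it.
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip != "") preauth[ip]++
      } else if ($0 ~ /Accepted (publickey|password|keyboard-interactive)/) {
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip != "") accepted[ip]++
      }
      if (ip != "") seen[ip] = 1
    }
    END {
      for (ip in seen)
        printf "%s %d %d %d\n", ip, invalid[ip] + 0, preauth[ip] + 0, accepted[ip] + 0
    }
  ' "$1" | sort
}

# Addresses that only ever appear pre-auth: exactly the thread's case.
never_authenticated() {
  summarize_sshd "$1" | awk '$3 > 0 && $4 == 0 { print $1 }'
}

# Addresses that completed a login; this is the short list worth reviewing.
accepted_logins() {
  summarize_sshd "$1" | awk '$4 > 0 { print $1 }'
}

# Demo run on the constructed sample (use a real file such as
# /var/log/secure in place of it).
sample=$(mktemp)
make_sample_log "$sample"
summarize_sshd "$sample"
echo "never got past preauth: $(never_authenticated "$sample" | tr '\n' ' ')"
echo "completed logins: $(accepted_logins "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

On the sample the two addresses from the thread come out with a pre-auth disconnect and no accepted login, which is what "[preauth]" already tells you line by line; the "accepted" column is the one to watch, since a non-zero count there for an address you do not recognise is the case that actually needs attention.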
My thanks to both of you for the responses.
I did follow the links provided by berndbausch and they were very helpful in understanding what these logs mean. (I did some searching via Google, but not DuckDuckGo, and I guess my search string was not very good - I used a longer search string and got a bunch of stuff that did not help too much. In my search, I also did not find the post at linuxquestions that you referred me to (which proved to be very helpful) -- lesson learned: keep the search string short!) I do apologize for not finding posts that already address the question. I know that is a sensitive issue.
Two followup questions on your recommendation:
1. Regarding the sshd service version: I am running the latest release of fedora (core 29) and have the latest updates available for that core. Is there possibly a newer version of sshd for core 29 that would be available via a method other than "dnf update"? How would I do that?
2. I can put IP blocks (instead of individual IPs) in the firewall. However, do you know if putting in IP blocks will use less CPU than individual IPs? Or are CPU cycles even a valid concern regarding IP blocking in the firewall, or are the CPU cycles just too small to worry about? I am running an Intel 7i7 CPU. (I ask this because in the past I put a large number of blocks of IPs in the firewall (China, Russia), and the system response slowed enough that it was noticeable. I assumed the slowdown in response time was due to the large number of blocks of IPs in the firewall, but that might have been a bad assumption on my part.)
Thanknix, I appreciate your comments. They did relieve my concern about someone actually having success in logging in.
(I do currently use key authentication, and passwords are disabled. I also use a non-standard ssh port. I do appreciate the suggestions, however, because a few months ago I was still using password authentication).
Quote:
1. Regarding the sshd service version: I am running the latest release of fedora (core 29) and have the latest updates available for that core. Is there possibly a newer version of sshd for core 29 that would be available via a method other than "dnf update"? How would I do that?
Possibly in rawhide, but I'm not sure it's useful to install a newer version, unless you are specifically aware of a feature in the latest version that you need.
Quote:
2. I can put IP blocks (instead of individual IPs) in the firewall. However, do you know if putting in IP blocks will use less CPU than individual IPs? Or are CPU cycles even a valid concern regarding IP blocking in the firewall, or are the CPU cycles just too small to worry about? I am running an Intel 7i7 CPU. (I ask this because in the past I put a large number of blocks of IPs in the firewall (China, Russia), and the system response slowed enough that it was noticeable. I assumed the slowdown in response time was due to the large number of blocks of IPs in the firewall, but that might have been a bad assumption on my part.)
I don't think it matters much unless you start getting into the thousands of rules per chain. If you want to block large swaths of IP space, the ipset extension to iptables is what you want.
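As an added example (not code from any poster in this thread), here is the shape of what the ipset suggestion above and berndbausch's "block entire subnets" idea look like in practice: a list of individually banned addresses is collapsed to their /24 networks and written out in the format that "ipset restore" reads, so that iptables needs a single "-m set" rule instead of one rule per address. The set name "sshblock" and the five input addresses are constructed for the example; nothing in the script needs root or the ipset binary, it only produces the restore file.

```shell
#!/bin/sh
# Added example, not code from the thread: turn a long list of individually
# banned addresses into one hash:net ipset that iptables consults with a
# single rule. Only the restore file is written here; loading it
# ("ipset restore < FILE") and inserting the rule need root.

# Constructed input: single addresses in the style of the thread's
# (already altered) log IPs.
BANNED_SAMPLE='120.0.0.1
120.0.0.7
120.0.0.200
121.0.0.2
198.51.100.9'

# Collapse single IPv4 addresses read on stdin to their /24 network and
# print each network once. Lines that are not dotted quads are skipped.
collapse_to_24() {
  awk -F. 'NF == 4 { printf "%s.%s.%s.0/24\n", $1, $2, $3 }' | sort -u
}

# Emit an "ipset restore" script for set $1 (name is an assumption) from
# addresses read on stdin: hash:net stores a whole /24 as one entry.
build_ipset_restore() {
  set_name=$1
  printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
  collapse_to_24 | while read -r net; do
    printf 'add %s %s\n' "$set_name" "$net"
  done
}

# The one iptables rule that replaces hundreds of per-address rules.
iptables_rule_for() {
  printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Demo: write the restore file and show the matching rule.
out="${TMPDIR:-/tmp}/sshblock.ipset"
echo "$BANNED_SAMPLE" | build_ipset_restore sshblock > "$out"
echo "wrote $out:"
cat "$out"
echo "then, as root: ipset restore < $out && $(iptables_rule_for sshblock)"
```

Two points worth keeping in mind when using this. A hash:net set is looked up by hashing, so its cost does not grow with the number of entries the way a long linear iptables chain does, which is the reason it scales better than one rule per address. And collapsing to /24 widens each ban from one address to 256, so a single noisy host takes its neighbours with it; for a server that only accepts key logins on a non-standard port the question is whether that wider block is worth it at all, since pre-auth probes from unknown hosts cannot succeed anyway.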
Thanks a lot for the reply on my two questions. I am not aware of rawhide, but I will look into that.
Currently I am utilizing the ipset feature for the firewall, via the GUI interface. Perhaps the problem I had before was that I was trying to block huge volumes of IPs. I was trying to completely block all of China, Russia and some smaller countries. Probably too much.