LinuxQuestions.org, Linux - Newbie forum
05-03-2019, 09:52 AM   #1
switcher1 (Member; registered Jul 2006; 43 posts)
Need help understanding "secure" log entry re: SSH login attempt


Below are secure log entries for two IPs (I've modified the actual IPs) attempting access to my Fedora core29 server. I am confused by the text strings "Bye Bye" and "Thank you for playing" that appear in the log entries. They seem to indicate that the IP has been successfully logged in and is now disconnecting.

My Fedora uses "key authentication" for login via SSHD, and passwords are disabled. I also use fail2ban, and these IPs are being banned.

I am getting about 100-150 different IPs a day in the secure log with entries identical to these. Normally each IP only appears in the log once, with three entries like below. My banned list is growing out of control, over about 400 after just 2-3 days.

My questions are:
1. If anyone can help me understand what the text strings "Bye Bye" and "Thank you for playing" entries really mean I would appreciate it. Did the IP actually log in at some point?
2. What exactly does the [preauth] mean at the end of each entry? From my research I think it means pre-authorization. However, does that mean the IP did not successfully log in?
3. Is there any way to further stop these attempts, and stop the banned list from becoming so large? (I am assuming the large banned list is consuming a lot of CPU and somewhat slowing down the server.)

Thanks in advance for any help.
switcher

May 3 02:17:52 fedora-29 sshd[22769]: Invalid user aptproxy from 120.0.0.1 port 36204
May 3 02:17:52 fedora-29 sshd[22769]: Received disconnect from 120.0.0.1 port 36204:11: Bye Bye [preauth]
May 3 02:17:52 fedora-29 sshd[22769]: Disconnected from invalid user aptproxy 120.0.0.1 port 36204 [preauth]

May 3 02:12:23 fedora-29 sshd[22209]: Invalid user default from 121.0.0.2 port 54234
May 3 02:12:23 fedora-29 sshd[22209]: Received disconnect from 121.0.0.2 port 54234:11: Normal Shutdown, Thank you for playing [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Disconnected from invalid user default 121.0.0.2 port 54234 [preauth]
 
05-03-2019, 10:18 AM   #2
berndbausch (LQ Addict; registered Nov 2013; Tokyo; distribution: mostly Ubuntu and CentOS; 6,316 posts)
You get many results when searching for the string bye bye [preauth]. The question has even been asked on Linuxquestions.

The other message Normal Shutdown, Thank you for playing [preauth] is also well-known.

Both messages seem to indicate brute-force password guessing attempts. I don't know if there are better mechanisms than fail2ban to get rid of them. Would the firewall work? Perhaps you can block entire subnets instead of single addresses.

And perhaps you need to update sshd?
 
05-03-2019, 10:29 AM   #3
thinknix (Member; registered Nov 2008; distribution: lots; 178 posts)
Those messages come from the SSH client being used when it disconnects, and get logged by the server verbatim. They are pre-auth, so no one logged in. As noted by berndbausch, these brute-force attacks are very common and there isn't much you can do about it on the open internet. You can minimize the risk by using only key-based auth and you can try to hide by configuring your SSH daemon to listen on a non-standard port. But you can't completely get rid of such attacks.
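An added example, not from the thread: a small Python script that parses lines in the format shown in post #1 and answers the "did this IP ever log in?" question per address. The sample log is constructed from the post's own lines (its placeholder addresses kept) plus an assumed "Accepted publickey" login from 192.0.2.10 for contrast; the user name switcher and the key fingerprint in that line are made up. Two facts it relies on: sshd appends [preauth] to every message it logs before authentication has completed, and the number after the port in "Received disconnect from ... :11:" is the SSH_MSG_DISCONNECT reason code from RFC 4253 section 11.1, where 11 means the client closed the connection itself and the text after it is whatever string that client chose to send.

```python
"""Classify sshd lines from /var/log/secure per remote address: did the peer
ever get past authentication, or did everything it did end in [preauth]?"""
import re
from collections import defaultdict

# Disconnect reason codes from RFC 4253 section 11.1. The number between the
# colons in "Received disconnect from IP port N:11: <text>" is the code; 11 is
# SSH_DISCONNECT_BY_APPLICATION (the client chose to hang up) and <text> is a
# free-form string supplied by that client, which is where "Bye Bye" and
# "Thank you for playing" come from. sshd logs it verbatim.
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
    5: "MAC_ERROR", 6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE",
    10: "CONNECTION_LOST", 11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS",
    13: "AUTH_CANCELLED_BY_USER", 14: "NO_MORE_AUTH_METHODS_AVAILABLE",
    15: "ILLEGAL_USER_NAME",
}

# Constructed sample: the two bursts from the post (placeholder IPs kept), plus
# an assumed real key login from 192.0.2.10 so the classifier has a contrast.
SAMPLE_LOG = """\
May 3 02:17:52 fedora-29 sshd[22769]: Invalid user aptproxy from 120.0.0.1 port 36204
May 3 02:17:52 fedora-29 sshd[22769]: Received disconnect from 120.0.0.1 port 36204:11: Bye Bye [preauth]
May 3 02:17:52 fedora-29 sshd[22769]: Disconnected from invalid user aptproxy 120.0.0.1 port 36204 [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Invalid user default from 121.0.0.2 port 54234
May 3 02:12:23 fedora-29 sshd[22209]: Received disconnect from 121.0.0.2 port 54234:11: Normal Shutdown, Thank you for playing [preauth]
May 3 02:12:23 fedora-29 sshd[22209]: Disconnected from invalid user default 121.0.0.2 port 54234 [preauth]
May 3 02:30:01 fedora-29 sshd[22900]: Accepted publickey for switcher from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:0000000000000000000000000000000000000000000
May 3 02:45:10 fedora-29 sshd[22900]: Disconnected from user switcher 192.0.2.10 port 50000
"""

SSHD = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")
PATTERNS = {
    "invalid": re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+"),
    "failed": re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"),
    "recv_disc": re.compile(r"^Received disconnect from (?P<ip>\S+) port \d+:(?P<code>\d+): (?P<text>.*?)(?: \[preauth\])?$"),
    "disconnected": re.compile(r"^Disconnected from (?:(?:invalid |authenticating )?user \S+ )?(?P<ip>\S+) port \d+"),
}


def summarize(log_text):
    """Return {ip: record}. A non-empty 'accepted' list is the only thing that
    means the peer logged in; [preauth] lines and 'Invalid user' lines are all
    written before sshd ever reached a credential check."""
    per_ip = defaultdict(lambda: {"users": set(), "accepted": [], "failed": 0,
                                  "disconnects": [], "preauth": 0, "lines": 0})
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue  # not an sshd line at all
        msg = m["msg"]
        for kind, pat in PATTERNS.items():
            mm = pat.match(msg)
            if mm:
                break
        else:
            continue  # other sshd chatter; not needed for the verdict
        rec = per_ip[mm["ip"]]
        rec["lines"] += 1
        rec["preauth"] += msg.endswith("[preauth]")
        if kind in ("invalid", "failed"):
            rec["users"].add(mm["user"])
            if kind == "failed":
                rec["failed"] += 1
        elif kind == "accepted":
            rec["accepted"].append((mm["user"], mm["method"]))
        elif kind == "recv_disc":
            code = int(mm["code"])
            rec["disconnects"].append((code, DISCONNECT_REASONS.get(code, "UNKNOWN"), mm["text"]))
    return dict(per_ip)


def verdict(ip, rec):
    """One-line answer to 'did this address ever log in?'."""
    if rec["accepted"]:
        who = ", ".join(f"{u} via {meth}" for u, meth in rec["accepted"])
        return f"{ip}: LOGGED IN as {who}"
    tried = ", ".join(sorted(rec["users"])) or "(none)"
    reasons = "; ".join(f'code {c} {name} "{text}"' for c, name, text in rec["disconnects"])
    return (f"{ip}: never authenticated ({rec['preauth']} of {rec['lines']} lines [preauth]); "
            f"usernames tried: {tried}; client said: {reasons}")


if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(verdict(ip, rec))
```

Run it on the real file with summarize(open("/var/log/secure").read()). Any address without an "Accepted" line never got in, whatever its client said on the way out; on a key-only server the line worth alerting on is an "Accepted publickey" from a source you do not recognise, not "Bye Bye".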
 
05-03-2019, 11:26 AM   #4
switcher1 (original poster)

My thanks to both of you for the responses.

I did follow the links provided by berndbausch and they were very helpful in understanding what these logs mean. (I did some searching via Google, but not DuckDuckGo, and I guess my search string was not very good; I used a longer search string and got a bunch of stuff that did not help too much. In my search, I also did not find the post at LinuxQuestions that you referred me to (which proved to be very helpful). Lesson learned: keep the search string short!) I do apologize for not finding posts that already address the question. I know that is a sensitive issue.

Two followup questions on your recommendation:

1. Regarding the sshd service version: I am running the latest release of fedora (core 29) and have the latest updates available for that core. Is there possibly a newer version of sshd for core 29 that would be available via a method other than "dnf update"? How would I do that?

2. I can put IP blocks (instead of individual IPs) in the firewall. However, do you know if putting in IP blocks will use less CPU than individual IPs? Or are CPU cycles even a valid concern regarding IP blocking in the firewall, or are the CPU cycles just too small to worry about? I am running an Intel 7i7 CPU. (I ask this because in the past I put a large number of blocks of IPs in the firewall (China, Russia), and the system response slowed enough that it was noticeable. I assumed the slowdown in response time was due to the large number of blocks of IPs in the firewall, but that might have been a bad assumption on my part.)

thinknix, I appreciate your comments. They did relieve my concern about someone actually having success in logging in.
(I do currently use key authentication, and passwords are disabled. I also use a non-standard ssh port. I do appreciate the suggestions, however, because a few months ago I was still using password authentication).


Thanks again to both of you for the help.

Last edited by switcher1; 05-03-2019 at 11:30 AM.
 
05-03-2019, 03:24 PM   #5
thinknix
Quote (originally posted by switcher1):
1. Regarding the sshd service version: I am running the latest release of fedora (core 29) and have the latest updates available for that core. Is there possibly a newer version of sshd for core 29 that would be available via a method other than "dnf update"? How would I do that?
Possibly in rawhide, but I'm not sure it's useful to install a newer version, unless you are specifically aware of a feature in the latest version that you need.

Quote (originally posted by switcher1):
2. I can put IP blocks (instead of individual IPs) in the firewall. However, do you know if putting in IP blocks will use less CPU than individual IPs? Or are CPU cycles even a valid concern regarding IP blocking in the firewall, or are the CPU cycles just too small to worry about? I am running an Intel 7i7 CPU. (I ask this because in the past I put a large number of blocks of IPs in the firewall (China, Russia), and the system response slowed enough that it was noticeable. I assumed the slowdown in response time was due to the large number of blocks of IPs in the firewall, but that might have been a bad assumption on my part.)
I don't think it matters much unless you start getting into the thousands of rules per chain. If you want to block large swaths of IP space, the ipset extension to iptables is what you want.
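An added example, not code from the thread, of the direction posts #2 and #5 point in: collapse the per-address ban list into networks and match all of them with one ipset of type hash:net, so the firewall does a single hash lookup instead of walking one rule per banned address. The ban list below is constructed from RFC 5737 documentation ranges and stands in for the "Banned IP list" field of fail2ban-client status sshd; the set name sshblock, the /24 grouping and the three-hit threshold are my choices. The script only generates the ipset, iptables and firewall-cmd text; applying it needs root.

```python
"""Collapse a fail2ban-style list of banned addresses into CIDR blocks and
emit one ipset (type hash:net) plus the single iptables rule that matches it,
instead of one firewall rule per address."""
import ipaddress
from collections import defaultdict

# Constructed ban list using RFC 5737 documentation ranges. It stands in for
# the "Banned IP list" field of `fail2ban-client status sshd`; the "junk"
# entry is there to show that a malformed line does not abort the run.
BANNED = [
    "198.51.100.4", "198.51.100.17", "198.51.100.23", "198.51.100.200",
    "198.51.100.251", "203.0.113.9", "203.0.113.77", "192.0.2.7", "junk",
]


def aggregate(ips, prefixlen=24, min_hits=3):
    """Minimal sorted list of IPv4 networks covering ips. A /prefixlen that
    contributed at least min_hits distinct addresses is blocked whole (that is
    the collateral-damage trade-off, made explicit); everything else stays a
    /32. Unparseable entries and IPv6 addresses are skipped."""
    members = defaultdict(set)
    for s in ips:
        try:
            addr = ipaddress.ip_address(s.strip())
        except ValueError:
            continue
        if addr.version != 4:
            continue  # a hash:net set is single-family; v6 needs its own set
        members[ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)].add(addr)
    nets = []
    for block, addrs in members.items():
        if len(addrs) >= min_hits:
            nets.append(block)
        else:
            nets.extend(ipaddress.ip_network(f"{a}/32") for a in addrs)
    # collapse_addresses also merges adjacent /32s into the smallest supernet
    return sorted(ipaddress.collapse_addresses(nets))


def ipset_restore(nets, setname="sshblock"):
    """Input for `ipset restore` (as root; use `ipset restore -exist` when
    re-applying over an existing set): one hash:net set, one add per network."""
    lines = [f"create {setname} hash:net family inet hashsize 1024 maxelem 65536"]
    lines += [f"add {setname} {net.with_prefixlen}" for net in nets]
    return "\n".join(lines) + "\n"


def iptables_rule(setname="sshblock", port=22):
    """The one rule that replaces a DROP rule per banned address. The match is
    a hash probe, so the size of the set no longer scales the per-packet work.
    port is the sshd listening port (the poster uses a non-standard one)."""
    return (f"iptables -I INPUT -p tcp --dport {port} "
            f"-m set --match-set {setname} src -j DROP")


def firewalld_commands(nets, setname="sshblock"):
    """The same thing through firewalld, which is what the firewall-config GUI
    drives; the set is attached to the built-in drop zone as a source."""
    cmds = [f"firewall-cmd --permanent --new-ipset={setname} --type=hash:net"]
    cmds += [f"firewall-cmd --permanent --ipset={setname} --add-entry={n.with_prefixlen}"
             for n in nets]
    cmds += [f"firewall-cmd --permanent --zone=drop --add-source=ipset:{setname}",
             "firewall-cmd --reload"]
    return cmds


if __name__ == "__main__":
    nets = aggregate(BANNED)
    print(f"# {len(BANNED)} banned entries -> {len(nets)} set members, 1 rule")
    print(ipset_restore(nets), end="")
    print(iptables_rule(port=22))
    print("\n".join(firewalld_commands(nets)))
```

Because the poster manages the firewall with the firewalld GUI, the firewall-cmd variant is the one that survives a reload on that box; the raw iptables rule is what the ipset extension thinknix names looks like underneath. Dropping a whole /24 because three of its hosts scanned you is deliberate collateral damage; raise min_hits, or shorten the prefix, if that is not acceptable for your traffic.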
 
05-03-2019, 08:00 PM   #6
switcher1 (original poster)
Thanks a lot for the reply on my two questions. I am not aware of Rawhide, but I will look into that.
Currently I am utilizing the ipset feature for the firewall, via the GUI interface. Perhaps the problem I had before was that I was trying to block huge volumes of IPs. I was trying to completely block all of China, Russia and some smaller countries. Probably too much.

Thanks again for the tips.
 
  

