[SOLVED] Need help understanding "secure" log sshd hack attempts.
Below I have listed 6 lines from the "secure" log. I have several questions about reading these lines:
1) The 1st line mentions port 50184. Has the intruder requested this port or has my machine opened this port based on the sshd attempt from the intruder?
Note: port 50184 is not open on my machine, it is stealth per grc.com port checker service.
2) What is line #3 (check pass; user unknown) actually telling me?
3) Why is line #5 saying "failed password" when the user is invalid? If the user is invalid why is it allowing a password to be entered?
Any assistance will be most helpful.
I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.
>>secure log lines<<
Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]
Lines like these appear hundreds of times, each IP only making one attempt, and all using different user names, and different ports.
An "invalid user" may still attempt to enter a password. Indeed, the failed password is likely (I don't know for sure) what tells the system that the user is invalid. I think most systems don't attempt to authenticate a login until both username and password have been entered.
Source ports are always random. You have 22 open but when someone connects, or attempts to, the port they originate from is typically a random, high numbered port.
1) The port is the port on the remote machine from which the connection is coming.
2) It means that you still have password authentication enabled, instead of eliminating it in favor of key-based authentication. It also means that PAM is processing the password request as it should.
3) Probably poor wording in the error message; if I recall correctly, the error applies to either an incorrect user or an incorrect password. The server tries to leak as little information to the attacker as possible, but that idea also affects the log records.
Quote:
Originally Posted by switcher1
I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.
Thanks everyone so much for the comments, and links on random IP's, "Hail Mary net" changes and high ports. Very helpful.
I will work on eliminating passwords and using key-based authentication - about which I currently know nothing. Great advice.
I'd add two suggestions. The first is to use Ed25519 keys when possible, unless RSA is needed for backwards compatibility. The second would be to plan for the eventuality of having more than one key pair on your client by using the -f and -C options when creating each set. The -f allows you to name the keypair something memorable so you can recognize it among the many keys you'll have on your client. The -C allows a comment in the public key so that you can keep track of it on the server, especially if you have several single-purpose keys.
Code:
# RSA only where an older server needs it; the -f name tells the keys apart on the client
ssh-keygen -f ~/.ssh/some-server_rsa -t rsa -C 'me from some desktop'
# Ed25519 is the preferred type when the server supports it
ssh-keygen -f ~/.ssh/some-server_ed25519 -t ed25519 -C 'me from some desktop'
See 'man ssh-keygen'.
Then take advantage of the SSH client's configuration file to remember which key goes where.
Always put the more specific configurations first, nearer the beginning of the file, and the more general configurations towards the end, with the globals last.
The client configuration file is underappreciated. See 'man ssh_config' for details.
Last edited by Turbocapitalist; 07-09-2018 at 10:39 AM.
Reason: rsa -> ed25519
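An added illustration of the ordering advice in the post above (this is not Turbocapitalist's own file): a client ~/.ssh/config with the per-host entries first and the catch-all Host * block last, so that the first value found for each option wins. The host names, port, user name and key file names are assumptions.

```text
# ~/.ssh/config (client side). ssh_config uses the first value it finds for each
# option, so specific Host blocks go first and the global block goes last.

# Server that takes the Ed25519 key; port number is assumed (the thread's "unusual high number")
Host some-server
    HostName some-server.example.com
    Port 2222
    User me
    IdentityFile ~/.ssh/some-server_ed25519
    # offer only the key named above, not every key the agent holds
    IdentitiesOnly yes

# Older host that still needs RSA (assumed example)
Host old-appliance
    HostName 192.0.2.20
    User admin
    IdentityFile ~/.ssh/some-server_rsa
    IdentitiesOnly yes

# Globals: apply to anything not matched above
Host *
    PasswordAuthentication no
    HashKnownHosts yes
```

Check what the client will actually use for a host with `ssh -G some-server`, which prints the resolved configuration without connecting.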
Great, thanks to all for the additional links and suggestions. They all proved most valuable and informative to me. I utilized information from all of them.
I now have key authorization working and passwords turned off.
My appreciation to all who contributed to this thread.
Since I activated ssh key authorization and turned off password login for SSH, the logs are repeating as shown below.
All IP's seem to appear only once and usually with a single line entry in the log, i.e.
Jul 7 19:19:53 localhost sshd[2840]: Connection closed by 119.163.122.32 port 45991 [preauth]
However, about every 10-15 single-line log entries (like above) there is a 3-line entry as below:
Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 106.14.202.255 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 106.14.202.255 port 9992 [preauth]
Does anyone know why the two different type log entries are appearing? I was thinking that with key authorization all the log entries would be like the single-line entry.
Secure log excerpt below:
Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 106.14.202.255 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 106.14.202.255 port 9992 [preauth]
Jul 7 19:18:06 localhost sshd[2545]: Connection closed by 31.14.142.109 port 10761 [preauth]
Jul 7 19:19:53 localhost sshd[2840]: Connection closed by 119.163.122.32 port 45991 [preauth]
Jul 7 19:22:02 localhost sshd[4435]: Connection closed by 197.159.128.171 port 58329 [preauth]
Jul 7 19:25:17 localhost sshd[5462]: Connection closed by 120.209.139.68 port 56774 [preauth]
Jul 7 19:25:56 localhost sshd[5709]: Connection closed by 119.163.122.32 port 24797 [preauth]
Jul 7 19:27:39 localhost sshd[6479]: Connection closed by 112.65.170.186 port 50022 [preauth]
Jul 7 19:28:06 localhost sshd[6959]: Connection closed by 118.126.65.175 port 56904 [preauth]
Jul 7 19:34:23 localhost sshd[7680]: Connection closed by 197.159.128.171 port 58536 [preauth]
Jul 7 19:34:23 localhost sshd[8547]: Connection closed by 120.209.139.61 port 64688 [preauth]
Jul 7 19:34:23 localhost sshd[9405]: Connection closed by 119.163.122.32 port 50983 [preauth]
Jul 7 19:36:47 localhost sshd[10883]: Connection closed by 120.209.139.68 port 54820 [preauth]
Jul 7 19:36:47 localhost sshd[10914]: Connection closed by 112.65.170.186 port 41490 [preauth]
Jul 7 19:36:49 localhost sshd[11172]: Connection closed by 197.159.128.171 port 58738 [preauth]
Jul 7 19:38:14 localhost sshd[11811]: Invalid user xiao from 34.207.11.241 port 60169
Jul 7 19:38:14 localhost sshd[11811]: input_userauth_request: invalid user xiao [preauth]
Jul 7 19:38:14 localhost sshd[11811]: Connection closed by 34.207.11.241 port 60169 [preauth]
Jul 7 19:39:20 localhost sshd[12510]: Connection closed by 118.126.65.175 port 57764 [preauth]
Jul 7 19:41:06 localhost sshd[13733]: Connection closed by 119.163.122.32 port 58354 [preauth]
Jul 7 19:44:10 localhost sshd[16282]: Connection closed by 197.159.128.171 port 58946 [preauth]
Jul 7 19:44:50 localhost sshd[16918]: Connection closed by 112.65.170.186 port 60185 [preauth]
Jul 7 19:47:34 localhost sshd[18770]: Connection closed by 120.209.139.68 port 53064 [preauth]
Jul 7 19:48:39 localhost sshd[19661]: Connection closed by 119.163.122.32 port 34200 [preauth]
Jul 7 19:50:41 localhost sshd[20877]: Connection closed by 118.126.65.175 port 58630 [preauth]
Jul 7 19:51:35 localhost sshd[21284]: Connection closed by 197.159.128.171 port 59146 [preauth]
Jul 7 19:52:56 localhost sshd[22074]: Connection closed by 120.209.139.61 port 58537 [preauth]
Jul 7 19:53:14 localhost sshd[22293]: Connection closed by 112.65.170.186 port 49589 [preauth]
Jul 7 19:56:15 localhost sshd[25463]: Connection closed by 119.163.122.32 port 33728 [preauth]
Jul 7 19:56:20 localhost sshd[25477]: Invalid user applmgr from 120.55.186.125 port 28424
Jul 7 19:56:20 localhost sshd[25477]: input_userauth_request: invalid user applmgr [preauth]
Jul 7 19:56:20 localhost sshd[25477]: Connection closed by 120.55.186.125 port 28424 [preauth]
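As an added example (not code from anyone in this thread), the following Python groups "secure" log lines like those quoted in the first post and in the excerpt above by sshd child PID, records the client's source port, and classifies how far each connection got: a password was offered and rejected (password authentication still enabled), only a username was probed, or the client closed at preauth without any authentication attempt. It then summarises connections and distinct usernames per source IP, which makes the one-attempt-per-IP pattern visible. The sample lines are constructed on the pattern of the excerpts above, with RFC 5737 documentation addresses in place of real IPs.

```python
import re
from collections import defaultdict
# Constructed sample modelled on this thread's "secure" log lines (RFC 5737 addresses).
SAMPLE_LOG = """\
Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 192.0.2.10 port 50184
Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 192.0.2.10 port 50184 ssh2
Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 192.0.2.10 port 50184 [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 198.51.100.7 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 198.51.100.7 port 9992 [preauth]
Jul 7 19:18:06 localhost sshd[2545]: Connection closed by 203.0.113.5 port 10761 [preauth]
Jul 7 19:25:56 localhost sshd[5709]: Connection closed by 203.0.113.5 port 24797 [preauth]
"""

SSHD_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_USER = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED_PW = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
CLOSED = re.compile(r"^Connection closed by (?P<ip>\S+) port (?P<port>\d+)")

def parse_sessions(text):
    """Group lines by sshd child PID (one PID = one client connection).
    'port' is the client's ephemeral source port, not a port opened on the server."""
    sessions = {}
    for m in filter(None, map(SSHD_LINE.search, text.splitlines())):
        s = sessions.setdefault(m["pid"], {"ip": None, "port": None, "user": None, "password_tried": False})
        for rx in (INVALID_USER, FAILED_PW, CLOSED):
            if hit := rx.match(m["msg"]):
                s.update(hit.groupdict())
                s["password_tried"] |= rx is FAILED_PW
                break
    return sessions

def classify(session):
    """How far the client got before the connection was closed."""
    if session["password_tried"]:
        return "password rejected"   # server still accepts password authentication
    if session["user"]:
        return "username probed"     # unknown user announced, no password offered
    return "closed at preauth"       # client disconnected before any auth attempt

def summarize(text):
    """Per source IP: connection count, distinct usernames tried, stages reached."""
    per_ip = defaultdict(lambda: {"connections": 0, "users": set(), "stages": set()})
    for s in parse_sessions(text).values():
        entry = per_ip[s["ip"]]
        entry["connections"] += 1
        entry["stages"].add(classify(s))
        entry["users"].update({s["user"]} - {None})   # skip sessions with no username
    return dict(per_ip)
```

Run it over a real file with `summarize(open("/var/log/secure").read())`; an IP whose only stage is "password rejected" after you have set PasswordAuthentication no on the server is a sign the change has not taken effect.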
Quote:
Originally Posted by switcher1
Does anyone know why the two different type log entries are appearing? I was thinking that with key authorization all the log entries would be like the single-line entry.
I'm not sure of the difference but can say that they do reduce or disappear over time. What I think you are seeing is the long tail as the Windows botnets figure out that your machine no longer responds to passwords. If you have a way to change the external IP easily that might speed up their reaction.
Thanks very much for the info. I use a static IP, so cannot change the IP easily.
I will just wait until the messages go away. I believe the volume is already down since removing login passwords.