LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Old 07-06-2018, 08:10 PM   #1
switcher1
Member
 
Registered: Jul 2006
Posts: 43

Rep: Reputation: 0
Need help understanding "secure" log sshd hack attempts.


Below I have listed 6 lines from the "secure" log. I have several questions about reading these lines:

1) The 1st line mentions port 50184. Has the intruder requested this port or has my machine opened this port based on the sshd attempt from the intruder?
Note: port 50184 is not open on my machine, it is stealth per grc.com port checker service.
2) What is line #3 (check pass; user unknown) actually telling me?
3) Why is line #5 saying "failed password" when the user is invalid? If the user is invalid why is it allowing a password to be entered?

Any assistance will be most helpful.

I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.

>>secure log lines<<
Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]

Lines like these appear hundreds of times, each IP only making one attempt, and all using different user names, and different ports.
 
Old 07-06-2018, 08:46 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6142
I suspect they are simply random port scans. They aren't trying to break into your system; they are trying to break into any system. https://www.digitalocean.com/communi...rom-random-ips

An "invalid user" may still attempt to enter a password. Indeed, the failed password is likely (I don't know for sure) what tells the system that the user is invalid. I think most systems don't attempt to authenticate a login until both username and password have been entered.

Just my two cents.
 
1 members found this post helpful.
Old 07-06-2018, 08:56 PM   #3
sevendogsbsd
Senior Member
 
Registered: Sep 2017
Distribution: FreeBSD
Posts: 2,252

Rep: Reputation: 1011
Source ports are always random. You have 22 open but when someone connects, or attempts to, the port they originate from is typically a random, high numbered port.
 
1 members found this post helpful.
Old 07-07-2018, 01:05 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
1) The port is the port on the remote machine from which the connection is coming from.
2) It means that you still have password authentication enabled, instead of eliminating it in favor of key-based authentication. It also means that PAM is processing the password request as it should.
3) Probably poor wording in the error message, if I recall correctly the error applies to either an incorrect user or an incorrect password. The server tries to leak as little information to the attacker as possible but that idea also affects the log records too.

Quote:
Originally Posted by switcher1
I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.
That would be too easy to block¹. The botnets of compromised M$ Windows machines scanning your machine will find your service no matter which port it is on. You can move the port around but it's no bother for the botnets to find it again. Best is to disable passwords; many botnets are now smart enough to go away and not come back if they find that password authentication has been disabled.

¹ See Peter's own links in his reference list at the end of his post for background on how the Hail Mary net has changed.
 
1 members found this post helpful.
Old 07-07-2018, 05:59 AM   #5
switcher1
Member
 
Registered: Jul 2006
Posts: 43

Original Poster
Rep: Reputation: 0
Thanks everyone so much for the comments, and links on random IP's, "Hail Mary net" changes and high ports. Very helpful.
I will work on eliminating passwords and using key-based authentication - about which I currently know nothing. Great advice.
 
Old 07-07-2018, 06:34 AM   #6
timl
Member
 
Registered: Jan 2009
Location: Sydney, Australia
Distribution: Fedora,CentOS
Posts: 750

Rep: Reputation: 156
SSH keys FYI (not my own work)

http://wiki.linuxquestions.org/wiki/...reate_ssh_keys
 
1 members found this post helpful.
Old 07-07-2018, 06:37 AM   #7
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
https://help.ubuntu.com/community/St...Authentication
https://help.ubuntu.com/community/St...SSH_Root_Login
 
1 members found this post helpful.
Old 07-07-2018, 07:42 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721

I'd add two suggestions. The first is to use Ed25519 keys when possible, unless RSA is needed for backwards compatibility. The second would be to plan for the eventuality of having more than one key pair on your client by using the -f and -C options when creating each set. The -f allows you to name the keypair something memorable so you can recognize it among the many keys you'll have on your client. The -C allows a comment in the public key so that you can keep track of it on the server, especially if you have several single-purpose keys.

Code:
# RSA only where an old client or server still needs it
ssh-keygen -f ~/.ssh/some-server_rsa -t rsa -b 4096 -C 'me from some desktop'
# Ed25519 for everything else
ssh-keygen -f ~/.ssh/some-server_ed25519 -t ed25519 -C 'me from some desktop'
See 'man ssh-keygen'

Then take advantage of the SSH client's configuration file to remember which key goes where.

Code:
Host server1 server1.example.com
        Hostname server1.example.com
        IdentitiesOnly yes
        IdentityFile ~/.ssh/server1_ed25519

Host server2 server2.example.com
        Hostname server2.example.com
        IdentitiesOnly yes
        IdentityFile ~/.ssh/server2_rsa

Host *.example.com
        User myremotename

Host *
        ServerAliveCountMax 3
        ServerAliveInterval 60
Always put the more specific configurations first, nearer the beginning of the file, the more general configurations towards the end, and the globals last.

The client configuration file is underappreciated. See 'man ssh_config' for details

Last edited by Turbocapitalist; 07-09-2018 at 10:39 AM. Reason: rsa -> ed25519
 
1 members found this post helpful.
Old 07-07-2018, 02:44 PM   #9
switcher1
Member
 
Registered: Jul 2006
Posts: 43

Original Poster
Rep: Reputation: 0
Great Thanks to all for the additional links and suggestions. They all proved most valuable and informative to me. I utilized information from all of them.

I now have key authorization working and passwords turned off.

My appreciation to all who contributed to this thread.
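An added example from the editor, not from any post in this thread: a Python check of the server-side sshd_config settings the thread ends up recommending (keys on, passwords off). It applies two rules from sshd_config(5) that are easy to get wrong by hand: the first value given for a keyword is the one that counts, so a "PasswordAuthentication no" added at the bottom of a file that already says "yes" higher up changes nothing; and anything after the first Match line applies only to matching connections, so the script stops there and tells you to confirm with sshd itself. ChallengeResponseAuthentication is treated as the older spelling of KbdInteractiveAuthentication, because leaving it at yes lets PAM keep asking for a password even when PasswordAuthentication is no. The two configuration texts are constructed for the example; the keyword names, defaults and the `sshd -T` / `sshd -t` commands are real OpenSSH ones, and the category text is the editor's.

```python
import re

# Settings a key-only server should have. Defaults are OpenSSH's compiled-in
# values, i.e. what applies when the keyword is absent; values compare lower-cased.
CHECKS = {
    "passwordauthentication": {"default": "yes", "ok": {"no"},
                               "why": "password guessing still possible"},
    "kbdinteractiveauthentication": {"default": "yes", "ok": {"no"},
                                     "why": "PAM can still ask for a password over keyboard-interactive"},
    "pubkeyauthentication": {"default": "yes", "ok": {"yes"},
                             "why": "key-based login disabled"},
    "permitrootlogin": {"default": "prohibit-password",
                        "ok": {"no", "prohibit-password", "without-password"},
                        "why": "root reachable with a password"},
}
# Older spelling of the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Return (settings, saw_match). First value per keyword wins; parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            return settings, True                      # the rest is conditional
        settings.setdefault(key, value)                # first occurrence wins, as in sshd_config(5)
    return settings, False


def audit_sshd_config(text):
    """List (keyword, effective value, reason) for each setting that still permits password logins."""
    settings, saw_match = effective_settings(text)
    findings = []
    for key, check in CHECKS.items():
        value = settings.get(key, check["default"])
        if value not in check["ok"]:
            findings.append((key, value, check["why"]))
    if saw_match:
        findings.append(("match", "present",
                         "Match blocks not evaluated here; confirm with: sshd -T -C user=...,addr=..."))
    return findings


# Constructed examples (not the thread's real config): a stock-looking file and
# the same file after following the advice in this thread.
STOCK_CONFIG = """\
Port 22222
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config`, or better against the output of `sshd -T`, which prints every effective value on its own line in the same "keyword value" form and is what the server will actually enforce. After editing, `sshd -t` checks the file for syntax errors before a reload. Note that the listening Port is deliberately not part of the audit: as the thread says, moving it does not stop the scanners, only disabling passwords does.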
 
Old 07-08-2018, 08:18 AM   #10
switcher1
Member
 
Registered: Jul 2006
Posts: 43

Original Poster
Rep: Reputation: 0
Since I activated ssh key authorization and turned off password login for SSH, the logs are repeating as shown below.

All IP's seem to appear only once and usually with a single line entry in the log, i.e.
Jul 7 19:19:53 localhost sshd[2840]: Connection closed by 119.163.122.32 port 45991 [preauth]

However, about every 10-15 single-line log entries (like above) there is a 3-line entry as below:
Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 106.14.202.255 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 106.14.202.255 port 9992 [preauth]

Does anyone know why the two different type log entries are appearing? I was thinking that with key authorization all the log entries would be like the single-line entry.

Secure log excerpt below:

Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 106.14.202.255 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 106.14.202.255 port 9992 [preauth]

Jul 7 19:18:06 localhost sshd[2545]: Connection closed by 31.14.142.109 port 10761 [preauth]
Jul 7 19:19:53 localhost sshd[2840]: Connection closed by 119.163.122.32 port 45991 [preauth]
Jul 7 19:22:02 localhost sshd[4435]: Connection closed by 197.159.128.171 port 58329 [preauth]
Jul 7 19:25:17 localhost sshd[5462]: Connection closed by 120.209.139.68 port 56774 [preauth]
Jul 7 19:25:56 localhost sshd[5709]: Connection closed by 119.163.122.32 port 24797 [preauth]
Jul 7 19:27:39 localhost sshd[6479]: Connection closed by 112.65.170.186 port 50022 [preauth]
Jul 7 19:28:06 localhost sshd[6959]: Connection closed by 118.126.65.175 port 56904 [preauth]
Jul 7 19:34:23 localhost sshd[7680]: Connection closed by 197.159.128.171 port 58536 [preauth]
Jul 7 19:34:23 localhost sshd[8547]: Connection closed by 120.209.139.61 port 64688 [preauth]
Jul 7 19:34:23 localhost sshd[9405]: Connection closed by 119.163.122.32 port 50983 [preauth]
Jul 7 19:36:47 localhost sshd[10883]: Connection closed by 120.209.139.68 port 54820 [preauth]
Jul 7 19:36:47 localhost sshd[10914]: Connection closed by 112.65.170.186 port 41490 [preauth]
Jul 7 19:36:49 localhost sshd[11172]: Connection closed by 197.159.128.171 port 58738 [preauth]

Jul 7 19:38:14 localhost sshd[11811]: Invalid user xiao from 34.207.11.241 port 60169
Jul 7 19:38:14 localhost sshd[11811]: input_userauth_request: invalid user xiao [preauth]
Jul 7 19:38:14 localhost sshd[11811]: Connection closed by 34.207.11.241 port 60169 [preauth]

Jul 7 19:39:20 localhost sshd[12510]: Connection closed by 118.126.65.175 port 57764 [preauth]
Jul 7 19:41:06 localhost sshd[13733]: Connection closed by 119.163.122.32 port 58354 [preauth]
Jul 7 19:44:10 localhost sshd[16282]: Connection closed by 197.159.128.171 port 58946 [preauth]
Jul 7 19:44:50 localhost sshd[16918]: Connection closed by 112.65.170.186 port 60185 [preauth]
Jul 7 19:47:34 localhost sshd[18770]: Connection closed by 120.209.139.68 port 53064 [preauth]
Jul 7 19:48:39 localhost sshd[19661]: Connection closed by 119.163.122.32 port 34200 [preauth]
Jul 7 19:50:41 localhost sshd[20877]: Connection closed by 118.126.65.175 port 58630 [preauth]
Jul 7 19:51:35 localhost sshd[21284]: Connection closed by 197.159.128.171 port 59146 [preauth]
Jul 7 19:52:56 localhost sshd[22074]: Connection closed by 120.209.139.61 port 58537 [preauth]
Jul 7 19:53:14 localhost sshd[22293]: Connection closed by 112.65.170.186 port 49589 [preauth]
Jul 7 19:56:15 localhost sshd[25463]: Connection closed by 119.163.122.32 port 33728 [preauth]

Jul 7 19:56:20 localhost sshd[25477]: Invalid user applmgr from 120.55.186.125 port 28424
Jul 7 19:56:20 localhost sshd[25477]: input_userauth_request: invalid user applmgr [preauth]
Jul 7 19:56:20 localhost sshd[25477]: Connection closed by 120.55.186.125 port 28424 [preauth]
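An added example from the editor, not from any post above: a short Python script that groups these secure-log lines by the sshd process ID (the number in sshd[NNNN], one child process per connection) and sorts each connection into one of three kinds. Read that way, the lines answer both log questions in the thread. In the first post's log, "Invalid user demo" is written the moment the client names an account that does not exist; because password authentication was still enabled, sshd then still runs the PAM password check ("check pass; user unknown" and "Failed password for invalid user") so that a username-guessing attacker gets the same response and delay for a bad username as for a bad password, which is why an invalid user still gets to "enter" a password. After PasswordAuthentication is switched off, a client that names a user and hangs up on being offered only publickey produces the three-line "Invalid user ... / Connection closed ... [preauth]" pattern, while the lone "Connection closed ... [preauth]" is a client that disconnected before sending any authentication request at all. The sample lines are copied from the two posts in this thread; the three category labels are the editor's own.

```python
import re
from collections import Counter

# Sample lines copied from the posts above: the first connection from the initial
# post (passwords still enabled), the rest from after passwords were disabled.
SAMPLE_LOG = """\
Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Invalid user ios from 106.14.202.255 port 9992
Jul 7 19:17:34 localhost sshd[2059]: input_userauth_request: invalid user ios [preauth]
Jul 7 19:17:34 localhost sshd[2059]: Connection closed by 106.14.202.255 port 9992 [preauth]
Jul 7 19:18:06 localhost sshd[2545]: Connection closed by 31.14.142.109 port 10761 [preauth]
Jul 7 19:19:53 localhost sshd[2840]: Connection closed by 119.163.122.32 port 45991 [preauth]
Jul 7 19:25:56 localhost sshd[5709]: Connection closed by 119.163.122.32 port 24797 [preauth]
Jul 7 19:38:14 localhost sshd[11811]: Invalid user xiao from 34.207.11.241 port 60169
Jul 7 19:38:14 localhost sshd[11811]: input_userauth_request: invalid user xiao [preauth]
Jul 7 19:38:14 localhost sshd[11811]: Connection closed by 34.207.11.241 port 60169 [preauth]
"""

# Header common to every line: syslog timestamp, host, sshd[PID], message.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message shapes that matter here; pam_unix and input_userauth_request lines are ignored.
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+) port (?P<port>\d+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# Newer OpenSSH writes "Connection closed by invalid user X 1.2.3.4 port N [preauth]"; allow both forms.
CLOSED_RE = re.compile(r"^Connection closed by (?:(?:invalid|authenticating) user \S+ )?(?P<ip>\S+) port (?P<port>\d+) \[preauth\]")


def parse_sessions(text):
    """Group log lines into connections keyed on the sshd child PID."""
    open_sessions, finished = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = open_sessions.setdefault(pid, {"pid": pid, "ip": None, "port": None, "user": None, "events": []})
        im, fm, cm = INVALID_RE.match(msg), FAILED_RE.match(msg), CLOSED_RE.match(msg)
        if im:
            s.update(ip=im["ip"], port=im["port"], user=im["user"] or "<empty>")
            s["events"].append("invalid_user")
        elif fm:
            s.update(ip=fm["ip"], port=fm["port"], user=fm["user"])
            s["events"].append("failed_" + fm["method"])
        elif cm:
            s.update(ip=cm["ip"], port=cm["port"])
            s["events"].append("closed_preauth")
            # PIDs are reused over a long log, so close the record out here
            # instead of trusting the PID to stay unique.
            finished.append(open_sessions.pop(pid))
    finished.extend(open_sessions.values())  # connections still open at the end of the log
    return finished


def classify(session):
    """Editor's three categories for a pre-auth connection."""
    ev = session["events"]
    if any(e.startswith("failed_") for e in ev):
        return "credential presented and rejected"
    if "invalid_user" in ev:
        return "unknown username, then client gave up"
    return "disconnected before any auth request"


def summarize(text):
    sessions = parse_sessions(text)
    return {
        "connections": len(sessions),
        "by_kind": dict(Counter(classify(s) for s in sessions)),
        "by_ip": dict(Counter(s["ip"] for s in sessions if s["ip"])),
        "usernames": dict(Counter(s["user"] for s in sessions if s["user"])),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at the whole /var/log/secure (for example `summarize(open("/var/log/secure").read())`), the by_ip counter shows whether an address really made only one attempt or came back later under a different PID, and the by_kind counter is the thing to watch after disabling passwords: "credential presented and rejected" should drop to zero, and what remains is scanners that never get past the method negotiation.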
 
Old 07-08-2018, 10:21 PM   #11
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,308
Blog Entries: 3

Rep: Reputation: 3721
Quote:
Originally Posted by switcher1
Does anyone know why the two different type log entries are appearing? I was thinking that with key authorization all the log entries would be like the single-line entry.
I'm not sure of the difference but can say that they do reduce or disappear over time. What I think you are seeing is the long tail as the Windows botnets figure out that your machine no longer responds to passwords. If you have a way to change the external IP easily that might speed up their reaction.
 
Old 07-09-2018, 10:41 AM   #12
switcher1
Member
 
Registered: Jul 2006
Posts: 43

Original Poster
Rep: Reputation: 0
Thanks very much for the info. I use a static IP, so cannot change the IP easily.
I will just wait until the messages go away. I believe the volume is already down since removing login passwords.

Thanks for all the help.
 