what is the best explanation for the following please

Mar 13 04:10:10 shell su(pam_unix)[26013]: session opened for user news by (uid=0)

Mar 13 04:10:10 shell su(pam_unix)[26013]: session closed for user news


Mar 13 22:51:38 shell sshd(pam_unix)[9364]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=hst-67-101-12-73.man-linx09.sky.net user=root

Mar 14 00:27:47 shell sshd(pam_unix)[9555]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=chem173.columbia.edu
user=nobody

Mar 15 00:34:51 shell sshd(pam_unix)[12755]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=207.188.80.171 user=root

Mar 15 12:53:37 shell sshd(pam_unix)[14402]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=61-222-184-228.fast-link.hinet.net user=root

Based on the little bit you've told us, I suspect it's probably random port scans. https://krebsonsecurity.com/2015/05/...rk-a-everyone/

1 members found this post helpful.

frankbell could be right.
I'd guess the su to news was done by a cron job, perhaps...or someone logged in as root.
The other sshd entries look like login attempts from several random places...could be bots, could be people hacking about.
Maybe fail2ban would help?

Unless you did so already you may also want to disable root login and password authentication in your sshd_config.

1 members found this post helpful.