Hello,
I recently logged in to my server machine and found a login record I cannot account for. I have the logs of the login, but they seem strange to me.
I see an authentication failure that says failed password and then it comes up with an accepted password and session opened.
Does this essentially mean that someone connected, typed in the wrong password and then on the second attempt got it right - without reconnecting?
I did a quick lookup of the remote host. Seattle seems to have been the origin and not being in Seattle makes me think that I wasn't the one to log in - I don't remember logging in on that day at all.
I have already changed my passwords for my system and moved my ssh port. Any other suggestions?
(I have been planning to do an upgrade to my system recently - so potentially I will be reinstalling the whole system.)
Log:
Jun 4 23:48:10 Server sshd[9659]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxxxxx6d0.tmxxxx.net user=xxxxxxxx
Jun 4 23:48:12 Server sshd[9659]: Failed password for xxxxxxxx from 208.54.14.91 port 41459 ssh2
Jun 4 23:48:16 Server sshd[9659]: Accepted password for xxxxxxxx from 208.54.14.91 port 41459 ssh2
Jun 4 23:48:16 Server sshd[9663]: pam_unix(sshd:session): session opened for user xxxxxxxx by (uid=0)
Jun 4 23:49:44 Server sshd[9663]: pam_unix(sshd:session): session closed for user xxxxxxxx
Thank you for any responses,
Yevgeniy
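
Added example, not part of the original post: sshd handles each incoming connection in its own process, so "Failed password" and "Accepted password" lines that share the same sshd PID, source IP and source port belong to one connection. The script below groups password events that way and reports connections with a failure and a success; the sample log lines, addresses (documentation ranges) and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same syslog format as the post
# (192.0.2.x / 198.51.100.x are documentation addresses; user names are made up).
SAMPLE_LOG = """\
Jun 4 23:48:12 Server sshd[9659]: Failed password for alice from 192.0.2.10 port 41459 ssh2
Jun 4 23:48:16 Server sshd[9659]: Accepted password for alice from 192.0.2.10 port 41459 ssh2
Jun 4 23:48:16 Server sshd[9663]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun 5 01:02:03 Server sshd[9701]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jun 5 01:02:09 Server sshd[9705]: Failed password for bob from 198.51.100.7 port 50130 ssh2
Jun 5 08:15:00 Server sshd[9800]: Accepted password for bob from 192.0.2.44 port 60001 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize_connections(log_text):
    """Group password events by connection: (sshd PID, source IP, source port)."""
    conns = defaultdict(lambda: {"user": None, "failed": 0, "accepted": False, "first": None})
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # PAM/session lines and anything else are ignored here
        c = conns[(m["pid"], m["ip"], m["port"])]
        c["user"] = m["user"]
        c["first"] = c["first"] or m["ts"]
        if m["result"] == "Failed":
            c["failed"] += 1
        else:
            c["accepted"] = True
    return dict(conns)

def retry_then_success(log_text):
    """Connections with at least one failed password and an accepted one."""
    return [(key, c) for key, c in summarize_connections(log_text).items()
            if c["accepted"] and c["failed"] > 0]

if __name__ == "__main__":
    for (pid, ip, port), c in retry_then_success(SAMPLE_LOG):
        print(f"{c['first']} sshd[{pid}] {ip}:{port} user={c['user']} "
              f"failed={c['failed']} then accepted on the same connection")
```

To run it against a real log, pass the file's contents to `retry_then_success` instead of `SAMPLE_LOG`.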