Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi
Today i received a complaint from one of external server that my server keep on delivering ssh attempt on there server by one of my ftp user .Any help me out how can i check number of ssh attempt made by my server
I could int find out the log of my server making ssh attempt on there at partiular schedule time 17:55.
8105 Jan 30 17:52:24 loft sshd[31609]: Failed password for root from 201.45.xxx.719 port 42959 ssh2
8106 Jan 30 17:52:24 loft sshd[31610]: Received disconnect from 201.45.xxx.71: 11: Bye Bye
8107 Jan 30 17:52:26 loft sshd[31612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.45.xx.71 user=root
8108 Jan 30 17:52:27 loft sshd[31612]: Failed password for root from 201.45.xxx.71 port 43768 ssh2
8109 Jan 30 17:52:28 loft sshd[31613]: Received disconnect from 201.45.xxx.71: 11: Bye Bye
8110 Jan 30 18:29:23 loft sshd[32286]: Did not receive identification string from UNKNOWN
8111 Jan 30 18:46:17 loft sshd[317]: Did not receive identification string from 188.138.xxx.168
8112 Jan 30 18:46:18 loft sshd[324]: Did not receive identification string from 188.138.xx.168
8113 Jan 30 20:53:52 loft sshd[6441]: Did not receive identification string from 46.228.1xx.146
8114 Jan 30 20:58:05 loft sshd[6594]: Invalid user minecraft from 46.228.161.146
8115 Jan 30 20:58:05 loft sshd[6595]: input_userauth_request: invalid user minecraft
8116 Jan 30 20:58:05 loft sshd[6594]: pam_unix(sshd:auth): check pass; user unknown
client side i got these log of my server attempt.But when i check out the ssh log of my server i could int find out any instant of ssh hacking
Jan 30 17:55:41: Did not receive identification string from 188.138.xx.177
Jan 30 17:55:48: Did not receive identification string from 188.138.xx.177
Jan 30 17:55:48: Did not receive identification string from 188.138.xx.177
Jan 30 17:59:10: Invalid user sanjay from 188.138.xx.177
Jan 30 17:59:10: Invalid user sanjay from 188.138.xx.177
Jan 30 17:59:14: Invalid user sanjay from 188.138.xx.177
Jan 30 17:59:14: Invalid user sanjay from 188.138.xx.177
Jan 30 17:59:14: Invalid user sanjay from 188.138.xx.177
Jan 30 17:59:14: Invalid user sanjay from 188.138.xx.177
In themselves you'll never have any logs of SSH client usage. Maybe you can get a pattern of attacks from the other party, see if there is a pattern, check all cronjobs on the system for all users etc.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
