[SOLVED] Does anyone has tried to enter my system?

Hello.
When I see "auth.log" and "ufw.log" files, then it show me below information:

Code:

# tail auth.log
Dec 16 22:04:57 ubuntu sshd[9098]: Failed password for root from 172.20.1.254 port 55292 ssh2
Dec 16 22:05:06 ubuntu sshd[9098]: Failed password for root from 172.20.1.254 port 55292 ssh2
Dec 16 22:05:06 ubuntu sshd[9098]: error: maximum authentication attempts exceeded for root from 172.20.1.254 port 55292 ssh2 [preauth]

# tail ufw.log
Dec 16 22:05:00 ubuntu kernel: [860180.320154] [UFW BLOCK] IN=ens160 OUT= MAC=XXXX SRC=172.20.1.254 DST=172.20.100.62 LEN=40 TOS=0x00 PREC=0x00 TTL=228 ID=37021 PROTO=TCP SPT=58292 DPT=6609 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 16 22:05:26 ubuntu kernel: [860206.710710] [UFW BLOCK] IN=ens160 OUT= MAC=XXXX SRC=172.20.1.254 DST=172.20.100.62 LEN=40 TOS=0x00 PREC=0x00 TTL=226 ID=17895 PROTO=TCP SPT=55074 DPT=48000 WINDOW=1024 RES=0x00 SYN URGP=0

Can it mean someone from "172.20.1.254" IP tried to logging into "172.20.100.62" IP?

Thank you.

Yup. That’s what it means. Note that both of those IP addresses are private addresses, so whatever’s going on is happening inside your network.

Quote:

Originally Posted by scasey Yup. That’s what it means. Note that both of those IP addresses are private addresses, so whatever’s going on is happening inside your network.

Given that the source address ends in .254 this is most likely the router and it's doing inbound NAT.

Yes, The .254 IP is firewall and .62 is my server. The attacker IP is my firewall IP because someone wanted to attack to my server from outside of network?

Yes

Note that the attempt may not be directed at you.

In fact, it probably isn't directed at you. Random port scans have been a thing on the internet almost since the internet became widely available.

Quote:

Originally Posted by TenTenths Yes

For find attacker IP, must I check Firewall log?

Quote:

Originally Posted by hack3rcon For find attacker IP, must I check Firewall log?

Yes

Quote:

Originally Posted by hack3rcon For find attacker IP, must I check Firewall log?

I have to wonder why you just didn't check the firewall log to see instead of asking this question?

Quote:

Originally Posted by scasey I have to wonder why you just didn't check the firewall log to see instead of asking this question?

Because I have not access to the firewall.

Quote:

Originally Posted by hack3rcon Because I have not access to the firewall.

Interesting. If you don't have access to the firewall, who does? The sysadmin?
If you have a sysadmin for your system, you should be talking to them...

Quote:

Originally Posted by scasey Interesting. If you don't have access to the firewall, who does? The sysadmin? If you have a sysadmin for your system, you should be talking to them...

Yes.