Lots of IPs in /var/log/auth.log that shouldn't be able to access the system

Discussion in 'General' started by unsichtbare, Jun 12, 2020.

  1. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I was posting on another topic and I came across tons of what appear to be IP addresses trying to log on. Problem is, this is a new server on a private LAN, behind a firewall and no port forwarding or NAT is enabled. Am I misreading this?
    Code:
    Jun 12 14:09:44 hosting sshd[16311]: Received disconnect from 146.66.244.246 port 51704:11: Bye Bye [preauth]
    Jun 12 14:09:44 hosting sshd[16311]: Disconnected from authenticating user root 146.66.244.246 port 51704 [preauth]
    Jun 12 14:10:18 hosting sshd[16313]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.88  user=root
    Jun 12 14:10:20 hosting sshd[16313]: Failed password for root from 112.85.42.88 port 61005 ssh2
    Jun 12 14:10:26 hosting sshd[16319]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.233.202.231  user=root
    Jun 12 14:10:28 hosting sshd[16319]: Failed password for root from 49.233.202.231 port 49826 ssh2
    Jun 12 14:10:28 hosting sshd[16319]: Received disconnect from 49.233.202.231 port 49826:11: Bye Bye [preauth]
    Jun 12 14:10:28 hosting sshd[16319]: Disconnected from authenticating user root 49.233.202.231 port 49826 [preauth]
    Jun 12 14:10:35 hosting sshd[16321]: Did not receive identification string from 222.186.175.167 port 28752
    Jun 12 14:10:43 hosting sshd[16335]: Invalid user userftp from 179.191.237.172 port 44116
    Jun 12 14:10:43 hosting sshd[16335]: pam_unix(sshd:auth): check pass; user unknown
    Jun 12 14:10:43 hosting sshd[16335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=179.191.237.172
    Jun 12 14:10:45 hosting sshd[16335]: Failed password for invalid user userftp from 179.191.237.172 port 44116 ssh2
    Jun 12 14:10:45 hosting sshd[16335]: Received disconnect from 179.191.237.172 port 44116:11: Bye Bye [preauth]
    Jun 12 14:10:45 hosting sshd[16335]: Disconnected from invalid user userftp 179.191.237.172 port 44116 [preauth]
    Jun 12 14:11:41 hosting sshd[16353]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.206.243.23  user=root
    Jun 12 14:11:43 hosting sshd[16353]: Failed password for root from 198.206.243.23 port 38406 ssh2
    Jun 12 14:11:43 hosting sshd[16353]: Received disconnect from 198.206.243.23 port 38406:11: Bye Bye [preauth]
    Jun 12 14:11:43 hosting sshd[16353]: Disconnected from authenticating user root 198.206.243.23 port 38406 [preauth]
    Jun 12 14:11:52 hosting sshd[16355]: Invalid user admin from 104.229.203.202 port 48416
    Jun 12 14:11:52 hosting sshd[16355]: pam_unix(sshd:auth): check pass; user unknown
    Jun 12 14:11:52 hosting sshd[16355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=104.229.203.202
    Jun 12 14:11:54 hosting sshd[16355]: Failed password for invalid user admin from 104.229.203.202 port 48416 ssh2
    Jun 12 14:11:54 hosting sshd[16355]: Received disconnect from 104.229.203.202 port 48416:11: Bye Bye [preauth]
    Jun 12 14:11:54 hosting sshd[16355]: Disconnected from invalid user admin 104.229.203.202 port 48416 [preauth]
    Jun 12 14:12:00 hosting sshd[16357]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.31.166  user=root
    Jun 12 14:12:03 hosting sshd[16357]: Failed password for root from 222.186.31.166 port 42818 ssh2
    Jun 12 14:12:07 hosting sshd[16357]: message repeated 2 times: [ Failed password for root from 222.186.31.166 port 42818 ssh2]
    Jun 12 14:12:09 hosting sshd[16364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.31.166  user=root
    Jun 12 14:12:10 hosting sshd[16357]: Received disconnect from 222.186.31.166 port 42818:11:  [preauth]
    Jun 12 14:12:10 hosting sshd[16357]: Disconnected from authenticating user root 222.186.31.166 port 42818 [preauth]
    Jun 12 14:12:10 hosting sshd[16357]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.31.166  user=root
    Jun 12 14:12:11 hosting sshd[16364]: Failed password for root from 222.186.31.166 port 20838 ssh2
    Jun 12 14:12:12 hosting sshd[16366]: Invalid user ubuntu from 129.204.205.231 port 47250
    Jun 12 14:12:12 hosting sshd[16366]: pam_unix(sshd:auth): check pass; user unknown
    Jun 12 14:12:12 hosting sshd[16366]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.204.205.231
    
    
     
  2. Th0m

    Th0m Active Member HowtoForge Supporter

    Seems like your SSH port is forwarded... You can test this by trying to connect to your public IP with port 22
     
    unsichtbare likes this.
  3. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Thanks, turns out another ADMIN had done me the favor of setting up the firewall without creating a ticket. 22 was forwarded!
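
Added example, not part of the thread: a Python check for the symptom discussed above. It reads sshd lines in the auth.log format quoted in the first post and reports sources that are not on the LAN. The sample log is constructed, using documentation addresses in place of internet hosts, and the `INTERNAL_NETS` list is an assumption to adjust for the local network.

```python
import ipaddress
import re
from collections import Counter

# Networks treated as "inside" (assumption: RFC 1918 LAN ranges plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
REPEATED = re.compile(r"message repeated (\d+) times:")
ANY_PEER = re.compile(r"sshd\[\d+\]: .*\bfrom (\S+) port")

# Constructed sample in the sshd syslog format shown in the thread.
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
Jun 12 14:10:20 hosting sshd[101]: Failed password for root from 203.0.113.7 port 61005 ssh2
Jun 12 14:10:43 hosting sshd[102]: Invalid user userftp from 198.51.100.23 port 44116
Jun 12 14:10:45 hosting sshd[102]: Failed password for invalid user userftp from 198.51.100.23 port 44116 ssh2
Jun 12 14:11:02 hosting sshd[103]: Failed password for admin from 192.168.1.50 port 50222 ssh2
Jun 12 14:12:07 hosting sshd[104]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 42818 ssh2]
Jun 12 14:12:35 hosting sshd[105]: Did not receive identification string from 203.0.113.99 port 28752
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def external_failures(log_text):
    """Count failed password attempts per source outside INTERNAL_NETS."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or is_internal(m.group(1)):
            continue
        rep = REPEATED.search(line)  # syslog collapses identical lines
        counts[m.group(1)] += int(rep.group(1)) if rep else 1
    return counts

def external_peers(log_text):
    """Every non-internal address that reached sshd, including bare probes."""
    hits = (ANY_PEER.search(line) for line in log_text.splitlines())
    return {m.group(1) for m in hits if m and not is_internal(m.group(1))}

if __name__ == "__main__":
    for ip, n in external_failures(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} failed passwords")
    if external_peers(SAMPLE_LOG):
        print("sshd is reachable from outside the LAN: check forwarding/NAT rules for port 22")
```

Any address returned by `external_peers` on a host that is supposed to be LAN-only means something upstream is forwarding traffic to sshd, which is what the thread turned out to be.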
     
