Security question

I see a bunch of logs like this

Dec 16 14:22:50 plato sshd[9546]: Failed password for root from 222.173.194.34 port 18199 ssh2

Dec 16 14:22:53 plato sshd[9548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root

Dec 16 14:22:55 plato sshd[9548]: Failed password for root from 222.173.194.34 port 19366 ssh2

Dec 16 14:22:59 plato sshd[9550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root

Dec 16 14:23:01 plato sshd[9550]: Failed password for root from 222.173.194.34 port 20514 ssh2

Dec 16 14:23:04 plato sshd[9552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root

Dec 16 14:23:06 plato sshd[9552]: Failed password for root from 222.173.194.34 port 21697 ssh2

where it looks like someone is trying to access my server as the root user and failing, and it was not me trying to connect. Would this be true, and what should I do to prevent such a possibility?
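An added example, not part of the original question or any of the replies: a small POSIX shell script that summarises sshd "Failed password" entries per source address and account, so the volume of failed root attempts in a log like the one above is visible at a glance. The sample lines are the ones posted above plus one constructed line for a nonexistent account (the "invalid user" form sshd logs when the account does not exist); the address 203.0.113.7 in that constructed line is a documentation range, not a real source.

```shell
#!/bin/sh
# Added example (not from the original thread): count sshd "Failed password"
# events per source IP and account.
# SAMPLE_LOG is constructed: the lines posted in the question plus one
# constructed "invalid user" line (203.0.113.7 is a documentation address).
SAMPLE_LOG='Dec 16 14:22:50 plato sshd[9546]: Failed password for root from 222.173.194.34 port 18199 ssh2
Dec 16 14:22:53 plato sshd[9548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:22:55 plato sshd[9548]: Failed password for root from 222.173.194.34 port 19366 ssh2
Dec 16 14:22:59 plato sshd[9550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:23:01 plato sshd[9550]: Failed password for root from 222.173.194.34 port 20514 ssh2
Dec 16 14:23:04 plato sshd[9552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:23:06 plato sshd[9552]: Failed password for root from 222.173.194.34 port 21697 ssh2
Dec 16 14:23:10 plato sshd[9554]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2'

# failed_by_source: prints "<count> <ip> <account>" lines, most frequent first.
# Handles both "Failed password for root from IP" and the
# "Failed password for invalid user NAME from IP" form.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") {
                    u = $(i + 1)
                    if (u == "invalid") u = $(i + 3)   # "invalid user NAME"
                }
                if ($i == "from") ip = $(i + 1)
            }
            n[ip " " u]++
          }
          END { for (k in n) print n[k], k }' \
    | sort -rn
}

# count_failed IP ACCOUNT: number of failed password attempts for ACCOUNT from IP.
count_failed() {
    failed_by_source | awk -v ip="$1" -v user="$2" '
        $2 == ip && $3 == user { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# count_failed_root IP: failed root attempts from IP (the case in the question).
count_failed_root() {
    count_failed "$1" root
}

# exceeds_threshold IP N: succeeds if IP has more than N failed root attempts.
exceeds_threshold() {
    [ "$(count_failed_root "$1")" -gt "$2" ]
}

failed_by_source
```

To run this against a real host, replace the embedded sample with the contents of the authentication log (typically /var/log/auth.log on Debian-family systems or /var/log/secure on Red Hat-family systems). On the posted sample the output is four failed root attempts from 222.173.194.34 in about sixteen seconds, which is the pattern of an automated password-guessing client rather than a mistyped login.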

6 Replies

You're connected to the Internet, so other things on the Internet will try to see if they can break into your server. This is normal.

Best way to avoid it: "PermitRootLogin no" and "PasswordAuthentication no" in /etc/ssh/sshd_config (note: set up key-based authentication first), and make sure logrotate is installed so that your logs are kept to a manageable size.
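An added example, not part of the reply above or of Linode's own material: a POSIX shell script that checks an sshd_config for the two settings the reply recommends. It matters because sshd uses the first uncommented value it finds for each keyword, so a hardened line appended at the bottom of a file that still contains an earlier "PermitRootLogin yes" has no effect. The two configuration fragments are constructed for the example and are not any real server's files; the check reads plain "Keyword value" lines and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (not from the original thread): audit sshd_config settings.
# sshd takes the FIRST uncommented value of each keyword, so the check must
# return the first match, not the last.

# Constructed sample: the weak defaults the reply warns about.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample: the corrected settings from the reply. Key-based login
# for a non-root account must already work before these are applied.
HARDENED_CONFIG='Port 22
# Key-based authentication for a non-root user must be working first.
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# effective_value CONFIG_TEXT KEYWORD: prints the first uncommented value for
# KEYWORD (keywords are case-insensitive, and "Keyword = value" is accepted),
# or "unset" when the keyword does not appear.
effective_value() {
    printf '%s\n' "$1" | awk -F '[ \t=]+' \
        -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print "unset" }'
}

# audit_sshd_config CONFIG_TEXT: prints one line per setting that is not "no",
# or "ok" when both recommended settings are in effect.
audit_sshd_config() {
    out=$(
        for kw in PermitRootLogin PasswordAuthentication; do
            v=$(effective_value "$1" "$kw")
            [ "$v" = "no" ] || echo "$kw=$v (want no)"
        done
    )
    if [ -z "$out" ]; then echo ok; else echo "$out"; fi
}

echo "weak config:";     audit_sshd_config "$WEAK_CONFIG"
echo "hardened config:"; audit_sshd_config "$HARDENED_CONFIG"
```

Before restarting the daemon after editing the real /etc/ssh/sshd_config, run `sshd -t` to have sshd validate the file, and keep the current session open while confirming from a second terminal that a key-based login as the non-root user still works; otherwise a typo in the file, or keys that were never installed, locks you out of the server.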

I wouldn't agree it is normal and would say this is certainly something that should be treated as a crime. But I should take more precautions.

I do still use root, and I heard it is not good. Now I see why. How do I create some other user that has all the access, and how do I create a key and use it with PuTTY? I am a noob here, so please give me some short instructions or recommendations. Has Linode got some tutorial on this?

p.s.

I see the IP trying to break in is from China: http://www.apnic.net/

You may certainly treat it as a crime if you wish. You'd probably have better success enforcing turn signal laws on Boston expressways, however: there are fewer drivers in Boston than there are hijacked systems on the Internet.

This page is probably what you're after: http://library.linode.com/securing-your-server

I am just saying it shouldn't be called "normal", but I know I can expect that. Thanks for the link and this info.

nor·mal

/ˈnôrməl/

Adjective

Conforming to a standard; usual, typical, or expected.

Noun

The usual, average, or typical state or condition.

Synonyms

adjective. regular - standard - ordinary - common - usual

noun. normality - normalcy - perpendicular

It definitely is normal. Every server you put on the internet is going to get, often within a matter of minutes, various probes from people trying to compromise the system. This will occur regularly for the life of the server (in other words, forever).

If you wanted to treat it as a crime, you'd spend the rest of your life trying to investigate and file charges against the millions of such requests your server will get.
