You might want to look at disabling root ssh login as a precaution (should be disabled always on any exposed system), look in /etc/ssh/sshd_config (typically) for:

PermitRootLogin no

Also you might want to consider using a targeted firewall approach with something like Fail2Ban which I have found very effective

Martin

On 18 August 2012 18:32, Stuart Bird <e_tect...@yahoo.co.uk> wrote:
> Hi All
>
> Could anyone cast an eye over the following log entries and tell me if this is just script kiddie stuff, or whether I should be more concerned?
>
> The entries are from my "auth.log" file on an Ubuntu 12.04 server (vps). The server hosts one web site at the moment. It's been up for about three months now, but these entries have only started over the last couple of days.
>
> Aug 18 08:05:56 localhost sshd[11478]: Address 94.242.250.53 maps to mail.smtpdestek.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Aug 18 08:05:56 localhost sshd[11478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53 user=root
> Aug 18 08:05:58 localhost sshd[11478]: Failed password for root from 94.242.250.53 port 47297 ssh2
> Aug 18 08:05:58 localhost sshd[11478]: Received disconnect from 94.242.250.53: 11: Bye Bye [preauth]
> Aug 18 08:05:59 localhost sshd[11480]: Address 94.242.250.53 maps to mail.smtpdestek.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Aug 18 08:05:59 localhost sshd[11480]: Invalid user sniff from 94.242.250.53
> Aug 18 08:05:59 localhost sshd[11480]: input_userauth_request: invalid user sniff [preauth]
> Aug 18 08:05:59 localhost sshd[11480]: pam_unix(sshd:auth): check pass; user unknown
> Aug 18 08:05:59 localhost sshd[11480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53
> Aug 18 08:06:01 localhost sshd[11480]: Failed password for invalid user sniff from 94.242.250.53 port 47551 ssh2
> Aug 18 08:06:01 localhost sshd[11480]: Received disconnect from 94.242.250.53: 11: Bye Bye [preauth]
> Aug 18 08:06:01 localhost sshd[11482]: Address 94.242.250.53 maps to mail.smtpdestek.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Aug 18 08:06:01 localhost sshd[11482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53 user=root
> Aug 18 08:06:03 localhost sshd[11482]: Failed password for root from 94.242.250.53 port 47767 ssh2
> Aug 18 08:06:03 localhost sshd[11482]: Received disconnect from 94.242.250.53: 11: Bye Bye [preauth]
> Aug 18 08:06:03 localhost sshd[11484]: Address 94.242.250.53 maps to mail.smtpdestek.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> Aug 18 08:06:03 localhost sshd[11484]: Invalid user ranger from 94.242.250.53
> Aug 18 08:06:03 localhost sshd[11484]: input_userauth_request: invalid user ranger [preauth]
> Aug 18 08:06:03 localhost sshd[11484]: pam_unix(sshd:auth): check pass; user unknown
> Aug 18 08:06:03 localhost sshd[11484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=94.242.250.53
> Aug 18 08:06:05 localhost sshd[11484]: Failed password for invalid user ranger from 94.242.250.53 port 47988 ssh2
> Aug 18 08:06:05 localhost sshd[11484]: Received disconnect from 94.242.250.53: 11: Bye Bye [preauth]
> Aug 18 08:06:05 localhost sshd[11486]: Address 94.242.250.53 maps to mail.smtpdestek.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>
> Any advice appreciated!
>
> Stu
>
>
> _______________________________________________
> Peterboro mailing list
> Peterboro@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/peterboro
>
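Added example, not part of the original thread: a small Python triage script for auth.log entries like the ones quoted above, reporting per source address how many password failures occurred, which usernames were tried, and whether a retry threshold was crossed. The names `summarise`, `max_retry` and `find_time` and their default values are assumptions made for this illustration; the counting is a simplified version of the ban-after-N-failures idea and is not Fail2Ban's code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines taken from the auth.log excerpt quoted in this thread, with mail wrapping undone.
SAMPLE_LOG = """\
Aug 18 08:05:58 localhost sshd[11478]: Failed password for root from 94.242.250.53 port 47297 ssh2
Aug 18 08:05:58 localhost sshd[11478]: Received disconnect from 94.242.250.53: 11: Bye Bye [preauth]
Aug 18 08:06:01 localhost sshd[11480]: Failed password for invalid user sniff from 94.242.250.53 port 47551 ssh2
Aug 18 08:06:03 localhost sshd[11482]: Failed password for root from 94.242.250.53 port 47767 ssh2
Aug 18 08:06:05 localhost sshd[11484]: Failed password for invalid user ranger from 94.242.250.53 port 47988 ssh2
"""

# The username is client-controlled text, so it is matched greedily and the
# address is taken from the final " from <ip> port <n> ssh2" at end of line.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(text, year=2012):
    """Yield (timestamp, ip, user, is_invalid_user) per failed-password line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"], bool(m["invalid"])

def summarise(text, max_retry=3, find_time=timedelta(minutes=10)):
    """Per IP: failure count, usernames tried, and threshold verdict."""
    by_ip = defaultdict(list)
    for ts, ip, user, invalid in parse_failures(text):
        by_ip[ip].append((ts, user, invalid))
    report = {}
    for ip, events in by_ip.items():
        times = sorted(ts for ts, _, _ in events)
        # True if any max_retry consecutive failures fit inside find_time
        over = any(times[i + max_retry - 1] - times[i] <= find_time
                   for i in range(len(times) - max_retry + 1))
        report[ip] = {
            "failures": len(events),
            "users": sorted({u for _, u, _ in events}),
            "invalid_users": sorted({u for _, u, inv in events if inv}),
            "over_threshold": over,
        }
    return report

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the sample, one address produces four failures in seven seconds against `root` and two accounts that do not exist on the server, which is the pattern that `PermitRootLogin no` and a ban-after-N-failures rule both address.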