How to tell if hackers are trying to SSH into my Linux box?
Nov 09, 2020
asked by anonymous
Question / Issue:
I have configured my firewall to open up port 22 and route traffic to my Linux box. How can I tell if hackers are trying to log in?
Responses:
Date: Nov. 9, 2020
Author: Mind Chasers
Comment:
On Ubuntu, you can see failed login attempts at /var/log/auth.log:
$ tail /var/log/auth.log
...
Nov 9 11:40:44 server1 sshd[32766]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=159.203.219.38 user=root
Nov 9 11:40:46 server1 sshd[32766]: Failed password for root from 159.203.219.38 port 49802 ssh2
Nov 9 11:40:46 server1 sshd[32766]: Received disconnect from 159.203.219.38 port 49802:11: Bye Bye [preauth]
Nov 9 11:40:46 server1 sshd[32766]: Disconnected from authenticating user root 159.203.219.38 port 49802 [preauth]
Consider moving your SSH server to another port. Also, if your machine is local, then disable logging in with a password.
See Automate Your SSH Login with Public Key Authentication
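A way to summarize the "Failed password" lines shown in the answer above, as an added example that is not part of the original post. The function names failed_ssh_by_ip and sample_auth_log are hypothetical, the sample lines are constructed, and the parser assumes the traditional syslog layout seen in the tail output (month, day, time, host, sshd[pid]:).

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.
# Assumes the traditional syslog layout: Mon DD HH:MM:SS host sshd[pid]: msg

failed_ssh_by_ip() {
    # Reads auth.log lines from the named files, or stdin when none are given.
    awk '
        $5 ~ /^sshd\[[0-9]+\]:$/ {
            n = 1; f = 6
            # rsyslog collapses duplicates into
            # "message repeated N times: [ ... ]"; count them N times.
            if ($6 == "message" && $7 == "repeated" && $9 == "times:") {
                n = $8 + 0; f = 11
            }
            # The username is supplied by the remote client, so take the
            # address by position from the end of the line rather than
            # after the first "from".
            if ($f == "Failed" && $(f + 1) == "password" &&
                $(NF - 4) == "from" && $(NF - 2) == "port")
                count[$(NF - 3)] += n
        }
        END { for (ip in count) print count[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input using documentation-range addresses.
sample_auth_log() {
    cat <<'EOF'
Nov  9 11:40:46 server1 sshd[32766]: Failed password for root from 203.0.113.7 port 49802 ssh2
Nov  9 11:40:46 server1 sshd[32766]: Received disconnect from 203.0.113.7 port 49802:11: Bye Bye [preauth]
Nov  9 11:40:49 server1 sshd[32768]: message repeated 2 times: [ Failed password for root from 203.0.113.7 port 49810 ssh2]
Nov  9 11:41:02 server1 sshd[32770]: Failed password for invalid user admin from 198.51.100.23 port 51514 ssh2
Nov  9 11:41:05 server1 sshd[32772]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.23 port 51520 ssh2
Nov  9 11:42:10 server1 sshd[32780]: Accepted password for alice from 192.0.2.50 port 40022 ssh2
EOF
}

# Prints "count address", highest count first.
sample_auth_log | failed_ssh_by_ip
```

On a real system, call failed_ssh_by_ip /var/log/auth.log (reading the file usually needs root or membership in the adm group); rotated logs can be passed as additional arguments.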