How to tell if hackers are trying to SSH into my Linux box?
Nov 09, 2020 asked by anonymous
Question / Issue:
I have configured my firewall to open up port 22 and route traffic to my Linux box. How can I tell if hackers are trying to log in?
Date: Nov. 9, 2020
Author: Mind Chasers
On Ubuntu, you can see failed login attempts at /var/log/auth.log $ tail /var/log/auth.log ... Nov 9 11:40:44 server1 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=184.108.40.206 user=root Nov 9 11:40:46 server1 sshd: Failed password for root from 220.127.116.11 port 49802 ssh2 Nov 9 11:40:46 server1 sshd: Received disconnect from 18.104.22.168 port 49802:11: Bye Bye [preauth] Nov 9 11:40:46 server1 sshd: Disconnected from authenticating user root 22.214.171.124 port 49802 [preauth] Consider moving your SSH server to another port. Also, if your machine is local, then disable logging in with a password. See Automate Your SSH Login with Public Key Authentication