
ssh – failed login attempts on CentOS

SSH is a secure protocol, but exposing the SSH port to the internet without a firewall, a VPN, or an allow-list of permitted source hosts is an invitation: scanners find the open port within hours and start brute-forcing usernames and passwords against it. On a machine whose SSH port is exposed this way, a successful login is typically greeted with a message like the following:

Last login: Sat Sep 17 22:19:04 EDT 2016 on pts/1
Last failed login: Mon Sep 26 16:10:54 EDT 2016 from on ssh:notty
There were 55922 failed login attempts since the last successful login.

Here is how to identify which usernames are being tried and which source IP address each attempt comes from. On CentOS, sshd logs through syslog to /var/log/secure, so the following command lists every connection that tried an account that does not exist on the box (attempts against real accounts, such as root, are logged as "Failed password for root from ..." instead and need a separate grep):

[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'

Here is sample output; the source IP addresses have been masked:

[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from
Sep 26 03:58:26 bigbox sshd[1680]: Invalid user admin from
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from
Sep 26 05:51:28 bigbox sshd[5057]: Invalid user admin from
Sep 26 05:51:33 bigbox sshd[5059]: Invalid user support from
Sep 26 05:52:02 bigbox sshd[5084]: Invalid user guest from
Sep 26 05:52:07 bigbox sshd[5086]: Invalid user PlcmSpIp from
Sep 26 06:22:19 bigbox sshd[5990]: Invalid user admin from
Sep 26 06:22:25 bigbox sshd[5992]: Invalid user ubnt from
Sep 26 06:22:31 bigbox sshd[5995]: Invalid user user from
Sep 26 06:22:36 bigbox sshd[5997]: Invalid user user from
Sep 26 06:22:47 bigbox sshd[5999]: Invalid user admin from
Sep 26 06:22:50 bigbox sshd[6003]: Invalid user support from
Sep 26 06:23:11 bigbox sshd[6008]: Invalid user pi from
Sep 26 06:49:36 bigbox sshd[6614]: Invalid user root2 from
Sep 26 07:21:01 bigbox sshd[9064]: Invalid user syslog from
Sep 26 07:21:14 bigbox sshd[9073]: Invalid user eth0 from
Sep 26 07:21:52 bigbox sshd[9106]: Invalid user ahmed from
Sep 26 07:30:51 bigbox sshd[9724]: Invalid user kevin_lin from
Sep 26 07:30:55 bigbox sshd[9727]: Invalid user avis from
Sep 26 07:30:59 bigbox sshd[9730]: Invalid user cron from
Sep 26 07:31:03 bigbox sshd[9732]: Invalid user ucpss from
Sep 26 07:31:07 bigbox sshd[9734]: Invalid user last from
Sep 26 07:31:20 bigbox sshd[9742]: Invalid user ucpss from
Sep 26 07:31:25 bigbox sshd[9744]: Invalid user ucpss from
Sep 26 07:31:37 bigbox sshd[9752]: Invalid user last from
Sep 26 07:35:31 bigbox sshd[9957]: Invalid user r00t from
Sep 26 07:36:09 bigbox sshd[9986]: Invalid user phper from
Sep 26 07:36:13 bigbox sshd[9990]: Invalid user phper from
Sep 26 07:36:17 bigbox sshd[9992]: Invalid user damnpoet from
Sep 26 07:36:21 bigbox sshd[9994]: Invalid user wordpress from
Sep 26 07:36:25 bigbox sshd[9996]: Invalid user jenkins from
Sep 26 07:36:29 bigbox sshd[9998]: Invalid user minecraft from
Sep 26 07:36:34 bigbox sshd[10000]: Invalid user wuryanto from
Sep 26 07:36:38 bigbox sshd[10002]: Invalid user damriftp from
Sep 26 07:36:42 bigbox sshd[10004]: Invalid user userftp from
Sep 26 07:36:46 bigbox sshd[10006]: Invalid user damri from
Sep 26 07:36:51 bigbox sshd[10011]: Invalid user veeambackup from
Sep 26 07:36:55 bigbox sshd[10015]: Invalid user kenny from
Sep 26 07:36:59 bigbox sshd[10017]: Invalid user www from
Sep 26 07:37:03 bigbox sshd[10019]: Invalid user fedora from
Sep 26 07:37:07 bigbox sshd[10021]: Invalid user ubuntu from
Sep 26 07:37:11 bigbox sshd[10023]: Invalid user wwwuser from
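To get more than a raw list, the following script (an added example, not part of the original post) summarises the same log format: it counts rejected password attempts per target account and per source address, which is what you need to decide which sources to block and which accounts the attackers are guessing. It reads the "Failed password for ..." lines rather than the "Invalid user ..." lines, because those are written once per attempt and also cover real accounts such as root. The log lines embedded in it are constructed for the example, with RFC 5737 documentation addresses standing in for real attackers; on a live CentOS box point the functions at /var/log/secure instead.

```shell
#!/bin/sh
# Added example: summarise sshd brute-force activity from a /var/log/secure-style log.
# The sample below is constructed for this example (documentation IP ranges, not real attackers).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from 203.0.113.10
Sep 26 03:58:24 bigbox sshd[1677]: input_userauth_request: invalid user admin [preauth]
Sep 26 03:58:26 bigbox sshd[1677]: Failed password for invalid user admin from 203.0.113.10 port 51922 ssh2
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from 203.0.113.10
Sep 26 04:24:13 bigbox sshd[2583]: Failed password for invalid user support from 203.0.113.10 port 51930 ssh2
Sep 26 05:51:28 bigbox sshd[5057]: Invalid user admin from 203.0.113.10
Sep 26 05:51:30 bigbox sshd[5057]: Failed password for invalid user admin from 203.0.113.10 port 51940 ssh2
Sep 26 05:52:02 bigbox sshd[5084]: Invalid user guest from 203.0.113.10
Sep 26 05:52:04 bigbox sshd[5084]: Failed password for invalid user guest from 203.0.113.10 port 51941 ssh2
Sep 26 06:22:19 bigbox sshd[5990]: Invalid user admin from 198.51.100.7
Sep 26 06:22:21 bigbox sshd[5990]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Sep 26 06:22:25 bigbox sshd[5992]: Failed password for root from 198.51.100.7 port 40020 ssh2
Sep 26 06:22:29 bigbox sshd[5992]: Failed password for root from 198.51.100.7 port 40020 ssh2
Sep 26 07:00:01 bigbox sshd[6100]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Sep 26 07:00:01 bigbox sshd[6100]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF

# One line per rejected password attempt. Unlike "Invalid user", this also covers
# existing accounts (root, service users) that an attacker guesses a password for.
failed_attempts() {   # $1 = log file
    grep -E 'sshd\[[0-9]+\]: Failed password for ' "$1"
}

# Attempts per target account, most attacked first. The optional "invalid user "
# prefix is stripped so real and non-existent accounts are counted the same way.
attempts_by_user() {  # $1 = log file
    failed_attempts "$1" |
    awk '{ sub(/^.*Failed password for (invalid user )?/, ""); print $1 }' |
    sort | uniq -c | sort -rn
}

# Attempts per source address: the field right after "from".
attempts_by_source() {  # $1 = log file
    failed_attempts "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' |
    sort | uniq -c | sort -rn
}

# Sources with at least $2 failures (default 3): the brute-forcers worth blocking
# or checking against the ranges you expect logins from.
noisy_sources() {  # $1 = log file, $2 = threshold
    attempts_by_source "$1" | awk -v min="${2:-3}" '$1 >= min { print $2 }'
}

echo "Rejected password attempts: $(failed_attempts "$SAMPLE_LOG" | wc -l)"
echo "--- by target account ---";   attempts_by_user "$SAMPLE_LOG"
echo "--- by source address ---";   attempts_by_source "$SAMPLE_LOG"
echo "--- sources with 3+ failures ---"; noisy_sources "$SAMPLE_LOG" 3
```

On the constructed sample this reports seven rejected attempts, admin as the most-guessed account, and both documentation addresses as sources with three or more failures. On a real host the per-source list is the one to compare against your own VPN and office ranges before you tighten the allow-list, so that you do not lock yourself out along with the scanners.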

You can protect the server by putting a firewall in front of it, by reaching it only over a VPN, or by allow-listing the source addresses that are permitted to connect. On CentOS 6 and 7, sshd is linked against libwrap, so the allow-list can be expressed with TCP wrappers in:

/etc/hosts.allow /etc/hosts.deny

Two caveats. First, hosts.allow is evaluated before hosts.deny, and a client that matches neither file is granted access, so an allow-list only bites if hosts.deny also carries a catch-all "sshd: ALL" entry. Second, TCP wrappers support was dropped from upstream OpenSSH in 6.7 and from RHEL/CentOS 8 entirely; there, use firewalld (or an AllowUsers user@address pattern in sshd_config) to enforce the same restriction.

Most important, do not leave the SSH port open to the world without securing it.
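As an added example that is not part of the original post, here is what such an allow-list looks like, together with a small check of how TCP wrappers will evaluate it. The files are written to a scratch directory rather than /etc so the rule ordering can be exercised before the change goes live. The wrapper_decision function is a simplified re-implementation of the hosts_access(5) matching rules written for this example (it understands ALL, exact IPv4 addresses, dotted net/mask pairs and trailing-dot network prefixes, but not EXCEPT, hostnames or option fields); the 203.0.113.0/24 VPN pool and the 192.0.2.10 jump host are assumptions standing in for your own networks. On a real box with the tcp_wrappers package installed, tcpdmatch sshd <address> performs the equivalent check against the live files.

```shell
#!/bin/sh
# Added example: stage an sshd allow-list for TCP wrappers and check how it is evaluated.
# The networks are RFC 5737 documentation ranges and stand in for your VPN / jump-host ranges.
STAGE=$(mktemp -d)
trap 'rm -rf "$STAGE"' EXIT

cat > "$STAGE/hosts.allow" <<'EOF'
# Only the VPN pool and the admin jump host may reach sshd.
sshd: 203.0.113.0/255.255.255.0, 192.0.2.10
EOF

cat > "$STAGE/hosts.deny" <<'EOF'
# hosts.allow is consulted first; clients that did not match it fall through to here.
# Without this line the allow-list grants nothing extra: unmatched clients are allowed by default.
sshd: ALL
EOF

# Simplified hosts_access(5) decision for an IPv4 client: "allow" if it matches an entry for the
# daemon in hosts.allow, "deny" if it matches one in hosts.deny, otherwise "allow" (the default).
# Supports ALL, exact addresses, dotted net/mask pairs and "10." style prefixes only.
wrapper_decision() {  # $1 = daemon, $2 = client IPv4, $3 = directory holding hosts.allow / hosts.deny
    for table in allow deny; do
        if awk -v daemon="$1" -v ip="$2" '
            # Is the client inside net/mask? Each mask octet leaves a block of 256 - octet addresses.
            function in_net(net, mask,    a, b, m, i, blk) {
                split(ip, a, "."); split(net, b, "."); split(mask, m, ".")
                for (i = 1; i <= 4; i++) {
                    blk = 256 - m[i]
                    if (a[i] - a[i] % blk != b[i] - b[i] % blk) return 0
                }
                return 1
            }
            function client_matches(pat,    nm) {
                if (pat == "ALL") return 1
                if (pat ~ /\.$/) return index(ip, pat) == 1       # network prefix such as "10."
                if (split(pat, nm, "/") == 2) return in_net(nm[1], nm[2])
                return pat == ip                                  # exact address
            }
            /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comments and blank lines
            {
                if (split($0, f, ":") < 2) next                   # daemon_list : client_list [: options]
                gsub(/,/, " ", f[1]); gsub(/,/, " ", f[2])
                nd = split(f[1], d, /[ \t]+/); ok = 0
                for (i = 1; i <= nd; i++) if (d[i] == "ALL" || d[i] == daemon) ok = 1
                if (!ok) next
                nc = split(f[2], c, /[ \t]+/)
                for (i = 1; i <= nc; i++) if (c[i] != "" && client_matches(c[i])) { hit = 1; exit }
            }
            END { exit hit ? 0 : 1 }
        ' "$3/hosts.$table"; then
            echo "$table"; return
        fi
    done
    echo allow   # matched neither table: hosts_access(5) grants access by default
}

for client in 203.0.113.77 192.0.2.10 192.0.2.11 198.51.100.9; do
    echo "sshd from $client: $(wrapper_decision sshd "$client" "$STAGE")"
done
echo "vsftpd from 198.51.100.9: $(wrapper_decision vsftpd 198.51.100.9 "$STAGE")"
```

The last line of output is the trap to notice: a daemon that is not named in hosts.deny stays reachable from everywhere, exactly as sshd would if the "sshd: ALL" deny entry were forgotten. Once the staged files behave as intended, copy them into /etc and confirm with tcpdmatch, then from a second session before closing the one you are logged in on.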