
ssh – failed login attempts on CentOS

Although SSH is a secure protocol, exposing the SSH port to the Internet without a firewall, a VPN, or a whitelist of allowed hosts is a real security risk: attackers scan for open ports and brute-force usernames and passwords to get into your network. On a machine whose SSH port is not protected, a successful login greets you with a message like the following:


Last login: Sat Sep 17 22:19:04 EDT 2016 on pts/1
Last failed login: Mon Sep 26 16:10:54 EDT 2016 from xxx.xxx.xxx.xxx on ssh:notty
There were 55922 failed login attempts since the last successful login.

Here is how to identify which usernames are being tried and which source IP addresses the attempts are coming from. The following command is run on CentOS:


[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'

Here is sample output. Most IP addresses have been masked as xxx.xxx.xxx.xxx:


[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from 115.239.248.35
Sep 26 03:58:26 bigbox sshd[1680]: Invalid user admin from 115.239.248.35
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from 113.22.34.206
Sep 26 05:51:28 bigbox sshd[5057]: Invalid user admin from xxx.xxx.xxx.xxx
Sep 26 05:51:33 bigbox sshd[5059]: Invalid user support from xxx.xxx.xxx.xxx
Sep 26 05:52:02 bigbox sshd[5084]: Invalid user guest from xxx.xxx.xxx.xxx
Sep 26 05:52:07 bigbox sshd[5086]: Invalid user PlcmSpIp from xxx.xxx.xxx.xxx
Sep 26 06:22:19 bigbox sshd[5990]: Invalid user admin from xxx.xxx.xxx.xxx
Sep 26 06:22:25 bigbox sshd[5992]: Invalid user ubnt from xxx.xxx.xxx.xxx
Sep 26 06:22:31 bigbox sshd[5995]: Invalid user user from xxx.xxx.xxx.xxx
Sep 26 06:22:36 bigbox sshd[5997]: Invalid user user from xxx.xxx.xxx.xxx
Sep 26 06:22:47 bigbox sshd[5999]: Invalid user admin from xxx.xxx.xxx.xxx
Sep 26 06:22:50 bigbox sshd[6003]: Invalid user support from xxx.xxx.xxx.xxx
Sep 26 06:23:11 bigbox sshd[6008]: Invalid user pi from xxx.xxx.xxx.xxx
Sep 26 06:49:36 bigbox sshd[6614]: Invalid user root2 from xxx.xxx.xxx.xxx
Sep 26 07:21:01 bigbox sshd[9064]: Invalid user syslog from xxx.xxx.xxx.xxx
Sep 26 07:21:14 bigbox sshd[9073]: Invalid user eth0 from xxx.xxx.xxx.xxx
Sep 26 07:21:52 bigbox sshd[9106]: Invalid user ahmed from xxx.xxx.xxx.xxx
Sep 26 07:30:51 bigbox sshd[9724]: Invalid user kevin_lin from xxx.xxx.xxx.xxx
Sep 26 07:30:55 bigbox sshd[9727]: Invalid user avis from xxx.xxx.xxx.xxx
Sep 26 07:30:59 bigbox sshd[9730]: Invalid user cron from xxx.xxx.xxx.xxx
Sep 26 07:31:03 bigbox sshd[9732]: Invalid user ucpss from xxx.xxx.xxx.xxx
Sep 26 07:31:07 bigbox sshd[9734]: Invalid user last from xxx.xxx.xxx.xxx
Sep 26 07:31:20 bigbox sshd[9742]: Invalid user ucpss from xxx.xxx.xxx.xxx
Sep 26 07:31:25 bigbox sshd[9744]: Invalid user ucpss from xxx.xxx.xxx.xxx
Sep 26 07:31:37 bigbox sshd[9752]: Invalid user last from xxx.xxx.xxx.xxx
Sep 26 07:35:31 bigbox sshd[9957]: Invalid user r00t from xxx.xxx.xxx.xxx
Sep 26 07:36:09 bigbox sshd[9986]: Invalid user phper from xxx.xxx.xxx.xxx
Sep 26 07:36:13 bigbox sshd[9990]: Invalid user phper from xxx.xxx.xxx.xxx
Sep 26 07:36:17 bigbox sshd[9992]: Invalid user damnpoet from xxx.xxx.xxx.xxx
Sep 26 07:36:21 bigbox sshd[9994]: Invalid user wordpress from xxx.xxx.xxx.xxx
Sep 26 07:36:25 bigbox sshd[9996]: Invalid user jenkins from xxx.xxx.xxx.xxx
Sep 26 07:36:29 bigbox sshd[9998]: Invalid user minecraft from xxx.xxx.xxx.xxx
Sep 26 07:36:34 bigbox sshd[10000]: Invalid user wuryanto from xxx.xxx.xxx.xxx
Sep 26 07:36:38 bigbox sshd[10002]: Invalid user damriftp from xxx.xxx.xxx.xxx
Sep 26 07:36:42 bigbox sshd[10004]: Invalid user userftp from xxx.xxx.xxx.xxx
Sep 26 07:36:46 bigbox sshd[10006]: Invalid user damri from xxx.xxx.xxx.xxx
Sep 26 07:36:51 bigbox sshd[10011]: Invalid user veeambackup from xxx.xxx.xxx.xxx
Sep 26 07:36:55 bigbox sshd[10015]: Invalid user kenny from xxx.xxx.xxx.xxx
Sep 26 07:36:59 bigbox sshd[10017]: Invalid user www from xxx.xxx.xxx.xxx
Sep 26 07:37:03 bigbox sshd[10019]: Invalid user fedora from xxx.xxx.xxx.xxx
Sep 26 07:37:07 bigbox sshd[10021]: Invalid user ubuntu from xxx.xxx.xxx.xxx
Sep 26 07:37:11 bigbox sshd[10023]: Invalid user wwwuser from xxx.xxx.xxx.xxx
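Grepping shows the raw lines, but on a box with 55,922 failures what you actually want is a ranking: which source IPs are hammering you and which usernames they are guessing. The following script is an added example, not part of the original post; it parses the "Invalid user" lines in the /var/log/secure format shown above (and also tolerates the " port NNNNN" suffix that newer OpenSSH builds on CentOS 7 append) and counts attempts per IP and per username. The sample log it reads is constructed here for illustration.

```bash
#!/usr/bin/env bash
# Added example: rank sshd "Invalid user" events by source IP and by username.
# $1 = log file in /var/log/secure format, $2 = "ip" or "user".
# Prints "count<TAB>value" lines, highest count first.
summarize_invalid_logins() {
    local logfile="$1" field="$2"
    awk -v field="$field" '
        / sshd\[[0-9]+\]: Invalid user / {
            sub(/^.* sshd\[[0-9]+\]: Invalid user /, "")   # keep "NAME from IP[ port N]"
            sub(/ port [0-9]+$/, "")                         # drop port suffix (newer OpenSSH)
            if (!match($0, / from [^ ]+$/)) next             # the last " from " precedes the IP
            user = substr($0, 1, RSTART - 1)                 # username may contain spaces
            ip   = substr($0, RSTART + 6)
            count[(field == "ip") ? ip : user]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }' "$logfile" |
    sort -k1,1nr -k2,2
}

# Constructed sample in the same shape as the CentOS output above (RFC 5737 test addresses).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from 192.0.2.10
Sep 26 03:58:26 bigbox sshd[1680]: Invalid user admin from 192.0.2.10
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from 198.51.100.7
Sep 26 05:51:28 bigbox sshd[5057]: Invalid user guest from 192.0.2.10 port 51022
Sep 26 05:51:33 bigbox sshd[5059]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2
EOF

top_ips()   { summarize_invalid_logins "$SAMPLE_LOG" ip; }
top_users() { summarize_invalid_logins "$SAMPLE_LOG" user; }

# Stand-alone run: print both rankings for the sample log.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "== invalid-user attempts per source IP =="; top_ips
    echo "== invalid-user attempts per username =="; top_users
fi
```

Point it at the real file with `summarize_invalid_logins /var/log/secure ip | head` to get the noisiest sources first; the "Accepted" line in the sample shows that successful logins are ignored by the filter.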

You can secure your Linux server by configuring the firewall, by allowing SSH access only over a VPN, or by whitelisting the permitted source addresses for sshd with TCP Wrappers:

/etc/hosts.allow /etc/hosts.deny

Note that upstream OpenSSH removed TCP Wrappers support in version 6.7, so on builds without it hosts.allow and hosts.deny are silently ignored by sshd; in that case rely on the firewall or on sshd_config restrictions such as AllowUsers with user@host patterns instead.

Most important: do not leave the SSH port open without securing it.