SSH – failed login attempts on CentOS

Although SSH is a secure protocol, opening the SSH port without a firewall or VPN, or without whitelisting the allowed hosts, can create security vulnerabilities: attackers scan for open ports and use brute-force username and password guessing to get into your network. On a machine whose SSH port is not secured, you will see the following message after a successful SSH login:

Last login: Sat Sep 17 22:19:04 EDT 2016 on pts/1
Last failed login: Mon Sep 26 16:10:54 EDT 2016 from on ssh:notty
There were 55922 failed login attempts since the last successful login.

Here is how you can identify who is attempting to log in and from which IP address (source) the requests are coming. The following command is executed on CentOS:

[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'

Here is the sample output. The IP addresses are masked in the output below:

[root@bigbox ~]# cat /var/log/secure | grep 'sshd.*Invalid'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from
Sep 26 03:58:26 bigbox sshd[1680]: Invalid user admin from
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from
Sep 26 05:51:28 bigbox sshd[5057]: Invalid user admin from
Sep 26 05:51:33 bigbox sshd[5059]: Invalid user support from
Sep 26 05:52:02 bigbox sshd[5084]: Invalid user guest from
Sep 26 05:52:07 bigbox sshd[5086]: Invalid user PlcmSpIp from
Sep 26 06:22:19 bigbox sshd[5990]: Invalid user admin from
Sep 26 06:22:25 bigbox sshd[5992]: Invalid user ubnt from
Sep 26 06:22:31 bigbox sshd[5995]: Invalid user user from
Sep 26 06:22:36 bigbox sshd[5997]: Invalid user user from
Sep 26 06:22:47 bigbox sshd[5999]: Invalid user admin from
Sep 26 06:22:50 bigbox sshd[6003]: Invalid user support from
Sep 26 06:23:11 bigbox sshd[6008]: Invalid user pi from
Sep 26 06:49:36 bigbox sshd[6614]: Invalid user root2 from
Sep 26 07:21:01 bigbox sshd[9064]: Invalid user syslog from
Sep 26 07:21:14 bigbox sshd[9073]: Invalid user eth0 from
Sep 26 07:21:52 bigbox sshd[9106]: Invalid user ahmed from
Sep 26 07:30:51 bigbox sshd[9724]: Invalid user kevin_lin from
Sep 26 07:30:55 bigbox sshd[9727]: Invalid user avis from
Sep 26 07:30:59 bigbox sshd[9730]: Invalid user cron from
Sep 26 07:31:03 bigbox sshd[9732]: Invalid user ucpss from
Sep 26 07:31:07 bigbox sshd[9734]: Invalid user last from
Sep 26 07:31:20 bigbox sshd[9742]: Invalid user ucpss from
Sep 26 07:31:25 bigbox sshd[9744]: Invalid user ucpss from
Sep 26 07:31:37 bigbox sshd[9752]: Invalid user last from
Sep 26 07:35:31 bigbox sshd[9957]: Invalid user r00t from
Sep 26 07:36:09 bigbox sshd[9986]: Invalid user phper from
Sep 26 07:36:13 bigbox sshd[9990]: Invalid user phper from
Sep 26 07:36:17 bigbox sshd[9992]: Invalid user damnpoet from
Sep 26 07:36:21 bigbox sshd[9994]: Invalid user wordpress from
Sep 26 07:36:25 bigbox sshd[9996]: Invalid user jenkins from
Sep 26 07:36:29 bigbox sshd[9998]: Invalid user minecraft from
Sep 26 07:36:34 bigbox sshd[10000]: Invalid user wuryanto from
Sep 26 07:36:38 bigbox sshd[10002]: Invalid user damriftp from
Sep 26 07:36:42 bigbox sshd[10004]: Invalid user userftp from
Sep 26 07:36:46 bigbox sshd[10006]: Invalid user damri from
Sep 26 07:36:51 bigbox sshd[10011]: Invalid user veeambackup from
Sep 26 07:36:55 bigbox sshd[10015]: Invalid user kenny from
Sep 26 07:36:59 bigbox sshd[10017]: Invalid user www from
Sep 26 07:37:03 bigbox sshd[10019]: Invalid user fedora from
Sep 26 07:37:07 bigbox sshd[10021]: Invalid user ubuntu from
Sep 26 07:37:11 bigbox sshd[10023]: Invalid user wwwuser from
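
With tens of thousands of attempts, a count per source address and per attempted user name is easier to act on than the raw grep output. The script below is an added example, not part of the original post: the function names tally and sample_log are made up here, and the log lines are constructed, with documentation-range addresses standing in for the masked IPs.

```bash
#!/bin/sh
# Added example (not from the original post): tally sshd "Invalid user" lines.

# Constructed sample in the /var/log/secure format shown above. Addresses are
# RFC 5737 documentation ranges, not real sources.
sample_log() {
cat <<'EOF'
Sep 26 03:58:24 bigbox sshd[1677]: Invalid user admin from 192.0.2.10
Sep 26 03:58:26 bigbox sshd[1680]: Invalid user admin from 192.0.2.10
Sep 26 04:24:11 bigbox sshd[2583]: Invalid user support from 198.51.100.7
Sep 26 05:52:07 bigbox sshd[5086]: Invalid user PlcmSpIp from 192.0.2.10 port 40022
Sep 26 06:23:11 bigbox sshd[6008]: Invalid user pi from 10.0.0.1 from 203.0.113.5
Sep 26 06:49:36 bigbox sshd[6614]: Invalid user root2 from
Sep 26 07:00:00 bigbox sshd[7000]: Accepted password for alice from 192.0.2.99 port 5000 ssh2
EOF
}

# tally src|user [FILE...]: print "count key" lines, busiest first.
# Reads stdin when no file is given, e.g.  tally src /var/log/secure
tally() {
  key=$1; shift
  awk -v key="$key" '
    /sshd\[[0-9]+\]: Invalid user / {
      line = $0
      sub(/^.*sshd\[[0-9]+\]: Invalid user /, "", line)  # keep "<user> from <addr> ..."
      # The user name is chosen by the client and may itself contain " from ",
      # so split on the LAST " from " rather than the first.
      idx = 0; base = 0; tmp = line
      while ((k = index(tmp, " from ")) > 0) {
        idx = base + k; base += k; tmp = substr(tmp, k + 1)
      }
      if (idx == 0) next                        # masked or truncated line
      user = substr(line, 1, idx - 1)
      split(substr(line, idx + 6), f, " ")      # drops a trailing "port N"
      addr = f[1]
      if (addr == "") next
      n[(key == "user") ? user : addr]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

sample_log | tally src     # per source address
sample_log | tally user    # per attempted user name
```

The fifth sample line shows why the last " from " is used: a client-supplied user name containing " from 10.0.0.1" would otherwise be counted as the source address.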

You can secure your Linux server by configuring the firewall, by allowing SSH access only over a VPN, or by whitelisting the allowed IP addresses using the hosts.allow and hosts.deny files:

/etc/hosts.allow
/etc/hosts.deny

Most importantly, do not leave the SSH port open without securing it.
