
Why is my server constantly logging failed ssh login attempts from some unknown IP?


sweharris
2016-05-30, 02:17 PM
58.218.204.215 is in China, according to 'whois' data.

Two obvious possibilities: 1) the previous owner of that IP address had some automation running and didn't disable it; 2) automated scan doing a dictionary attack.

There's a number of things you can do to improve security (e.g. ensure that root logins can only be done via ssh keys; e.g. use something like fail2ban) but I don't think you've broken anything.

warpio
2016-05-30, 11:19 AM
I've just had my dedicated server set up and installed with Ubuntu less than a day ago... I logged in with the temporary root password and then changed the password. All seems good so far. But when I look in /var/log/auth.log I see that some automated system keeps trying to log in as root and failing. Did I actually break something by changing the temporary root password that I was given?

Here's a small part of the auth.log file.
Code:
May 30 14:19:36 ns###### sshd[4412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:19:38 ns###### sshd[4412]: Failed password for root from 58.218.204.215 port 33965 ssh2
May 30 14:19:44 ns###### sshd[4412]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 33965 ssh2]
May 30 14:19:44 ns###### sshd[4412]: Received disconnect from 58.218.204.215 port 33965:11:  [preauth]
May 30 14:19:44 ns###### sshd[4412]: Disconnected from 58.218.204.215 port 33965 [preauth]
May 30 14:19:44 ns###### sshd[4412]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:19:47 ns###### sshd[4414]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:19:49 ns###### sshd[4414]: Failed password for root from 58.218.204.215 port 42564 ssh2
May 30 14:19:54 ns###### sshd[4414]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 42564 ssh2]
May 30 14:19:54 ns###### sshd[4414]: Received disconnect from 58.218.204.215 port 42564:11:  [preauth]
May 30 14:19:54 ns###### sshd[4414]: Disconnected from 58.218.204.215 port 42564 [preauth]
May 30 14:19:54 ns###### sshd[4414]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:19:56 ns###### sshd[4416]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:19:58 ns###### sshd[4416]: Failed password for root from 58.218.204.215 port 52853 ssh2
May 30 14:20:01 ns###### sshd[4416]: Failed password for root from 58.218.204.215 port 52853 ssh2
May 30 14:20:01 ns###### CRON[4418]: pam_unix(cron:session): session opened for user root by (uid=0)
May 30 14:20:01 ns###### CRON[4419]: pam_unix(cron:session): session opened for user smmsp by (uid=0)
May 30 14:20:01 ns###### CRON[4419]: pam_unix(cron:session): session closed for user smmsp
May 30 14:20:01 ns###### CRON[4418]: pam_unix(cron:session): session closed for user root
May 30 14:20:03 ns###### sshd[4416]: Failed password for root from 58.218.204.215 port 52853 ssh2
May 30 14:20:04 ns###### sshd[4416]: Received disconnect from 58.218.204.215 port 52853:11:  [preauth]
May 30 14:20:04 ns###### sshd[4416]: Disconnected from 58.218.204.215 port 52853 [preauth]
May 30 14:20:04 ns###### sshd[4416]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:06 ns###### sshd[4487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:08 ns###### sshd[4487]: Failed password for root from 58.218.204.215 port 60374 ssh2
May 30 14:20:12 ns###### sshd[4487]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 60374 ssh2]
May 30 14:20:12 ns###### sshd[4487]: Received disconnect from 58.218.204.215 port 60374:11:  [preauth]
May 30 14:20:12 ns###### sshd[4487]: Disconnected from 58.218.204.215 port 60374 [preauth]
May 30 14:20:12 ns###### sshd[4487]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:14 ns###### sshd[4489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:17 ns###### sshd[4489]: Failed password for root from 58.218.204.215 port 36842 ssh2
May 30 14:20:22 ns###### sshd[4489]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 36842 ssh2]
May 30 14:20:23 ns###### sshd[4489]: Received disconnect from 58.218.204.215 port 36842:11:  [preauth]
May 30 14:20:23 ns###### sshd[4489]: Disconnected from 58.218.204.215 port 36842 [preauth]
May 30 14:20:23 ns###### sshd[4489]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:25 ns###### sshd[4491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:27 ns###### sshd[4491]: Failed password for root from 58.218.204.215 port 47586 ssh2
May 30 14:20:32 ns###### sshd[4491]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 47586 ssh2]
May 30 14:20:32 ns###### sshd[4491]: Received disconnect from 58.218.204.215 port 47586:11:  [preauth]
May 30 14:20:32 ns###### sshd[4491]: Disconnected from 58.218.204.215 port 47586 [preauth]
May 30 14:20:32 ns###### sshd[4491]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:34 ns###### sshd[4493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:36 ns###### sshd[4493]: Failed password for root from 58.218.204.215 port 55445 ssh2
May 30 14:20:42 ns###### sshd[4493]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 55445 ssh2]
May 30 14:20:42 ns###### sshd[4493]: Received disconnect from 58.218.204.215 port 55445:11:  [preauth]
May 30 14:20:42 ns###### sshd[4493]: Disconnected from 58.218.204.215 port 55445 [preauth]
May 30 14:20:42 ns###### sshd[4493]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:44 ns###### sshd[4496]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:47 ns###### sshd[4496]: Failed password for root from 58.218.204.215 port 37080 ssh2
May 30 14:20:52 ns###### sshd[4496]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 37080 ssh2]
May 30 14:20:52 ns###### sshd[4496]: Received disconnect from 58.218.204.215 port 37080:11:  [preauth]
May 30 14:20:52 ns###### sshd[4496]: Disconnected from 58.218.204.215 port 37080 [preauth]
May 30 14:20:52 ns###### sshd[4496]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:56 ns###### sshd[4498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
May 30 14:20:58 ns###### sshd[4498]: Failed password for root from 58.218.204.215 port 47169 ssh2
May 30 14:21:01 ns###### CRON[4500]: pam_unix(cron:session): session opened for user root by (uid=0)
May 30 14:21:01 ns###### CRON[4500]: pam_unix(cron:session): session closed for user root
May 30 14:21:01 ns###### sshd[4498]: Failed password for root from 58.218.204.215 port 47169 ssh2
May 30 14:21:04 ns###### sshd[4498]: Failed password for root from 58.218.204.215 port 47169 ssh2
May 30 14:21:05 ns###### sshd[4498]: Received disconnect from 58.218.204.215 port 47169:11:  [preauth]
May 30 14:21:05 ns###### sshd[4498]: Disconnected from 58.218.204.215 port 47169 [preauth]
May 30 14:21:05 ns###### sshd[4498]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.215  user=root
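
Added example, not part of either post and not fail2ban's own code: a small parser for the auth.log format shown above that counts failed sshd password attempts per source IP, expanding syslog's "message repeated N times" lines that a plain line count would undercount. The function names, the `max_retry` and `find_time` parameters (loosely modeled on fail2ban's maxretry/findtime settings), the hostname `ns1`, the second IP and the year are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the auth.log excerpt above.
SAMPLE = """\
May 30 14:19:38 ns1 sshd[4412]: Failed password for root from 58.218.204.215 port 33965 ssh2
May 30 14:19:44 ns1 sshd[4412]: message repeated 2 times: [ Failed password for root from 58.218.204.215 port 33965 ssh2]
May 30 14:19:49 ns1 sshd[4414]: Failed password for root from 58.218.204.215 port 42564 ssh2
May 30 14:20:01 ns1 CRON[4418]: pam_unix(cron:session): session opened for user root by (uid=0)
May 30 14:25:10 ns1 sshd[4500]: Failed password for invalid user admin from 192.0.2.7 port 40000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
REPEATED = re.compile(r"message repeated (\d+) times: \[")

def failed_attempts(log_text, year=2016):
    """Yield (timestamp, ip, user) per failed attempt, expanding repeated-message lines."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or " sshd[" not in line:
            continue  # skip CRON, PAM summaries and other non-matching lines
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        rep = REPEATED.search(line)
        for _ in range(int(rep.group(1)) if rep else 1):
            yield ts, m.group(2), m.group(1)

def offenders(log_text, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: peak failures inside any find_time window} for IPs reaching max_retry."""
    by_ip = defaultdict(list)
    for ts, ip, _user in failed_attempts(log_text):
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > find_time:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_retry:
            result[ip] = peak
    return result

if __name__ == "__main__":
    print(offenders(SAMPLE, max_retry=3))
```

On a real host, pass the contents of /var/log/auth.log as `log_text`; the returned addresses are the ones a tool like fail2ban would be expected to block at comparable thresholds.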