mail at root accout / invalid user(under attack?)

O

OrTigaS

Hi!
I have a question, I hope this is the right place to post.
I have this test PC for about 5 days I do test/installing/configuring and when I login as root just today here I have 5 new mail. Now, I read it and I came along this messages hundreds of them.-->>
Code: 
"Feb 5 (time) www sshd[lookslikesportnumber]: Invalid user (user) from (lookslikeIPnumber)"
"Feb 5 (time) www sshd[3321]: input_userauth_request: invalid user (user) [preauth]"
"Feb 5 (time) www sshd[3333]: Bad Protocol version identification " from (lookslikeIPnumber)"
'GET http://www.taobao.com / HTTP/1.1' from (lookslikeIPnumber)"
"Disconnecting Too many Authentication failures for root [preauth]

The [lookslikeportnumber] is a 4 digit number, and the lookslikeIPnumber is like this one 211.60.184.138, 217.171.2.36, 82.208.124.129.

Is my box under attack?

Thanks and regards,
OrTigaS
 
OrTigaS said:
Is my box under attack?
Click to expand...

Yes, of course. Anything connected to the Internet is under constant attack.

There are several things you can do to lessen the risk of getting owned:
  • Make sure you use public key authentication for SSH (instead of password authentication).
  • Change the SSH server's port number. These login attempts are from botnets and they only check 22/TCP for SSH. Moving to another port is the most elegant way to avoid them.
 
OrTigaS said:
Hi!

[...]

Is my box under attack?

Thanks and regards,
OrTigaS
Click to expand...

Hi, @OrTigaS. What you're experiencing is a run-of-the-mill brute-force attack on your open SSH port. It's very common. Here are some simple and effective measures you can take to improve your security and reduce the deluge of unauthorized access attempts.
 
Last edited by a moderator:
OrTigaS said:
Code: 
"Feb 5 (time) www sshd[lookslikesportnumber]: Invalid user (user) from (lookslikeIPnumber)"
"Feb 5 (time) www sshd[3321]: input_userauth_request: invalid user (user) [preauth]"
"Feb 5 (time) www sshd[3333]: Bad Protocol version identification " from (lookslikeIPnumber)"
Click to expand...
Standard SSH brute-force attempts.

Code: 
'GET http://www.taobao.com / HTTP/1.1' from (lookslikeIPnumber)"
Click to expand...
Standard test to see if your web server is configured as a proxy. If it's configured as a proxy they'll abuse it to attack other systems.

As said by others, everything you connect to the internet will get attacked. It's a fact of (internet) life nowadays, unfortunately.
 
You must log in or register to reply here.
Back
Top