Hello,
How would I interpret the following messages in my /var/log/auth.log file?
Mar 29 23:07:30 mail sshd[28268]: Invalid user admin from 122.190.148.29
Mar 29 23:07:30 mail sshd[28268]: input_userauth_request: invalid user admin [preauth]
Mar 29 23:07:31 mail sshd[28268]: error: maximum authentication attempts exceeded for invalid user admin from 122.190.148.29 port 43251$
Mar 29 23:07:31 mail sshd[28268]: Disconnecting: Too many authentication failures for admin [preauth]
Mar 30 00:03:21 mail sshd[476]: Did not receive identification string from 116.7.243.198
Mar 30 00:03:21 mail sshd[474]: Invalid user support from 116.7.243.198
Mar 30 00:03:21 mail sshd[474]: input_userauth_request: invalid user support [preauth]
Mar 30 00:03:21 mail sshd[474]: fatal: Write failed: Connection reset by peer [preauth]
Mar 30 00:05:01 mail CRON[491]: pam_unix(cron:session): session opened for user munin by (uid=0)
Mar 30 00:05:01 mail CRON[492]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 30 00:05:01 mail CRON[492]: pam_unix(cron:session): session closed for user root
Mar 30 00:05:08 mail CRON[491]: pam_unix(cron:session): session closed for user munin
Mar 30 00:06:53 mail sshd[922]: Invalid user admin from 123.96.241.97
Mar 30 00:06:53 mail sshd[922]: input_userauth_request: invalid user admin [preauth]
Mar 30 00:06:54 mail sshd[922]: error: maximum authentication attempts exceeded for invalid user admin from 123.96.241.97 port 45888 ss$
Mar 30 00:06:54 mail sshd[922]: Disconnecting: Too many authentication failures for admin [preauth]
This looks like you have a username “admin” that you are trying to log in with. Since this appears to be an ssh log, I can say that unless you actually have a user named “admin”, that is your issue. Since we are talking Ubuntu here, there is no root account, so just normal users that happen to get sudo access.
If I am missing the point here, please clarify.
The thing is, I was asleep during this period. Are you saying an actual person tried to SSH in as admin, or that a process was running?
Yes.
I can see from this and other posts you are familiar a wee bit with how valuable logs are with Linux. The nice thing is the way Ubuntu is, most of the stock admin account names aren’t there so ssh will block them. If you are truly paranoid (as I am) I would look into fail2ban and set it up for ssh. I would also recommend setting up ssh to require ssh keys, and thus only use an ssh key to gain access to the system.
I do both on all internet exposed systems. Makes life real easy.
Yes, aws requires a key to ssh into the instance. That’s why I am so confused. It appears that the person was eventually successful.
But if someone can guess the url for the mail site, they could just keep entering passwords…
Ahh yes, amazon. I have one Lightsail instance. I would have more if they were more friendly to RHEL/CentOS. Otherwise quite happy with the service.
I am not sure they got in. Based off what you posted I don’t see any evidence that they actually did.
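A small script, added here and not part of the thread, that sorts sshd lines like the ones quoted above into failed pre-auth attempts per source address and successful logins, which is the check for whether anyone actually got in. The sample lines are constructed on the pattern of the quoted ones, with documentation IP addresses and made-up PIDs, ports and key fingerprint.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd messages quoted in the thread
# (documentation IPs 192.0.2.x / 198.51.100.x, made-up PIDs, ports and key).
SAMPLE_LOG = """\
Mar 29 23:07:30 mail sshd[28268]: Invalid user admin from 192.0.2.10
Mar 29 23:07:31 mail sshd[28268]: error: maximum authentication attempts exceeded for invalid user admin from 192.0.2.10 port 43251 ssh2 [preauth]
Mar 30 00:03:21 mail sshd[476]: Did not receive identification string from 192.0.2.77
Mar 30 00:03:21 mail sshd[474]: Invalid user support from 192.0.2.77
Mar 30 00:05:01 mail CRON[491]: pam_unix(cron:session): session opened for user munin by (uid=0)
Mar 30 00:06:53 mail sshd[922]: Invalid user admin from 198.51.100.23
Mar 30 00:09:12 mail sshd[1040]: Accepted publickey for ubuntu from 198.51.100.200 port 50122 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
"""

# Only sshd lines matter; everything after "sshd[pid]: " is the message.
SSHD_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")

# "Invalid user" / "maximum authentication attempts" are pre-auth failures; only "Accepted" is a real login.
PATTERNS = {
    "invalid_user": re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "max_attempts": re.compile(r"^error: maximum authentication attempts exceeded for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
    "no_ident": re.compile(r"^Did not receive identification string from (?P<ip>\S+)"),
    "accepted": re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"),
}

def summarize(log_text):
    """Per source IP: failed pre-auth attempts, usernames tried, accepted logins."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue  # CRON / pam_unix lines are not SSH authentication events
        msg = m.group("msg")
        for kind, pat in PATTERNS.items():
            hit = pat.match(msg)
            if not hit:
                continue
            entry = by_ip[hit.group("ip")]
            if kind == "accepted":
                entry["accepted"].append((hit.group("user"), hit.group("method")))
            else:
                entry["failures"] += 1
                if "user" in hit.groupdict():
                    entry["users"].add(hit.group("user"))
            break  # each message matches at most one pattern
    return dict(by_ip)

def successful_logins(log_text):
    """The question the thread ends on: did anyone actually get in?"""
    return [(ip, u, m) for ip, e in summarize(log_text).items() for u, m in e["accepted"]]
```

Run against a real /var/log/auth.log, an empty result from successful_logins() alongside a long list of "Invalid user" sources is the normal picture of scanner noise rather than a compromise.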
Ok, good to know.
I am going to install fail2ban. Many, many thanks for your help!
No problem. I needed a lot of help back in the day for everything Linux related. Then again, in 1999 things were a lot different, and harder overall. It’s always nice to get a useful answer, which I try to provide.
Fail2ban is installed by the miab setup.