u/DropMinimum1991

I’m seeing some confusing activity in my SSH logs and want to make sure my server is actually secure. I’ve already taken the following hardening steps:

  • Changed the default SSH port (it is no longer 22).
  • Disabled password authentication (PasswordAuthentication no and ChallengeResponseAuthentication no are set in sshd_config).
  • Enabled SSH key-based authentication only.
  • Set up Fail2Ban (configured to ban after 5 failed attempts).

Despite this, my logs are still showing attempts like this: Mar 03 02:00:03 root sshd[52415]: Failed password for root from 185.91.69.217 port 32958 ssh2

My questions are:

  1. Why is the SSH daemon even responding to a "password" attempt if password auth is disabled?
  2. Even if the attacker somehow guessed the "correct" password, would they be able to get in, or does the server reject the password phase entirely before checking the string?
  3. Is there a way to prevent SSH from even processing these attempts so they don't clutter my logs?

Here is the log sample:

Mar 03 01:48:20 root sshd[49094]: Invalid user  from 209.38.22.99 port 41928
Mar 03 01:48:28 root sshd[49094]: Connection closed by invalid user  209.38.22.99 port 41928 [preauth]
Mar 03 01:54:14 root sshd[52269]: Invalid user admin from 185.91.69.217 port 32968
Mar 03 01:54:14 root sshd[52269]: pam_unix(sshd:auth): check pass; user unknown
Mar 03 01:54:14 root sshd[52269]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217
Mar 03 01:54:16 root sshd[52269]: Failed password for invalid user admin from 185.91.69.217 port 32968 ssh2
Mar 03 01:54:18 root sshd[52269]: Connection closed by invalid user admin 185.91.69.217 port 32968 [preauth]
Mar 03 01:56:39 root sshd[52346]: Invalid user orangepi from 185.91.69.217 port 36228
Mar 03 01:56:39 root sshd[52346]: pam_unix(sshd:auth): check pass; user unknown
Mar 03 01:56:39 root sshd[52346]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217
Mar 03 01:56:41 root sshd[52346]: Failed password for invalid user orangepi from 185.91.69.217 port 36228 ssh2
Mar 03 01:56:43 root sshd[52346]: Connection closed by invalid user orangepi 185.91.69.217 port 36228 [preauth]
Mar 03 02:00:02 root sshd[52415]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:00:03 root sshd[52415]: Failed password for root from 185.91.69.217 port 32958 ssh2
Mar 03 02:00:04 root sshd[52415]: Connection closed by authenticating user root 185.91.69.217 port 32958 [preauth]
Mar 03 02:02:20 root sshd[52482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:02:23 root sshd[52482]: Failed password for root from 185.91.69.217 port 53780 ssh2
Mar 03 02:02:23 root sshd[52482]: Connection closed by authenticating user root 185.91.69.217 port 53780 [preauth]
Mar 03 02:04:44 root sshd[52527]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:04:45 root sshd[52527]: Failed password for root from 185.91.69.217 port 53632 ssh2
Mar 03 02:04:47 root sshd[52527]: Connection closed by authenticating user root 185.91.69.217 port 53632 [preauth]
Mar 03 02:08:07 root sshd[52601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:08:08 root sshd[52601]: Failed password for root from 185.91.69.217 port 44942 ssh2
Mar 03 02:08:10 root sshd[52601]: Connection closed by authenticating user root 185.91.69.217 port 44942 [preauth]
Mar 03 02:10:29 root sshd[52668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:10:31 root sshd[52668]: Failed password for root from 185.91.69.217 port 34832 ssh2
Mar 03 02:10:32 root sshd[52668]: Connection closed by authenticating user root 185.91.69.217 port 34832 [preauth]
Mar 03 02:12:51 root sshd[52715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.91.69.217  user=r>
Mar 03 02:12:53 root sshd[52715]: Failed password for root from 185.91.69.217 port 58576 ssh2
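A small parser for the log sample above, added here as an example and not part of the post: it tallies password failures and usernames per source IP, counts connections that ended at the [preauth] stage, and flags any "Accepted" line, which is the event that would actually matter. The "Accepted ... for ... from" pattern and the threshold of 5 (the Fail2Ban setting the post mentions) are assumptions; the embedded lines are a constructed subset of the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the journald lines quoted in the post above.
SAMPLE_LOG = """\
Mar 03 01:48:20 root sshd[49094]: Invalid user  from 209.38.22.99 port 41928
Mar 03 01:48:28 root sshd[49094]: Connection closed by invalid user  209.38.22.99 port 41928 [preauth]
Mar 03 01:54:14 root sshd[52269]: Invalid user admin from 185.91.69.217 port 32968
Mar 03 01:54:16 root sshd[52269]: Failed password for invalid user admin from 185.91.69.217 port 32968 ssh2
Mar 03 01:54:18 root sshd[52269]: Connection closed by invalid user admin 185.91.69.217 port 32968 [preauth]
Mar 03 02:00:03 root sshd[52415]: Failed password for root from 185.91.69.217 port 32958 ssh2
Mar 03 02:00:04 root sshd[52415]: Connection closed by authenticating user root 185.91.69.217 port 32958 [preauth]
Mar 03 02:02:23 root sshd[52482]: Failed password for root from 185.91.69.217 port 53780 ssh2
Mar 03 02:02:23 root sshd[52482]: Connection closed by authenticating user root 185.91.69.217 port 53780 [preauth]
"""

# OpenSSH message wording; the username is empty in the first "Invalid user"
# line of the sample, hence \S* rather than \S+ where a name may be missing.
RE_FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
RE_INVALID = re.compile(r"Invalid user (\S*) from (\S+) port \d+")
RE_CLOSED = re.compile(r"Connection closed by (?:invalid|authenticating) user (\S*) ?(\S+) port \d+( \[preauth\])?")
RE_ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")  # assumed success line

def summarize(log_text):
    """Per-source summary: password failures, usernames tried, connections
    that ended before authentication, and any accepted login."""
    failed = Counter()
    users = defaultdict(set)
    preauth_closed = 0
    accepted = []
    for line in log_text.splitlines():
        if m := RE_FAILED.search(line):
            failed[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
        elif m := RE_INVALID.search(line):
            users[m.group(2)].add(m.group(1))
        elif m := RE_CLOSED.search(line):
            preauth_closed += 1 if m.group(3) else 0
        elif m := RE_ACCEPTED.search(line):
            accepted.append((m.group(3), m.group(2), m.group(1)))  # (ip, user, method)
    return {"failed": dict(failed), "users": {k: sorted(v) for k, v in users.items()},
            "preauth_closed": preauth_closed, "accepted": accepted}

def sources_over_threshold(summary, max_failures=5):
    """Sources whose failure count reaches the ban threshold named in the post (5)."""
    return sorted(ip for ip, n in summary["failed"].items() if n >= max_failures)
```

Running summarize(SAMPLE_LOG) shows three failures from 185.91.69.217, four connections closed at [preauth], and no accepted login.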
u/DropMinimum1991 — 16 days ago