Why are there so many SSH login attempts in auth.log?
Good afternoon!
The file /var/log/auth.log on my server contains a large number of SSH login attempts. Is this an attack attempt? The server has only been running for a short time; I checked the IP addresses and they point to India, China and so on. What would you advise?
Apr 25 08:27:05 databaseserver sshd[356844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.71.147.93
Apr 25 08:27:07 databaseserver sshd[356844]: Failed password for invalid user testuser from 120.71.147.93 port 47522 ssh2
Apr 25 08:27:09 databaseserver sshd[356844]: Received disconnect from 120.71.147.93 port 47522:11: Bye Bye [preauth]
Apr 25 08:27:09 databaseserver sshd[356844]: Disconnected from invalid user testuser 120.71.147.93 port 47522 [preauth]
Apr 25 08:27:12 databaseserver sshd[356846]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.229.240.81 user=root
Apr 25 08:27:14 databaseserver sshd[356846]: Failed password for root from 58.229.240.81 port 59512 ssh2
Apr 25 08:27:16 databaseserver sshd[356846]: Received disconnect from 58.229.240.81 port 59512:11: Bye Bye [preauth]
Apr 25 08:27:16 databaseserver sshd[356846]: Disconnected from authenticating user root 58.229.240.81 port 59512 [preauth]
Apr 25 08:27:27 databaseserver sshd[356848]: Invalid user user2 from 218.14.208.90 port 23676
Apr 25 08:27:27 databaseserver sshd[356848]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:27:27 databaseserver sshd[356848]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.14.208.90
Apr 25 08:27:29 databaseserver sshd[356848]: Failed password for invalid user user2 from 218.14.208.90 port 23676 ssh2
Apr 25 08:27:31 databaseserver sshd[356848]: Received disconnect from 218.14.208.90 port 23676:11: Bye Bye [preauth]
Apr 25 08:27:31 databaseserver sshd[356848]: Disconnected from invalid user user2 218.14.208.90 port 23676 [preauth]
Apr 25 08:27:34 databaseserver sshd[356852]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.47.229.130 user=root
Apr 25 08:27:36 databaseserver sshd[356852]: Failed password for root from 59.47.229.130 port 19369 ssh2
Apr 25 08:27:39 databaseserver sshd[356852]: Received disconnect from 59.47.229.130 port 19369:11: Bye Bye [preauth]
Apr 25 08:27:39 databaseserver sshd[356852]: Disconnected from authenticating user root 59.47.229.130 port 19369 [preauth]
Apr 25 08:27:44 databaseserver sshd[356854]: Connection closed by 119.27.189.190 port 55860 [preauth]
Apr 25 08:27:47 databaseserver sshd[356857]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.13.27.156 user=root
Apr 25 08:27:49 databaseserver sshd[356857]: Failed password for root from 106.13.27.156 port 46746 ssh2
Apr 25 08:27:51 databaseserver sshd[356857]: Received disconnect from 106.13.27.156 port 46746:11: Bye Bye [preauth]
Apr 25 08:27:51 databaseserver sshd[356857]: Disconnected from authenticating user root 106.13.27.156 port 46746 [preauth]
Apr 25 08:27:58 databaseserver sshd[356859]: Invalid user webmaster from 161.97.185.33 port 56430
Apr 25 08:27:58 databaseserver sshd[356859]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:27:58 databaseserver sshd[356859]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=161.97.185.33
Apr 25 08:28:01 databaseserver sshd[356859]: Failed password for invalid user webmaster from 161.97.185.33 port 56430 ssh2
Apr 25 08:28:03 databaseserver sshd[356859]: Received disconnect from 161.97.185.33 port 56430:11: Bye Bye [preauth]
Apr 25 08:28:03 databaseserver sshd[356859]: Disconnected from invalid user webmaster 161.97.185.33 port 56430 [preauth]
Apr 25 08:28:04 databaseserver sshd[356862]: Invalid user user from 182.208.252.91 port 48614
Apr 25 08:28:04 databaseserver sshd[356862]: pam_unix(sshd:auth): check pass; user unknown
Apr 25 08:28:04 databaseserver sshd[356862]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.208.252.91
Apr 25 08:28:06 databaseserver sshd[356862]: Failed password for invalid user user from 182.208.252.91 port 48614 ssh2
Apr 25 08:28:07 databaseserver sshd[356862]: Received disconnect from 182.208.252.91 port 48614:11: Bye Bye [preauth]
Apr 25 08:28:07 databaseserver sshd[356862]: Disconnected from invalid user user 182.208.252.91 port 48614 [preauth]
Apr 25 08:28:10 databaseserver sshd[356864]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=14.102.112.178 user=root
Why are there so many SSH login attempts in auth.log?
Because you shouldn't open SSH to the whole internet, whether with key authentication or on a non-standard port. It is an inherently flawed practice that avoids catastrophic consequences only until the next serious 0-day vulnerability in openssh-server is discovered.