I get a logwatch report delivered to me and for the last few days I have been seeing these types of entries.
Can anyone tell me what this is?
Should I be worried about this?
Is it normal?
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
<snip>
Invalid Users:
Unknown Account: 2394 Time(s)
su:
Sessions Opened:
(uid=0) -> root: 1 Time(s)
--------------------------------------------------------------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
<snip>
Received disconnect:
11: Bye Bye : 2499 Time(s)
SFTP subsystem requests: 5 Time(s)
**Unmatched Entries**
<snip>
This list then runs on for quite a length... So I'll just post this portion of it.
Any help appreciated on this.
[edited by: trillianjedi at 2:40 pm (utc) on Feb. 7, 2007]
[edit reason] Please remove any specifics, thanks.... [/edit]
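Added example, not part of the original thread: the logwatch totals above do not show whether any of the guesses succeeded, so this Python script reads the raw sshd lines and separates sources that are only guessing from a source that guessed and then logged in. The log lines are constructed samples in the usual OpenSSH syslog wording, and the function names and the `min_names` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the usual OpenSSH syslog wording (documentation IP ranges).
SAMPLE_LOG = """\
Feb  7 03:12:01 host sshd[4101]: Invalid user admin from 203.0.113.5
Feb  7 03:12:03 host sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Feb  7 03:12:04 host sshd[4101]: Received disconnect from 203.0.113.5: 11: Bye Bye
Feb  7 03:12:08 host sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 40188 ssh2
Feb  7 03:12:10 host sshd[4109]: Failed password for root from 203.0.113.5 port 40230 ssh2
Feb  7 09:30:11 host sshd[5200]: Failed password for alice from 198.51.100.7 port 51514 ssh2
Feb  7 09:30:19 host sshd[5200]: Accepted password for alice from 198.51.100.7 port 51514 ssh2
Feb  7 11:02:41 host sshd[6001]: Failed password for invalid user oracle from 192.0.2.44 port 33008 ssh2
Feb  7 11:02:44 host sshd[6002]: Failed password for root from 192.0.2.44 port 33010 ssh2
Feb  7 11:02:49 host sshd[6003]: Accepted password for root from 192.0.2.44 port 33012 ssh2
"""

# Anchored at end of line and greedy on the user field, so text inside a
# submitted username cannot be mistaken for the source address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(.*) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")

def summarize(log_text):
    """Per source address: failure count, names tried, unknown-account tries, logins."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "unknown": 0, "accepted": []})
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            invalid, user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            stats[ip]["unknown"] += 1 if invalid else 0
        elif m := ACCEPTED.search(line):
            stats[m.group(2)]["accepted"].append(m.group(1))
    return dict(stats)

def classify(entry, min_names=3):
    """min_names is an illustrative threshold, not a standard value."""
    guessing = entry["unknown"] > 0 or len(entry["users"]) >= min_names
    if guessing and entry["accepted"]:
        return "investigate"  # a login succeeded from a source that was guessing
    return "guessing" if guessing else "ordinary"

def report(log_text):
    return {ip: classify(entry) for ip, entry in summarize(log_text).items()}

if __name__ == "__main__":
    for ip, verdict in sorted(report(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

A source that only ever shows up as "guessing" is the background noise the report is counting; an "investigate" verdict is the case that needs a closer look at the account involved.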
Should I be worried about this?
Yes, hackers are trying to break into your server.
Is it normal?
Unfortunately yes. Most computers exposed to the web are scanned on the SSH and other vulnerable ports like FTP several times a day. As soon as a hacker has found a port that responds he'll try to break in. Some do it manually, others with a script with a dictionary attack, but the game is the same: try combinations of usernames and passwords to log in.
There are several ways to protect yourself against this: