  #1

    Need help understanding "secure" log sshd hack attempts


    Below I have listed 6 lines from the "secure" log. I have several questions about reading these lines:

    1) The 1st line mentions port 50184. Has the intruder requested this port or has my machine opened this port based on the sshd attempt from the intruder?
    Note: port 50184 is not open on my machine, it is stealth per grc.com port checker service.
    2) What is line #3 (check pass; user unknown) actually telling me?
    3) Why is line #5 saying "failed password" when the user is invalid? If the user is invalid why is it allowing a password to be entered?

    Any assistance will be most helpful.

    I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.

    >>secure log lines<<
    Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
    Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
    Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
    Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
    Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
    Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]

    Lines like these appear hundreds of times, each IP only making one attempt, and all using different user names, and different ports.
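    As an added example (not part of the thread, and not the forum's or OpenSSH's own code), a small Python parser for "Failed password" lines like the ones above. It counts failed logins per source IP, which is the check that separates one host retrying against the server from the pattern described in this post, many hosts making a single attempt each. The two extra addresses are constructed from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Matches the sshd "Failed password" line. The port at the end is the client's
# ephemeral source port (the attacker's side of the TCP connection), not a
# listener that the server opened.
FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Sample input: the six lines quoted in the post, plus two constructed lines
# (RFC 5737 documentation addresses) to show the many-sources-one-try pattern.
SAMPLE_LOG = """\
Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]
Jul 2 13:31:12 localhost sshd[32044]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Jul 2 13:32:40 localhost sshd[32061]: Failed password for invalid user test from 203.0.113.9 port 55910 ssh2
""".splitlines()


def parse_failed_logins(lines):
    """Return one (ip, user, src_port) tuple per 'Failed password' line."""
    out = []
    for line in lines:
        m = FAILED_PW.search(line)
        if m:
            out.append((m["ip"], m["user"], int(m["port"])))
    return out


def summarize_by_ip(attempts):
    """Map each source IP to (attempt count, set of usernames tried)."""
    per_ip = defaultdict(lambda: [0, set()])
    for ip, user, _port in attempts:
        per_ip[ip][0] += 1
        per_ip[ip][1].add(user)
    return {ip: (n, users) for ip, (n, users) in per_ip.items()}


def classify(per_ip, min_sources=3):
    """'repeat' if any IP retried (a per-IP firewall block helps here);
    'distributed' if many IPs made one attempt each (a per-IP block never
    fires, which is why key-only auth is the fix); 'quiet' otherwise."""
    if any(n > 1 for n, _ in per_ip.values()):
        return "repeat"
    if len(per_ip) >= min_sources:
        return "distributed"
    return "quiet"


if __name__ == "__main__":
    summary = summarize_by_ip(parse_failed_logins(SAMPLE_LOG))
    for ip, (n, users) in summary.items():
        print(f"{ip}: {n} attempt(s), users tried: {sorted(users)}")
    print("pattern:", classify(summary))
```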

  #2
    Quote Originally Posted by switcher1
    Below I have listed 6 lines from the "secure" log. I have several questions about reading these lines:

    1) The 1st line mentions port 50184. Has the intruder requested this port or has my machine opened this port based on the sshd attempt from the intruder?
    Note: port 50184 is not open on my machine, it is stealth per grc.com port checker service.
    not sure what's not clear: it's telling you that someone tried the user id demo on that port.
    2) What is line #3 (check pass; user unknown) actually telling me?
    aside from the bleedingly-obvious 'user unknown'? dunno, maybe it's saying THE USER IS UNKNOWN?
    3) Why is line #5 saying "failed password" when the user is invalid? If the user is invalid why is it allowing a password to be entered?
    because it'll prompt for a password regardless. since the user isn't there the password sure isn't either, is it?
    Any assistance will be most helpful.

    I am trying to understand why I am getting hundreds of sshd attempts (my ssh port is an unusual high number) but each IP attempting to ssh into my machine is making only one attempt. I would expect a single IP to make several attempts if not hundreds, but not just one attempt.

    >>secure log lines<<
    Jul 2 13:29:58 localhost sshd[32019]: Invalid user demo from 45.252.248.108 port 50184
    Jul 2 13:29:58 localhost sshd[32019]: input_userauth_request: invalid user demo [preauth]
    Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): check pass; user unknown
    Jul 2 13:29:58 localhost sshd[32019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.252.248.108
    Jul 2 13:30:00 localhost sshd[32019]: Failed password for invalid user demo from 45.252.248.108 port 50184 ssh2
    Jul 2 13:30:00 localhost sshd[32019]: Connection closed by 45.252.248.108 port 50184 [preauth]

    Lines like these appear hundreds of times, each IP only making one attempt, and all using different user names, and different ports.
    right, because that's what a hack attempt is. try different generic user ids like demo, test and other crap, with generic passwords, to try to gain a foothold. did you look up where that address is from? lots of geoip databases tell you its from Vietnam. know anyone there?

    don't run/expose ssh to the outside world period. that's why vpns were invented.

  #3
    Your sarcasm is unmatched, and you've missed the point several times. (i.e., I certainly understand what "unknown user" means, but when combined with "check pass", I was a bit confused.) Also, the port in the first question is the hacker's port on their machine, not mine. You should have known that. I found that out from another "more helpful" source.
    You would be advised to stop replying to posts if you cannot be civil.
    Was there never a time when you needed help with Linux cryptic messages?
    I do know how to check the source IP, and often reply with logs to the owner of the IP's. Of course you should know that finding the source country is not relevant in solving this particular issue.
    In this case you failed to read that each IP appears once and only once in the log. So they are not trying with different user names and passwords, but only try one user name and password, then quit.
    When an IP repeats attempts I do know how to block it in the firewall. I am simply not familiar with hundreds of single IP attempts. So excuse my ignorance - and I really care not if you don't.
    As far as VPN, I have my own vpn, both server and client at my location and use both. I use them constantly. Your comments are made with no knowledge of everything I do with my systems, and the capabilities I utilize. You are ignorant.
    I post in Newbie not because I am a Linux newbie, but because I do not use this forum very much.
    Trust, I will NEVER post here again!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I will not return for any replies. If I am banned for an honest response, it will be no loss.
    I thought the forum was to help the inexperienced without such sarcasm!!

  #4
    I forgot to mention, that the other "more helpful" source brought to my attention the use of key authorization instead of password. With that tip, after some research, I have now implemented key authorization, eliminated passwords, and resolved my entire issue.
    That was quality help, not just sarcasm.

  #5
    I don't think you'll get banned. Or him. There is no one moderating the forum.

    Think of this place as a nuclear wasteland. Maybe you'll find something valuable, but most of the time it's just raiders and horribly mutated animals.

  #6
    Quote Originally Posted by switcher1
    Your sarcasm is unmatched, and you've missed the point several times. (i.e., I certainly understand what "unknown user" means, but when combined with "check pass", I was a bit confused.) Also, the port in the first question is the hacker's port on their machine, not mine. You should have known that. I found that out from another "more helpful" source.
    You would be advised to stop replying to posts if you cannot be civil.
    love it or shove it.
    Was there never a time when you needed help with Linux cryptic messages?
    not much 'cryptic' about those. plain english isn't hard to read.
    I do know how to check the source IP, and often reply with logs to the owner of the IP's. Of course you should know that finding the source country is not relevant in solving this particular issue.
    since you didn't understand what plain english meant in those log messages why would we think you'd know that?
    In this case you failed to read that each IP appears once and only once in the log. So they are not trying with different user names and passwords, but only try one user name and password, then quit.
    right; basic hacking, since most systems will start to flag ips and auto deny if they're setup right. spoof ip address = more tries.
    When an IP repeats attempts I do know how to block it in the firewall. I am simply not familiar with hundreds of single IP attempts. So excuse my ignorance - and I really care not if you don't.
    would you understand it better if it was 1000 attempts from the same address, instead of 1 tried from 1000 addresses?
    As far as VPN, I have my own vpn, both server and client at my location and use both. I use them constantly. Your comments are made with no knowledge of everything I do with my systems, and the capabilities I utilize. You are ignorant.
    I post in Newbie not because I am a Linux newbie, but because I do not use this forum very much.
    Trust, I will NEVER post here again!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I will not return for any replies. If I am banned for an honest response, it will be no loss.
    I thought the forum was to help the inexperienced without such sarcasm!!
    yea you're not a newbie but you can't understand a plain english log message? sure. you have a vpn, but keep ssh open to the outside? sure. and you 'implemented key authorization', and you ACTUALLY BELIEVE that your issue is resolved? sure.

    thanks for playing.
