On 29Jun2017 22:28, William Mattison <mattison.computer@xxxxxxxxx> wrote:
> While looking at journalctl output yesterday and today for other reasons
> (separate thread), I saw many "authentication failure" messages, over half
> also saying "user=root". I also saw many "password check failed for user
> (root)" messages. I saw many unknown user login attempts, and a few invalid
> user login attempts, and some attempts using one of the valid regular user
> names. Why? I am not yet good at reading journalctl output, so I don't know
> if these connection attempts are coming from "outside" or within this system.
> I don't know if I should be concerned or not. I do not intend anyone or
> anything to be able to get in to this system except for things that I initiate
> (examples: Firefox activity, Thunderbird activity, "dnf upgrade", installs,
> etc.). And it doesn't make sense to me that any of those would be trying to
> log in to this system to do what I want. I also don't see why anything on
> this system would try to log in to this same system except me personally (su,
> sudo, and actual logins). I am the only actual user.
Can you show us the full text of some representative messages (perhaps
replacing any IP addresses with placeholders for privacy purposes)?
Are they from ssh?
Does your machine have a publicly reachable IP address?
If both of the above are true, I would be concerned about the text "password
check failed for user", because that would suggest that your sshd is _not_
locked down. Here, we routinely lock down ssh to (a) not accept password
authentication (b) _not_ PermitRootLogin and (c) allow only a fixed set of
AllowedUsers. This applies to all our machines.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
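As an added example (not code from either message in this thread), here is a small POSIX shell audit that reads an sshd_config text and reports which of the three lockdown settings above are missing; the sample configs are constructed, the user name "william" is a placeholder, and the directive is spelled AllowUsers in sshd_config.

```shell
# Added example, not from the thread: audit an sshd_config for the three
# lockdown settings described above. sshd keeps the FIRST value it reads for a
# keyword, so we take the first match (case-insensitive) and stop at the first
# Match block. Check the live daemon's effective settings with: sshd -T

# first_value CONFIG_TEXT KEYWORD -> first value of KEYWORD, lowercased, or nothing
first_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match" { exit }                  # conditional block: stop here
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd_config CONFIG_TEXT -> one line per finding on stdout (none = locked down)
audit_sshd_config() {
    pa=$(first_value "$1" PasswordAuthentication)
    prl=$(first_value "$1" PermitRootLogin)
    au=$(first_value "$1" AllowUsers)
    # (a) password authentication defaults to yes when the directive is absent
    [ "${pa:-yes}" = "no" ] || echo "PasswordAuthentication is '${pa:-unset}': set it to no"
    # (b) only 'no' refuses root entirely; the default prohibit-password still allows keys
    [ "${prl:-prohibit-password}" = "no" ] || echo "PermitRootLogin is '${prl:-unset}': set it to no"
    # (c) without AllowUsers every account with a valid shell may attempt a login
    [ -n "$au" ] || echo "AllowUsers is unset: list the accounts that may log in"
}

# finding_count CONFIG_TEXT -> number of findings (0 means all three are in place)
finding_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

# Constructed sample configs (placeholders, not taken from any real machine).
WEAK_CONFIG='# stock-style config: root allowed, password auth left at its default
PermitRootLogin yes
#PasswordAuthentication no'
HARD_CONFIG='PasswordAuthentication no
PermitRootLogin no
AllowUsers william
Match Address 192.0.2.0/24
    PasswordAuthentication yes'

echo "weak config: $(finding_count "$WEAK_CONFIG") finding(s)"; audit_sshd_config "$WEAK_CONFIG"
echo "hard config: $(finding_count "$HARD_CONFIG") finding(s)"
```

Run it against a copy of /etc/ssh/sshd_config with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; since Match blocks are skipped, confirm the result with `sshd -T` on the host itself.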
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx