Today (Saturday), I booted up only once, logged in only once as my primary common user, and then a short while ago logged in to a different account with adequate privileges to view the journalctl. With over 12 hours as a common user, I hoped that searching the journalctl would be simpler. I hoped!

In today's log, there were at least 148 occurrences of "authentication failure", 41 occurrences of "password check failed", 14 occurrences of "user=root", 27 occurrences of "user (root)", 270 occurrences of "invalid user", 1546 occurrences of "CRYPTO_KEY_USER", and 296 occurrences of "CRYPTO_SESSION".

I saw the following "rhost=" IP addresses:

62.176.5.7
36.250.77.36
5.196.67.128
91.232.157.98
5.101.40.10
91.197.232.103

I saw the following "user=" fields:

root operator ftp mysql games

I saw the following "invalid user ______ " fields, most followed by "[preauth]":

share user docker vsftpd arma3server nagios PlcmSpIp samba cs csgoserver
ftpuser osama admin monte pi monitor debian guest ubnt osmc odroid mobile
ts steam 0 0000 010101 1111 1234 api dbadmin mc default git gpadmin
service support sysadmin telecomadmin telnet test ubnt user user1 jboss

> Can you show us the full text of some representative messages (perhaps
> replacing any IP addresses with placeholders for privacy purposes)?

Here are a few relevant journalctl entries:

Jul 01 11:49:52 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:52 xxxxxxxxxx unix_chkpwd[10411]: password check failed for user (root)
Jul 01 11:49:52 xxxxxxxxxx sshd[10407]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:49:52 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Failed password for root from 36.250.77.36 port 51702 ssh2
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: USER_AUTH pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: Connection closed by 36.250.77.36 port 51702 [preauth]
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10408 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=10408 suid=74 rport=51702 laddr=xxxxxxxxxxxxxx lport=xx exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx sshd[10407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36 user=root
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:82:79:d0:65:d5:4a:2b:06:07:dd:ad:07:28:cc:a6:a0:e3:12:12:6a:f1:ae:64:91:d2:b1:68:42:55:f7:77:38 direction=? spid=10407 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c7:c1:32:3a:be:0f:e3:c2:4a:f3:d3:5b:46:f8:38:93:6a:b7:e1:6b:e4:a0:72:e8:ea:fd:63:89:31:5b:d4:87 direction=? spid=10407 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:77:7e:93:19:a5:60:e0:fa:79:bd:e7:85:ad:e0:b5:8c:b3:fe:6d:9b:e1:a8:9b:a7:45:68:ef:76:dd:a7:f4:f2 direction=? spid=10407 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: CRYPTO_KEY_USER pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10407 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:54 xxxxxxxxxx audit[10407]: USER_LOGIN pid=10407 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:82:79:d0:65:d5:4a:2b:06:07:dd:ad:07:28:cc:a6:a0:e3:12:12:6a:f1:ae:64:91:d2:b1:68:42:55:f7:77:38 direction=? spid=10413 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:c7:c1:32:3a:be:0f:e3:c2:4a:f3:d3:5b:46:f8:38:93:6a:b7:e1:6b:e4:a0:72:e8:ea:fd:63:89:31:5b:d4:87 direction=? spid=10413 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:77:7e:93:19:a5:60:e0:fa:79:bd:e7:85:ad:e0:b5:8c:b3:fe:6d:9b:e1:a8:9b:a7:45:68:ef:76:dd:a7:f4:f2 direction=? spid=10413 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10413]: CRYPTO_KEY_USER pid=10413 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10413 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10412]: CRYPTO_SESSION pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-sha2-256 pfs=diffie-hellman-group-exchange-sha256 spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:55 xxxxxxxxxx audit[10412]: CRYPTO_SESSION pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-sha2-256 pfs=diffie-hellman-group-exchange-sha256 spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:49:57 xxxxxxxxxx unix_chkpwd[10414]: password check failed for user (root)
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36 user=root
Jul 01 11:49:57 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:49:59 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:49:59 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:00 xxxxxxxxxx unix_chkpwd[10415]: password check failed for user (root)
Jul 01 11:50:00 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:50:00 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:02 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:02 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:02 xxxxxxxxxx unix_chkpwd[10416]: password check failed for user (root)
Jul 01 11:50:02 xxxxxxxxxx sshd[10412]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 01 11:50:02 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=36.250.77.36 addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: USER_AUTH pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=ssh res=failed'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: Connection closed by 36.250.77.36 port 9224 [preauth]
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: CRYPTO_KEY_USER pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:03:65:34:22:92:2c:17:22:fc:8a:b6:b5:e7:f3:ec:50:c3:62:42:73:ac:a9:70:34:88:dc:7d:a9:89:3f:5c:e9 direction=? spid=10413 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Jul 01 11:50:04 xxxxxxxxxx audit[10412]: CRYPTO_KEY_USER pid=10412 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=10413 suid=74 rport=9224 laddr=xxxxxxxxxxxxxx lport=xx exe="/usr/sbin/sshd" hostname=? addr=36.250.77.36 terminal=? res=success'
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36 user=root

Anything else?

I did use the firewall configuration tool to turn off public ssh. We'll see what difference that makes Monday. (I'll be out most of tomorrow.)

thanks, Bill.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
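As an added example (not part of Bill's mail or anything from the list), the script below does the per-address and per-account counting that the mail did by hand over constructed journalctl lines in the same sshd format, and shows why grepping every message type inflates the totals: each attempt produces a USER_AUTH, a unix_chkpwd and a pam_unix line as well as the one "Failed password" line. The sample lines and the second source address 203.0.113.9 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the sshd messages quoted in the mail (hostname
# masked the same way); 203.0.113.9 is a documentation address added as a second source.
SAMPLE_LOG = """\
Jul 01 11:49:57 xxxxxxxxxx sshd[10412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36 user=root
Jul 01 11:49:59 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:02 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: Failed password for root from 36.250.77.36 port 9224 ssh2
Jul 01 11:50:04 xxxxxxxxxx sshd[10412]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=36.250.77.36 user=root
Jul 01 12:03:11 xxxxxxxxxx sshd[10502]: Invalid user admin from 203.0.113.9 port 40022
Jul 01 12:03:13 xxxxxxxxxx sshd[10502]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Jul 01 12:03:15 xxxxxxxxxx sshd[10504]: Failed password for invalid user pi from 203.0.113.9 port 40030 ssh2
"""

# sshd writes exactly one "Failed password" line per attempt, for real and invalid
# accounts alike, so it is the one message type worth counting.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# pam_unix reports only the first failure of a connection, then "N more" at close;
# first + N should equal the "Failed password" count for the same source.
PAM_FIRST_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.* rhost=(?P<ip>\S+)")
PAM_MORE_RE = re.compile(r"PAM (?P<n>\d+) more authentication failures;.* rhost=(?P<ip>\S+)")


def summarize(log_text):
    """Failed SSH password attempts per source address and per account name,
    with the pam_unix totals per source as a cross-check."""
    by_ip, by_user, pam_total = Counter(), Counter(), Counter()
    invalid_users = set()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
            if m["invalid"]:
                invalid_users.add(m["user"])
        elif m := PAM_FIRST_RE.search(line):
            pam_total[m["ip"]] += 1
        elif m := PAM_MORE_RE.search(line):
            pam_total[m["ip"]] += int(m["n"])
    return {"by_ip": by_ip, "by_user": by_user,
            "invalid_users": invalid_users, "pam_total": pam_total}
```

On real data, feed it the output of journalctl -u sshd (or the whole journal) instead of SAMPLE_LOG; a mismatch between pam_total and by_ip for a source means the excerpt is missing lines or the connection was still open at the end of the log.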