On 07/01/2017 09:14 PM, William Mattison wrote:
Today (Saturday), I booted up only once, logged in only once as my primary common user, and then a short while ago logged in to an different account with adequate privileges to view the journalctl. With over 12 hours as a common user, I hoped that searching the journalctl would be simpler. I hoped!
Try "journalctl -b -u sshd". That will show you all the log entries from the ssh server since you last rebooted. There are other parameters you can use to limit to a single day, etc. "journalctl -r" can be helpful as well, it shows you the log entries starting from the most recent and going back in time.
In today's log, there were at least 148 occurrences of "authentication failure", 41 occurrences of "password check failed", 14 occurrences of "user=root", 27 occurrences of "user (root)", 270 occurrences of "invalid user", 1546 occurrences of "CRYPTO_KEY_USER", and 296 occurrences of "CRYPTO_SESSION". I saw the following "rhost=" ip addresses:
A nice collection from all around the world. :-)
I saw the following "user=" fields:
These are login attempts on accounts that exist on your system.
I saw the following "invalid user ______ " fields, most followed by "[preauth]":
These are login attempts on accounts that don't exist.
Here are a few relevant journalctl entries:
That's the typical logs from the automated brute force attempts.
I did use the firewall configuration tool to turn off public ssh. We'll see what difference that makes Monday. (I'll be out most of tomorrow.)
Make sure you told it to save the runtime config to permanent or those changes will go away when you reboot.
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
