Are repeated and continuous login attempts from unauthorised sources normal?

August 5, 2017
DigitalOcean Firewall Logging Ubuntu

Three days ago I created my very first droplet. I have long been impressed by the quality of tutorials presented by the DigitalOcean community, so when I was looking for a new VPS I checked out DigitalOcean and saw that their prices were very competitive. So I created a droplet and began working to install GroupServer for a local not-for-profit community I'm part of.

Today I happened to check the auth.log and discovered that there have been continuous unauthorised attempts to log in to my droplet since the very moment of its creation!!

How is this possible? Is it normal for DigitalOcean droplets to be the target of such a sustained attack? And what can I do about it?

Below is the START of the auth.log from the moment I created the droplet and the server came online.

Aug 2 14:35:48 systemd-logind[1288]: Watching system buttons on /dev/input/event0 (Power Button)
Aug 2 14:35:48 systemd-logind[1288]: New seat seat0.
Aug 2 14:35:50 sshd[1507]: Server listening on 0.0.0.0 port 22.
Aug 2 14:35:50 sshd[1507]: Server listening on :: port 22.
Aug 2 14:35:52 sshd[1507]: Received signal 15; terminating.
Aug 2 14:35:52 sshd[1525]: Server listening on 0.0.0.0 port 22.
Aug 2 14:35:52 sshd[1525]: Server listening on :: port 22.
Aug 2 14:37:05 sshd[1567]: Connection closed by 59.110.243.0 port 58206 [preauth]
Aug 2 14:38:48 sshd[1569]: Invalid user upload from 107.170.61.156
Aug 2 14:38:48 sshd[1569]: input_userauth_request: invalid user upload [preauth]
Aug 2 14:38:48 sshd[1569]: Received disconnect from 107.170.61.156 port 49708:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:38:48 sshd[1569]: Disconnected from 107.170.61.156 port 49708 [preauth]
Aug 2 14:41:38 sshd[1572]: Connection closed by 59.110.243.0 port 34524 [preauth]
Aug 2 14:42:02 sshd[1574]: Connection closed by 101.200.52.128 port 41304 [preauth]
Aug 2 14:43:13 sshd[1576]: Invalid user upload from 107.170.61.156
Aug 2 14:43:13 sshd[1576]: input_userauth_request: invalid user upload [preauth]
Aug 2 14:43:14 sshd[1576]: Received disconnect from 107.170.61.156 port 54282:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:43:14 sshd[1576]: Disconnected from 107.170.61.156 port 54282 [preauth]
Aug 2 14:46:10 sshd[1578]: Connection closed by 59.110.243.0 port 39074 [preauth]
Aug 2 14:46:51 sshd[1580]: Connection closed by 139.219.224.129 port 1200 [preauth]
Aug 2 14:47:35 sshd[1582]: Invalid user deploy from 107.170.61.156
Aug 2 14:47:35 sshd[1582]: input_userauth_request: invalid user deploy [preauth]
Aug 2 14:47:36 sshd[1582]: Received disconnect from 107.170.61.156 port 58842:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:47:36 sshd[1582]: Disconnected from 107.170.61.156 port 58842 [preauth]
Aug 2 14:48:48 login[1410]: pam_unix(login:auth): check pass; user unknown
Aug 2 14:48:48 login[1410]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 2 14:48:51 login[1410]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure

Similar login attempts have been repeated continuously from this time and are still occurring.
There are 123 different offending IP addresses and I'm wondering if this is 'normal' or if it is caused by some misconfiguration on my part?

There have been no successful logins from unauthorised sources.

1 Answer

It's normal. As long as you use a strong password (or even better, a public key), you'll be fine.
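
A way to check the two things the question asks about, how many distinct sources are knocking and whether any login actually succeeded, as an added example that is not part of the original thread. The function name `summarize` and the last two sample lines are constructed for this illustration.

```python
import re
from collections import Counter

# The first five lines are copied from the question's log; the last two are
# constructed for this example (198.51.100.9 and 203.0.113.7 are
# documentation addresses, "admin" is a made-up account).
SAMPLE = """\
Aug 2 14:37:05 sshd[1567]: Connection closed by 59.110.243.0 port 58206 [preauth]
Aug 2 14:38:48 sshd[1569]: Invalid user upload from 107.170.61.156
Aug 2 14:43:13 sshd[1576]: Invalid user upload from 107.170.61.156
Aug 2 14:46:51 sshd[1580]: Connection closed by 139.219.224.129 port 1200 [preauth]
Aug 2 14:47:35 sshd[1582]: Invalid user deploy from 107.170.61.156
Aug 2 15:02:10 sshd[1601]: Failed password for root from 198.51.100.9 port 40122 ssh2
Aug 2 15:10:44 sshd[1620]: Accepted publickey for admin from 203.0.113.7 port 51514 ssh2
"""

# Match on the sshd tag so lines with or without a hostname field both parse.
SSHD = re.compile(r"sshd\[\d+\]: (.*)")
PATTERNS = [
    # Greedy user group: the address is whatever follows the LAST " from ",
    # so a username containing " from 1.2.3.4" cannot spoof the source.
    ("invalid", re.compile(r"Invalid user (.*) from (\S+)(?: port \d+)?$")),
    ("failed", re.compile(r"Failed \S+ for (?:invalid user )?(.*) from (\S+) port \d+")),
    ("probe", re.compile(r"Connection closed by (?:(?:authenticating|invalid) "
                         r"user (\S+) )?(\S+) port \d+ \[preauth\]")),
    ("accepted", re.compile(r"Accepted \S+ for (\S+) from (\S+)")),
]

def summarize(lines):
    """Count unauthenticated attempts per source and list accepted logins."""
    attempts, users, accepted = Counter(), Counter(), []
    for line in lines:
        tagged = SSHD.search(line)
        if not tagged:
            continue
        for kind, rx in PATTERNS:
            hit = rx.match(tagged.group(1))
            if not hit:
                continue
            user, ip = hit.groups()
            if kind == "accepted":
                accepted.append((user, ip))  # compare against expected admins
            else:
                attempts[ip] += 1
                if user:
                    users[user] += 1
            break
    return {"sources": len(attempts), "attempts": attempts,
            "users": users, "accepted": accepted}
```

Feed it the lines of `/var/log/auth.log`; the `accepted` list is the part that matters, since every entry there should be an account and address you recognise.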
