Question

Are repeated and continuous login attempts from unauthorised sources normal?

Three days ago I created my very first droplet. I have long been impressed by the quality of tutorials presented by the DigitalOcean community, and so when I was looking for a new VPS I checked out DigitalOcean and saw that their prices were very competitive. So I created a droplet and began working to install groupserver for a local not-for-profit community I’m part of.

Today I happened to check the auth.log and discovered that there have been continuous unauthorised attempts to log in to my droplet since the very moment of its creation!!

How is this possible? Is it normal for DigitalOcean droplets to be the target of such a sustained attack? And what can I do about it?

Below is the START of the auth.log from the moment I created the droplet and the server came online.

```
Aug 2 14:35:48 systemd-logind[1288]: Watching system buttons on /dev/input/event0 (Power Button)
Aug 2 14:35:48 systemd-logind[1288]: New seat seat0.
Aug 2 14:35:50 sshd[1507]: Server listening on 0.0.0.0 port 22.
Aug 2 14:35:50 sshd[1507]: Server listening on :: port 22.
Aug 2 14:35:52 sshd[1507]: Received signal 15; terminating.
Aug 2 14:35:52 sshd[1525]: Server listening on 0.0.0.0 port 22.
Aug 2 14:35:52 sshd[1525]: Server listening on :: port 22.
Aug 2 14:37:05 sshd[1567]: Connection closed by 59.110.243.0 port 58206 [preauth]
Aug 2 14:38:48 sshd[1569]: Invalid user upload from 107.170.61.156
Aug 2 14:38:48 sshd[1569]: input_userauth_request: invalid user upload [preauth]
Aug 2 14:38:48 sshd[1569]: Received disconnect from 107.170.61.156 port 49708:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:38:48 sshd[1569]: Disconnected from 107.170.61.156 port 49708 [preauth]
Aug 2 14:41:38 sshd[1572]: Connection closed by 59.110.243.0 port 34524 [preauth]
Aug 2 14:42:02 sshd[1574]: Connection closed by 101.200.52.128 port 41304 [preauth]
Aug 2 14:43:13 sshd[1576]: Invalid user upload from 107.170.61.156
Aug 2 14:43:13 sshd[1576]: input_userauth_request: invalid user upload [preauth]
Aug 2 14:43:14 sshd[1576]: Received disconnect from 107.170.61.156 port 54282:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:43:14 sshd[1576]: Disconnected from 107.170.61.156 port 54282 [preauth]
Aug 2 14:46:10 sshd[1578]: Connection closed by 59.110.243.0 port 39074 [preauth]
Aug 2 14:46:51 sshd[1580]: Connection closed by 139.219.224.129 port 1200 [preauth]
Aug 2 14:47:35 sshd[1582]: Invalid user deploy from 107.170.61.156
Aug 2 14:47:35 sshd[1582]: input_userauth_request: invalid user deploy [preauth]
Aug 2 14:47:36 sshd[1582]: Received disconnect from 107.170.61.156 port 58842:11: Normal Shutdown, Thank you for playing [preauth]
Aug 2 14:47:36 sshd[1582]: Disconnected from 107.170.61.156 port 58842 [preauth]
Aug 2 14:48:48 login[1410]: pam_unix(login:auth): check pass; user unknown
Aug 2 14:48:48 login[1410]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Aug 2 14:48:51 login[1410]: FAILED LOGIN (1) on ‘/dev/tty1’ FOR ‘UNKNOWN’, Authentication failure
```

Similar login attempts have been repeated continuously from this time and are still occurring. There are 123 different offending IP addresses and I’m wondering if this is ‘normal’ or if it is caused by some misconfiguration on my part?

There have been no successful logins from unauthorised sources.



It’s normal. As long as you use a strong password (or, even better, a public key), you’ll be fine.
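
The two figures the question reports (how many distinct addresses are probing, and whether any login succeeded) can be pulled out of auth.log with a short script. This is an added example, not part of the original thread: the function name `summarize_auth_log` is hypothetical, and the sample lines are a subset of the log quoted in the question.

```python
import re
from collections import Counter

# sshd message shapes seen in the log quoted in the question. Newer OpenSSH
# versions append " port N" to "Invalid user" lines, so that part is optional.
# The greedy (.*) anchored at end-of-line keeps a client-supplied username
# containing " from " from being mistaken for the source address.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (.*) from (\S+)(?: port \d+)?$")
PREAUTH_CLOSE = re.compile(r"sshd\[\d+\]: Connection closed by (\S+) port \d+ \[preauth\]")
# A successful login is logged by sshd as "Accepted <method> for <user> from <ip> port <n>".
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize_auth_log(lines):
    """Tally unauthenticated probes per source and collect successful logins."""
    sources, usernames, accepted = Counter(), Counter(), []
    for raw in lines:
        line = raw.rstrip()
        if m := INVALID_USER.search(line):
            user, ip = m.groups()
            sources[ip] += 1
            usernames[user] += 1
        elif m := PREAUTH_CLOSE.search(line):
            sources[m.group(1)] += 1
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    return {"sources": sources, "usernames": usernames, "accepted": accepted}

# Subset of the auth.log lines quoted in the question.
SAMPLE = """\
Aug 2 14:37:05 sshd[1567]: Connection closed by 59.110.243.0 port 58206 [preauth]
Aug 2 14:38:48 sshd[1569]: Invalid user upload from 107.170.61.156
Aug 2 14:38:48 sshd[1569]: input_userauth_request: invalid user upload [preauth]
Aug 2 14:38:48 sshd[1569]: Disconnected from 107.170.61.156 port 49708 [preauth]
Aug 2 14:41:38 sshd[1572]: Connection closed by 59.110.243.0 port 34524 [preauth]
Aug 2 14:42:02 sshd[1574]: Connection closed by 101.200.52.128 port 41304 [preauth]
Aug 2 14:47:35 sshd[1582]: Invalid user deploy from 107.170.61.156
""".splitlines()

if __name__ == "__main__":
    report = summarize_auth_log(SAMPLE)
    print("distinct probing sources:", len(report["sources"]))
    for ip, count in report["sources"].most_common():
        print(f"  {ip}: {count}")
    print("usernames tried:", dict(report["usernames"]))
    # Any entry here should match a login you recognise as your own.
    print("accepted logins:", report["accepted"] or "none")
```

To run it against the real file, pass `open("/var/log/auth.log", errors="replace")` in place of `SAMPLE`; every entry under accepted logins should be one you can account for.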