I just created my DigitalOcean account a few days ago, and I just found that there are a very large number of root login failures logged in my /var/log/secure. It shows 67374 lines in that file. For instance, I only logged in once today but it shows lots of logins. The login attempts are performed by my own user. These are a few lines:
67366 Jul 3 22:33:59 lingvi sshd[28849]: Failed password for root from 43.255.188.145 port 55580 ssh2
67367 Jul 3 22:33:59 lingvi sshd[28849]: Received disconnect from 43.255.188.145: 11: [preauth]
67368 Jul 3 22:33:59 lingvi sshd[28849]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.145 user=root
67369 Jul 3 22:33:59 lingvi sshd[28851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.255.188.145 user=root
67370 Jul 3 22:33:59 lingvi sshd[28851]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
67371 Jul 3 22:34:01 lingvi sshd[28851]: Failed password for root from 43.255.188.145 port 42254 ssh2
67372 Jul 3 22:34:01 lingvi sshd[28851]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
67373 Jul 3 22:34:03 lingvi sshd[28851]: Failed password for root from 43.255.188.145 port 42254 ssh2
67374 Jul 3 22:34:04 lingvi sshd[28851]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

The logs are constantly increasing in an automated way. What could cause this?

2 answers

Hi,
They’re attempts to log in to SSH using brute-force attacks. Changing the port is not effective because an attacker can actually perform a port scan to see which service is listening on a given port. You can simply modify the SSH configuration file to block the root user, thus allowing only a user of your choice already added to the sudoers list. If attacks come from the same IP, you can block that IP with a simple rule of your firewall. If they come from a range of IPs, you can block that range as mentioned above. Usually these kinds of intrusion attempts are all due to botnets, but they can also come from a single host. If you have a control panel on your droplet and you don’t use SSH regularly, you can disable it by stopping the associated service. This also applies to other services, such as FTP.

  • “lingvi” is my own user name. What does this mean? Does that mean the attack is from 43.255.188.145 port 42254? Where to modify SSH configuration file?

    Every time I log in, I have to use ssh, right?

You can block the IP Address of the attacker using the UFW firewall for example:
sudo ufw deny from <ip address>

However, it would also be safe to follow some security measures that you’ll find in this article:
https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers
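As an added example (not part of the question or either answer), the Python script below reads sshd "Failed password" lines of the form shown in the question, counts failures per source IP and per target user, and prints the ufw deny commands from the answer above for any IP over a threshold so you can review them before applying. The log lines in it are constructed samples using documentation IP ranges, not the poster's real log.

```python
import re
from collections import Counter, defaultdict

# Matches the "Failed password" lines sshd writes to /var/log/secure (or auth.log).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample modelled on the question's excerpt (vim's ":set number"
# prefixes dropped); 203.0.113.5, 198.51.100.7 and 192.0.2.9 are documentation IPs.
SAMPLE_LOG = """\
Jul  3 22:33:59 lingvi sshd[28849]: Failed password for root from 203.0.113.5 port 55580 ssh2
Jul  3 22:33:59 lingvi sshd[28849]: Received disconnect from 203.0.113.5: 11: [preauth]
Jul  3 22:33:59 lingvi sshd[28851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Jul  3 22:34:01 lingvi sshd[28851]: Failed password for root from 203.0.113.5 port 42254 ssh2
Jul  3 22:34:03 lingvi sshd[28851]: Failed password for root from 203.0.113.5 port 42254 ssh2
Jul  3 22:34:10 lingvi sshd[28860]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jul  3 22:35:00 lingvi sshd[28870]: Accepted publickey for deploy from 192.0.2.9 port 51000 ssh2
Jul  3 22:35:30 lingvi sshd[28875]: Failed password for deploy from 192.0.2.9 port 51002 ssh2
"""

def failed_logins(text):
    """Yield (ip, user) for every failed-password line; other sshd lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user")

def summarize(text):
    """Return {ip: {"count": total failures, "users": Counter of targeted users}}."""
    per_ip = defaultdict(lambda: {"count": 0, "users": Counter()})
    for ip, user in failed_logins(text):
        per_ip[ip]["count"] += 1
        per_ip[ip]["users"][user] += 1
    return dict(per_ip)

def block_candidates(text, threshold=3):
    """IPs with at least `threshold` failures, rendered as ufw deny commands to review."""
    summary = summarize(text)
    hot = sorted(ip for ip, s in summary.items() if s["count"] >= threshold)
    return [f"sudo ufw deny from {ip}" for ip in hot]

if __name__ == "__main__":
    # Run against the real file with: open("/var/log/secure").read() in place of SAMPLE_LOG
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["count"], dict(s["users"]))
    print("\n".join(block_candidates(SAMPLE_LOG)))
```

A single failure from an address you recognise (the deploy user's own typo above) stays below the threshold, so only the repeated root attempts produce a deny rule.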
