repeated failing passwords in linux security log (/var/log/secure)

Posted by wallyk on Server Fault See other posts from Server Fault or by wallyk
Published on 2010-03-21T07:05:23Z Indexed on 2010/03/21 7:11 UTC
Read the original article Hit count: 643

Filed under:
|
|

Recently, I opened up the SSH port through my firewalls (and redirecting to my server) so I could check on the (http) server while on the road. The first week or two there was nothing different. But now, three or four weeks later, I see lots of this:

Mar 20 08:38:28 localhost sshd[21895]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net  user=root
Mar 20 08:38:31 localhost sshd[21895]: Failed password for root from 207.210.101.209 port 2854 ssh2
Mar 20 15:38:31 localhost sshd[21896]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:32 localhost unix_chkpwd[21900]: password check failed for user (root)
Mar 20 08:38:32 localhost sshd[21898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net  user=root
Mar 20 08:38:34 localhost sshd[21898]: Failed password for root from 207.210.101.209 port 3729 ssh2
Mar 20 15:38:35 localhost sshd[21899]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:36 localhost unix_chkpwd[21903]: password check failed for user (root)
Mar 20 08:38:36 localhost sshd[21901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net  user=root
Mar 20 08:38:38 localhost sshd[21901]: Failed password for root from 207.210.101.209 port 4313 ssh2
Mar 20 15:38:38 localhost sshd[21902]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:40 localhost unix_chkpwd[21906]: password check failed for user (root)
Mar 20 08:38:40 localhost sshd[21904]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net  user=root
Mar 20 08:38:42 localhost sshd[21904]: Failed password for root from 207.210.101.209 port 4869 ssh2
Mar 20 15:38:43 localhost sshd[21905]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 08:38:44 localhost unix_chkpwd[21909]: password check failed for user (root)
Mar 20 08:38:44 localhost sshd[21907]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mail.queued.net  user=root
Mar 20 08:38:46 localhost sshd[21907]: Failed password for root from 207.210.101.209 port 2512 ssh2
Mar 20 15:38:47 localhost sshd[21908]: Received disconnect from 207.210.101.209: 11: Bye Bye
Mar 20 15:38:57 localhost sshd[21912]: Connection closed by 207.210.101.209

There are about 1100 lines of these for March 20th, zero for the 19th, and 800 or so for the 18th—all related to the same IP.

What does it mean? What should I do? Why isn't it chronological?

© Server Fault or respective owner

Related posts about redhat

Related posts about security