Logs show lots of user attempts from unknown IP

Posted by rodling on Server Fault See other posts from Server Fault or by rodling
Published on 2013-11-08T21:07:13Z Indexed on 2013/11/08 21:57 UTC
Read the original article Hit count: 180

Filed under:
|

I lost access to my instance which I host on AWS. Keypairing stopped to work. I detached a volume and attached it to a new instance and what I found in logs was a long list of

Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: Invalid user cyrus from 210.193.52.113
Nov  6 20:15:32 domU-12-31-39-01-7E-8A sshd[4925]: input_userauth_request: invalid user cyrus [preauth]
Nov  6 20:15:33 domU-12-31-39-01-7E-8A sshd[4925]: Received disconnect from 210.193.52.113: 11: Bye Bye [preauth]

Where "cyrus" is changed by hundreds if not thousands of common names and items. What could this be? Brute force attack or something else malicious? I traced IP to Singapore, and I have no connection to Singapore.

May thought is that this was a DoS attack since I lost access and server seemed to stop working. Im not to versed on this, but ideas and solutions for this issue are welcome.

© Server Fault or respective owner

Related posts about amazon-web-services

Related posts about Cloud