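Over the three days of the year-end and New Year holidays, connection requests as root (to a server that is still being set up) reached several thousand. Just three days of logs came to 30000 lines.
ssh was still running on the default port.
However, cryptographic-key authentication had already been configured.
At the end, I include part of the log. (Information about my own site is masked.)
The locations of the hosts that sent connection requests are as follows. (A list is attached at the end.)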
Vietnam, United States, France, China, -(Amsterdam), Germany
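[Brief trend analysis]
1. Connection requests from China exceeded 5000 over the three days. They consistently try to connect as root while changing the port number.
The requests from Jiangsu, Nanjing and the requests from Jiangsu, Wuhan do not arrive at the same time. (The access continues while switching between the two.)
→ They are looking for a port that accepts connections as root.
If a port is found this way, I think the next step will be to try connecting while changing the root password.
They show no sign of giving up at all and keep repeating connection requests endlessly.
2. The connection requests from France came in with the user name pi and, after failing a few times, did not try anything else.
→ It looks as if they are searching for Raspberry Pi devices used for IoT that are connected to the net with their default settings.
3. The connection requests from Vietnam and from the Netherlands retry while changing the user name itself, to root, admin, 11111 and so on, and give up once they have run through the set.
4. The connection request from the United States is just a single line recording connection closed. What did it come for? Does sending a ping leave this log entry?
5. As for the connection requests from Germany, the requests from China stop while that access is going on. What does that mean?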
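The per-source tally behind a trend analysis like the one above can be produced mechanically from the sshd log. The following is an added example, not part of the original post: the sample lines are constructed in the same syslog format with documentation-range addresses, and the three labels are hypothetical names for the behaviours described in the list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd/syslog format of the excerpt on this page.
# The "port" value sshd logs in these lines is the remote client's source port.
SAMPLE_LOG = """\
Dec 30 10:01:18 host sshd[6520]: Invalid user admin from 203.0.113.7 port 36986
Dec 30 10:01:20 host sshd[6520]: Failed password for invalid user admin from 203.0.113.7 port 36986 ssh2
Dec 30 10:02:28 host sshd[6524]: Failed password for invalid user pi from 203.0.113.7 port 53194 ssh2
Dec 30 12:34:45 host sshd[7097]: Connection closed by 198.51.100.9 port 32906 [preauth]
Dec 30 19:07:37 host sshd[9716]: Failed password for root from 192.0.2.44 port 11385 ssh2
Dec 30 19:07:41 host sshd[9716]: message repeated 2 times: [ Failed password for root from 192.0.2.44 port 11385 ssh2]
Dec 30 19:08:42 host sshd[9720]: Failed password for root from 192.0.2.44 port 22035 ssh2
Dec 30 19:15:01 host CRON[9743]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# syslog collapses duplicates: "repeated N times" stands for N further copies.
REPEATED = re.compile(r"message repeated (?P<n>\d+) times: \[\s*(?P<msg>.*)\]\s*$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# A close/disconnect with no user name means no authentication was attempted.
NO_AUTH = re.compile(r"(?:Connection closed by|Disconnected from) (?P<ip>[0-9A-Fa-f:.]+) port \d+ \[preauth\]")


def summarize(log_text):
    """Per source IP: failed passwords, user names tried, sshd PIDs (connections)."""
    stats = defaultdict(lambda: {"failed": 0, "users": Counter(), "pids": set(), "no_auth": 0})
    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if not line:
            continue  # CRON and other daemons
        msg, times = line["msg"], 1
        rep = REPEATED.match(msg)
        if rep:
            msg, times = rep["msg"], int(rep["n"])
        hit = FAILED.match(msg)
        if hit:
            entry = stats[hit["ip"]]
            entry["failed"] += times
            entry["users"][hit["user"]] += times
        else:
            hit = NO_AUTH.match(msg)
            if not hit:
                continue
            entry = stats[hit["ip"]]
            entry["no_auth"] += 1
        entry["pids"].add(line["pid"])
    return dict(stats)


def classify(entry):
    """Hypothetical labels for the behaviours listed in the trend analysis."""
    if entry["failed"] == 0:
        return "connect-only"
    if set(entry["users"]) == {"root"}:
        return "root-only"
    return "username-guessing"


def report(log_text):
    return {ip: (classify(e), e["failed"], len(e["pids"]), sorted(e["users"]))
            for ip, e in summarize(log_text).items()}


if __name__ == "__main__":
    for ip, row in report(SAMPLE_LOG).items():
        print(ip, *row)
```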
———————
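I thought that if this kind of information were passed on to an analysis organization, it could be used to deter net crime.
The intrusion attempts from China are, above all, persistent.
Even if the port number is changed from the default, if they keep trying connections this persistently while changing it, the port number will be found sooner or later.
However, they are connecting with root as the root user name (our root is named neither root nor admin, but the name is not very elaborate, so it might be broken at around the third stage), so giving the root user a really elaborate name may also be one countermeasure.
That said, the password itself is quite hard to break (a checker rated it at the highest difficulty), so for the time being I feel that intrusion attempts at this level are being blocked. But I can't let my guard down. After all, they keep coming to break in, endlessly, so there may be a "coincidence" somewhere.
Before any of that, I should probably prohibit login as root and configure sudoers so that a two-step login is required.
We have not set this up yet, but password prompts should also be turned off, and perhaps all connection authentication should be by cryptographic key only.
Whether it is an IoT Raspberry Pi or a small server, I got the feeling that without countermeasures it will be broken into somewhere. A Raspberry Pi with default settings must be completely naked.
We would have to do something like restricting the IP addresses that are allowed to connect, but one little "slip" somewhere and even we would no longer be able to connect.
What an unpleasant world.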
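The countermeasures listed above (no root login, no password prompts, a restricted set of accounts and source addresses) can be checked against an sshd_config file. This is an added example, not the author's configuration: both sample files are constructed, the account name `deploy` and the finding labels are hypothetical, and the defaults are assumed to be upstream OpenSSH's.

```python
# Upstream OpenSSH defaults for keywords that are absent. Assumption: the
# distribution has not changed them; `sshd -T` prints the effective values.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK = """\
# constructed sample: password logins and root login still enabled
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED = """\
# constructed sample: key-only, no root, one account from one network
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowUsers deploy@192.0.2.0/24
"""


def parse_global(text):
    """Collect keyword -> [values] for the global section (before any Match).
    Include files are not followed in this sketch."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, []).append(parts[1].strip().lower() if len(parts) > 1 else "")
    return seen


def audit(text):
    """Return labels for settings that still allow what the post wants closed."""
    seen = parse_global(text)
    # sshd keeps the first value it reads for a single-valued keyword.
    cfg = {**DEFAULTS, **{k: v[0] for k, v in seen.items()}}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append("root-login")
    if cfg["passwordauthentication"] != "no":
        findings.append("password-auth")
    # With PAM enabled, keyboard-interactive can still ask for a password.
    if cfg["kbdinteractiveauthentication"] != "no" and cfg["usepam"] == "yes":
        findings.append("kbd-interactive-password")
    allow = " ".join(seen.get("allowusers", []))
    if not allow and "allowgroups" not in seen:
        findings.append("no-allow-list")
    elif allow and not all("@" in user for user in allow.split()):
        findings.append("allowusers-any-source")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

Before restarting sshd with a stricter file, `sshd -t` checks it for errors, and keeping an existing session open while testing a new login avoids the lockout the post worries about.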
Below is an excerpt of the raw logs used as analysis material.
IP addresses that sent connection requests during the three days
IP Address 27.78.14.83, 27.78.12.22
IP Reputation Check abuses from 27.78.14.83
NetRange 27.64.0.0 - 27.79.255.255
Organization Viettel Group
Name VIETTEL-VN
Geolocation Vietnam, An Giang, Hanoi
---------------
IP Address 159.203.193.44
IP Reputation Check abuses from 159.203.193.44
NetRange 159.203.0.0 - 159.203.255.255
Organization DigitalOcean, LLC
Name DIGITALOCEAN-12
Geolocation United States, California, San Francisco
---------------
IP Address 90.93.167.228
IP Reputation Check abuses from 90.93.167.228
NetRange 90.93.160.0 - 90.93.167.255
Organization POP Nantes
Name IP2000-ADSL-BAS
Geolocation France, Rhone-Alpes, La Roche
---------------
IP Address 218.92.0.205
IP Reputation Check abuses from 218.92.0.205
NetRange 218.90.0.0 - 218.94.255.255
Organization CHINANET jiangsu province network
Name CHINANET-JS
Geolocation China, Jiangsu, Nanjing
---------------
IP Address 112.85.42.195
IP Reputation Check abuses from 112.85.42.195
NetRange 112.80.0.0 - 112.87.255.255
Organization China Unicom Jiangsu province network
Name UNICOM-JS
Geolocation China, Jiangsu, Wuhan
---------------
IP Address 45.141.84.25
IP Reputation Check abuses from 45.141.84.25
NetRange 45.128.0.0 - 45.159.255.255
Organization RIPE Network Coordination Centre
Name RIPE
Geolocation OrgId: RIPE Address: P.O. Box 10096 City: Amsterdam
---------------
IP Address 178.6.196.33
IP Reputation Check abuses from 178.6.196.33
NetRange 178.6.0.0 - 178.6.255.255
Organization Vodafone D2 GmbH
Name VFDE-DSL-NET20
Geolocation Germany, Nordrhein-Westfalen, Übach-palenberg
---------------
Excerpt of the access log (raw data)
Dec 30 10:01:18 xxxx sshd[6520]: Invalid user Management from 27.78.14.83 port 36986
Dec 30 10:01:18 xxxx sshd[6520]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:01:18 xxxx sshd[6520]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.14.83
Dec 30 10:01:20 xxxx sshd[6520]: Failed password for invalid user Management from 27.78.14.83 port 36986 ssh2
Dec 30 10:01:21 xxxx sshd[6520]: Connection closed by invalid user Management 27.78.14.83 port 36986 [preauth]
Dec 30 10:02:26 xxxx sshd[6524]: Invalid user ftpuser from 27.78.12.22 port 53194
Dec 30 10:02:26 xxxx sshd[6524]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:02:26 xxxx sshd[6524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.12.22
Dec 30 10:02:28 xxxx sshd[6524]: Failed password for invalid user ftpuser from 27.78.12.22 port 53194 ssh2
Dec 30 10:02:29 xxxx sshd[6524]: Connection closed by invalid user ftpuser 27.78.12.22 port 53194 [preauth]
Dec 30 10:03:22 xxxx sshd[6531]: Invalid user admin from 27.78.14.83 port 48942
Dec 30 10:03:22 xxxx sshd[6531]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:03:22 xxxx sshd[6531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.14.83
Dec 30 10:03:24 xxxx sshd[6531]: Failed password for invalid user admin from 27.78.14.83 port 48942 ssh2
Dec 30 10:03:25 xxxx sshd[6531]: Connection closed by invalid user admin 27.78.14.83 port 48942 [preauth]
Dec 30 10:03:35 xxxx sshd[6533]: Invalid user user1 from 27.78.12.22 port 46296
Dec 30 10:03:35 xxxx sshd[6533]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:03:35 xxxx sshd[6533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.12.22
Dec 30 10:03:38 xxxx sshd[6533]: Failed password for invalid user user1 from 27.78.12.22 port 46296 ssh2
Dec 30 10:03:40 xxxx sshd[6533]: Connection closed by invalid user user1 27.78.12.22 port 46296 [preauth]
Dec 30 10:04:02 xxxx sshd[6537]: Invalid user admin from 27.78.14.83 port 34470
Dec 30 10:04:04 xxxx sshd[6537]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:04:04 xxxx sshd[6537]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.14.83
Dec 30 10:04:05 xxxx sshd[6537]: Failed password for invalid user admin from 27.78.14.83 port 34470 ssh2
Dec 30 10:04:07 xxxx sshd[6537]: Connection closed by invalid user admin 27.78.14.83 port 34470 [preauth]
Dec 30 10:04:32 xxxx sshd[6540]: Invalid user admin from 27.78.12.22 port 45022
Dec 30 10:04:32 xxxx sshd[6540]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 10:04:32 xxxx sshd[6540]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.78.12.22
Dec 30 10:04:34 xxxx sshd[6540]: Failed password for invalid user admin from 27.78.12.22 port 45022 ssh2
Dec 30 10:04:35 xxxx sshd[6540]: Connection closed by invalid user admin 27.78.12.22 port 45022 [preauth]

Dec 30 12:34:45 xxxx sshd[7097]: Connection closed by 159.203.193.44 port 32906 [preauth]

Dec 30 13:05:38 xxxx sshd[7203]: Invalid user pi from 90.93.167.228 port 49800
Dec 30 13:05:38 xxxx sshd[7204]: Invalid user pi from 90.93.167.228 port 49816
Dec 30 13:05:38 xxxx sshd[7203]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 13:05:38 xxxx sshd[7203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.93.167.228
Dec 30 13:05:38 xxxx sshd[7204]: pam_unix(sshd:auth): check pass; user unknown
Dec 30 13:05:38 xxxx sshd[7204]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=90.93.167.228
Dec 30 13:05:40 xxxx sshd[7203]: Failed password for invalid user pi from 90.93.167.228 port 49800 ssh2
Dec 30 13:05:40 xxxx sshd[7204]: Failed password for invalid user pi from 90.93.167.228 port 49816 ssh2
Dec 30 13:05:40 xxxx sshd[7203]: Connection closed by invalid user pi 90.93.167.228 port 49800 [preauth]
Dec 30 13:05:40 xxxx sshd[7204]: Connection closed by invalid user pi 90.93.167.228 port 49816 [preauth]

Dec 30 15:33:45 xxxx sshd[8214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:33:47 xxxx sshd[8214]: Failed password for root from 178.6.196.33 port 38120 ssh2
Dec 30 15:33:47 xxxx sshd[8214]: Connection closed by authenticating user root 178.6.196.33 port 38120 [preauth]
Dec 30 15:33:49 xxxx sshd[8216]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:33:50 xxxx sshd[8216]: Failed password for root from 178.6.196.33 port 38192 ssh2
Dec 30 15:33:50 xxxx sshd[8216]: Connection closed by authenticating user root 178.6.196.33 port 38192 [preauth]
Dec 30 15:33:52 xxxx sshd[8218]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:33:54 xxxx sshd[8218]: Failed password for root from 178.6.196.33 port 38265 ssh2
Dec 30 15:33:54 xxxx sshd[8218]: Connection closed by authenticating user root 178.6.196.33 port 38265 [preauth]
Dec 30 15:33:55 xxxx sshd[8221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:33:57 xxxx sshd[8221]: Failed password for root from 178.6.196.33 port 38333 ssh2
Dec 30 15:33:57 xxxx sshd[8221]: Connection closed by authenticating user root 178.6.196.33 port 38333 [preauth]
Dec 30 15:33:58 xxxx sshd[8223]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:34:01 xxxx sshd[8223]: Failed password for root from 178.6.196.33 port 38412 ssh2
Dec 30 15:34:01 xxxx sshd[8223]: Connection closed by authenticating user root 178.6.196.33 port 38412 [preauth]
Dec 30 15:34:02 xxxx sshd[8225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:34:04 xxxx sshd[8225]: Failed password for root from 178.6.196.33 port 38495 ssh2
Dec 30 15:34:04 xxxx sshd[8225]: Connection closed by authenticating user root 178.6.196.33 port 38495 [preauth]
Dec 30 15:34:06 xxxx sshd[8227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.6.196.33 user=root
Dec 30 15:34:08 xxxx sshd[8227]: Failed password for root from 178.6.196.33 port 38578 ssh2
Dec 30 15:34:08 xxxx sshd[8227]: Connection closed by authenticating user root 178.6.196.33 port 38578 [preauth]

Dec 30 19:05:01 xxxx CRON[9704]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 30 19:05:01 xxxx CRON[9704]: pam_unix(cron:session): session closed for user root
Dec 30 19:07:35 xxxx sshd[9716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root
Dec 30 19:07:37 xxxx sshd[9716]: Failed password for root from 112.85.42.72 port 11385 ssh2
Dec 30 19:07:41 xxxx sshd[9716]: message repeated 2 times: [ Failed password for root from 112.85.42.72 port 11385 ssh2]
Dec 30 19:07:41 xxxx sshd[9716]: Received disconnect from 112.85.42.72 port 11385:11: [preauth]
Dec 30 19:07:41 xxxx sshd[9716]: Disconnected from authenticating user root 112.85.42.72 port 11385 [preauth]
Dec 30 19:07:41 xxxx sshd[9716]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root
Dec 30 19:08:40 xxxx sshd[9720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root
Dec 30 19:08:42 xxxx sshd[9720]: Failed password for root from 112.85.42.72 port 22035 ssh2
Dec 30 19:08:45 xxxx sshd[9720]: message repeated 2 times: [ Failed password for root from 112.85.42.72 port 22035 ssh2]
Dec 30 19:08:46 xxxx sshd[9720]: Received disconnect from 112.85.42.72 port 22035:11: [preauth]
Dec 30 19:08:46 xxxx sshd[9720]: Disconnected from authenticating user root 112.85.42.72 port 22035 [preauth]
Dec 30 19:08:46 xxxx sshd[9720]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root
Dec 30 19:14:56 xxxx sshd[9740]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root
Dec 30 19:14:58 xxxx sshd[9740]: Failed password for root from 112.85.42.72 port 12264 ssh2
Dec 30 19:15:00 xxxx sshd[9740]: Failed password for root from 112.85.42.72 port 12264 ssh2
Dec 30 19:15:01 xxxx CRON[9743]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 30 19:15:01 xxxx CRON[9743]: pam_unix(cron:session): session closed for user root
Dec 30 19:15:02 xxxx sshd[9740]: Failed password for root from 112.85.42.72 port 12264 ssh2
Dec 30 19:15:02 xxxx sshd[9740]: Received disconnect from 112.85.42.72 port 12264:11: [preauth]
Dec 30 19:15:02 xxxx sshd[9740]: Disconnected from authenticating user root 112.85.42.72 port 12264 [preauth]
Dec 30 19:15:02 xxxx sshd[9740]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.72 user=root

Dec 31 02:39:17 xxxx sshd[14078]: Disconnecting invalid user admin 45.141.84.25 port 52018: Change of username or service not allowed: (admin,ssh-connection) -> (root,ssh-connection) [preauth]
Dec 31 02:39:21 xxxx sshd[14080]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25 user=root
Dec 31 02:39:24 xxxx sshd[14080]: Failed password for root from 45.141.84.25 port 33965 ssh2
Dec 31 02:39:24 xxxx sshd[14080]: Disconnecting authenticating user root 45.141.84.25 port 33965: Change of username or service not allowed: (root,ssh-connection) -> (administrator,ssh-connection) [preauth]
Dec 31 02:39:27 xxxx sshd[14082]: Invalid user administrator from 45.141.84.25 port 13531
Dec 31 02:39:27 xxxx sshd[14082]: pam_unix(sshd:auth): check pass; user unknown
Dec 31 02:39:27 xxxx sshd[14082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25
Dec 31 02:39:29 xxxx sshd[14082]: Failed password for invalid user administrator from 45.141.84.25 port 13531 ssh2
Dec 31 02:39:30 xxxx sshd[14082]: Disconnecting invalid user administrator 45.141.84.25 port 13531: Change of username or service not allowed: (administrator,ssh-connection) -> (admin,ssh-connection) [preauth]
Dec 31 02:39:33 xxxx sshd[14084]: Invalid user admin from 45.141.84.25 port 55688
Dec 31 02:39:33 xxxx sshd[14084]: pam_unix(sshd:auth): check pass; user unknown
Dec 31 02:39:33 xxxx sshd[14084]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25
Dec 31 02:39:36 xxxx sshd[14084]: Failed password for invalid user admin from 45.141.84.25 port 55688 ssh2
Dec 31 02:39:36 xxxx sshd[14084]: Disconnecting invalid user admin 45.141.84.25 port 55688: Change of username or service not allowed: (admin,ssh-connection) -> (123321,ssh-connection) [preauth]
Dec 31 02:39:39 xxxx sshd[14086]: Invalid user 123321 from 45.141.84.25 port 30741
Dec 31 02:39:40 xxxx sshd[14086]: pam_unix(sshd:auth): check pass; user unknown
Dec 31 02:39:40 xxxx sshd[14086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25
Dec 31 02:39:41 xxxx sshd[14086]: Failed password for invalid user 123321 from 45.141.84.25 port 30741 ssh2
Dec 31 02:39:42 xxxx sshd[14086]: Disconnecting invalid user 123321 45.141.84.25 port 30741: Change of username or service not allowed: (123321,ssh-connection) -> (111111,ssh-connection) [preauth]
Dec 31 02:39:46 xxxx sshd[14089]: Invalid user 111111 from 45.141.84.25 port 8802
Dec 31 02:39:47 xxxx sshd[14089]: pam_unix(sshd:auth): check pass; user unknown
Dec 31 02:39:47 xxxx sshd[14089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25
Dec 31 02:39:49 xxxx sshd[14089]: Failed password for invalid user 111111 from 45.141.84.25 port 8802 ssh2
Dec 31 02:39:49 xxxx sshd[14089]: pam_unix(sshd:auth): check pass; user unknown
Dec 31 02:39:51 xxxx sshd[14089]: Failed password for invalid user 111111 from 45.141.84.25 port 8802 ssh2
Dec 31 02:39:52 xxxx sshd[14089]: Disconnecting invalid user 111111 45.141.84.25 port 8802: Change of username or service not allowed: (111111,ssh-connection) -> (user,ssh-connection) [preauth]
Dec 31 02:39:52 xxxx sshd[14089]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=45.141.84.25

Dec 31 23:35:01 xxxx CRON[20355]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:35:01 xxxx CRON[20355]: pam_unix(cron:session): session closed for user root
Dec 31 23:42:24 xxxx sshd[20377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.205 user=root
Dec 31 23:42:26 xxxx sshd[20377]: Failed password for root from 218.92.0.205 port 53535 ssh2
Dec 31 23:42:30 xxxx sshd[20377]: message repeated 2 times: [ Failed password for root from 218.92.0.205 port 53535 ssh2]
Dec 31 23:42:30 xxxx sshd[20377]: Received disconnect from 218.92.0.205 port 53535:11: [preauth]
Dec 31 23:42:30 xxxx sshd[20377]: Disconnected from authenticating user root 218.92.0.205 port 53535 [preauth]
Dec 31 23:42:30 xxxx sshd[20377]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.205 user=root
Dec 31 23:45:01 xxxx CRON[20385]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:45:01 xxxx CRON[20385]: pam_unix(cron:session): session closed for user root
Dec 31 23:47:30 xxxx sshd[20393]: Received disconnect from 218.92.0.205 port 27042:11: [preauth]
Dec 31 23:47:30 xxxx sshd[20393]: Disconnected from 218.92.0.205 port 27042 [preauth]
Dec 31 23:48:59 xxxx sshd[20400]: Received disconnect from 218.92.0.205 port 54788:11: [preauth]
Dec 31 23:48:59 xxxx sshd[20400]: Disconnected from 218.92.0.205 port 54788 [preauth]
Dec 31 23:55:01 xxxx CRON[20417]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:55:01 xxxx CRON[20417]: pam_unix(cron:session): session closed for user root
Dec 31 23:59:01 xxxx CRON[20432]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:59:01 xxxx CRON[20432]: pam_unix(cron:session): session closed for user root

Jan 1 12:32:01 xxxx CRON[23582]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 1 12:32:01 xxxx CRON[23582]: pam_unix(cron:session): session closed for user root
Jan 1 12:32:25 xxxx sshd[23586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root
Jan 1 12:32:27 xxxx sshd[23586]: Failed password for root from 112.85.42.195 port 13147 ssh2
Jan 1 12:32:33 xxxx sshd[23586]: message repeated 2 times: [ Failed password for root from 112.85.42.195 port 13147 ssh2]
Jan 1 12:32:34 xxxx sshd[23586]: Received disconnect from 112.85.42.195 port 13147:11: [preauth]
Jan 1 12:32:34 xxxx sshd[23586]: Disconnected from authenticating user root 112.85.42.195 port 13147 [preauth]
Jan 1 12:32:34 xxxx sshd[23586]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root
Jan 1 12:33:32 xxxx sshd[23590]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root
Jan 1 12:33:34 xxxx sshd[23590]: Failed password for root from 112.85.42.195 port 49188 ssh2
Jan 1 12:33:36 xxxx sshd[23590]: Failed password for root from 112.85.42.195 port 49188 ssh2
Jan 1 12:33:39 xxxx sshd[23590]: Received disconnect from 112.85.42.195 port 49188:11: [preauth]
Jan 1 12:33:39 xxxx sshd[23590]: Disconnected from authenticating user root 112.85.42.195 port 49188 [preauth]
Jan 1 12:33:39 xxxx sshd[23590]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root
Jan 1 12:34:35 xxxx sshd[23594]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root
Jan 1 12:34:37 xxxx sshd[23594]: Failed password for root from 112.85.42.195 port 62803 ssh2
Jan 1 12:34:43 xxxx sshd[23594]: message repeated 2 times: [ Failed password for root from 112.85.42.195 port 62803 ssh2]
Jan 1 12:34:44 xxxx sshd[23594]: Received disconnect from 112.85.42.195 port 62803:11: [preauth]
Jan 1 12:34:44 xxxx sshd[23594]: Disconnected from authenticating user root 112.85.42.195 port 62803 [preauth]
Jan 1 12:34:44 xxxx sshd[23594]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=112.85.42.195 user=root

Jan 2 13:23:15 xxxx sshd[605]: Failed password for root from 218.92.0.206 port 28706 ssh2
Jan 2 13:23:15 xxxx sshd[608]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.206 user=root
Jan 2 13:23:16 xxxx sshd[603]: Failed password for root from 218.92.0.206 port 58568 ssh2
Jan 2 13:23:16 xxxx sshd[603]: Received disconnect from 218.92.0.206 port 58568:11: [preauth]
Jan 2 13:23:16 xxxx sshd[603]: Disconnected from authenticating user root 218.92.0.206 port 58568 [preauth]
Jan 2 13:23:16 xxxx sshd[603]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.206 user=root
Jan 2 13:23:17 xxxx sshd[608]: Failed password for root from 218.92.0.206 port 51114 ssh2
Jan 2 13:23:17 xxxx sshd[605]: Failed password for root from 218.92.0.206 port 28706 ssh2
Jan 2 13:23:19 xxxx sshd[608]: Failed password for root from 218.92.0.206 port 51114 ssh2
Jan 2 13:23:20 xxxx sshd[605]: Failed password for root from 218.92.0.206 port 28706 ssh2
Jan 2 13:23:20 xxxx sshd[605]: Received disconnect from 218.92.0.206 port 28706:11: [preauth]
Jan 2 13:23:20 xxxx sshd[605]: Disconnected from authenticating user root 218.92.0.206 port 28706 [preauth]
Jan 2 13:23:20 xxxx sshd[605]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.206 user=root
Jan 2 13:23:20 xxxx sshd[610]: Received disconnect from 218.92.0.206 port 37686:11: [preauth]
Jan 2 13:23:20 xxxx sshd[610]: Disconnected from 218.92.0.206 port 37686 [preauth]
Jan 2 13:23:21 xxxx sshd[612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.206 user=root
Jan 2 13:23:21 xxxx sshd[608]: Failed password for root from 218.92.0.206 port 51114 ssh2
Jan 2 13:23:21 xxxx sshd[608]: Received disconnect from 218.92.0.206 port 51114:11: [preauth]
Jan 2 13:23:21 xxxx sshd[608]: Disconnected from authenticating user root 218.92.0.206 port 51114 [preauth]
Jan 2 13:23:21 xxxx sshd[608]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.206 user=root