
I was surprised to see that I'm receiving lots of ssh intruders from different IP locations. Also, on my server 90% of the CPU is being used running cron:

/tmp/.txl/upd >/dev/null 2>&1

The logs from journalctl. What does it actually mean?

Dec 14 17:33:08 svr-1004 sshd[17786]: Invalid user dovecot from 111.231.66.135 port 37596
Dec 14 17:33:08 svr-1004 sshd[17786]: input_userauth_request: invalid user dovecot [preauth]
Dec 14 17:33:08 svr-1004 sshd[17786]: pam_unix(sshd:auth): check pass; user unknown
Dec 14 17:33:08 svr-1004 sshd[17786]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.231.66.135
Dec 14 17:33:10 svr-1004 sshd[17786]: Failed password for invalid user dovecot from 111.231.66.135 port 37596 ssh2
Dec 14 17:33:11 svr-1004 sshd[17786]: Received disconnect from 111.231.66.135 port 37596:11: Bye Bye [preauth]
Dec 14 17:33:11 svr-1004 sshd[17786]: Disconnected from 111.231.66.135 port 37596 [preauth]
Dec 14 17:33:22 svr-1004 sshd[17802]: reverse mapping checking getaddrinfo for 234.2.125.189.static.impsat.net.br [189.125.2.234] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 14 17:33:22 svr-1004 sshd[17802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.125.2.234  user=root
Dec 14 17:33:22 svr-1004 sshd[17802]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Dec 14 17:33:24 svr-1004 sshd[17802]: Failed password for root from 189.125.2.234 port 27235 ssh2
Dec 14 17:33:25 svr-1004 sshd[17802]: Received disconnect from 189.125.2.234 port 27235:11: Bye Bye [preauth]
Dec 14 17:33:25 svr-1004 sshd[17802]: Disconnected from 189.125.2.234 port 27235 [preauth]
Dec 14 17:33:33 svr-1004 systemd[1]: firewalld.service start operation timed out. Terminating.
Dec 14 17:33:33 svr-1004 kernel: Ebtables v2.0 unregistered