The sshd service on my Ubuntu server is under constant attack from various IPs and user IDs.
According to the /var/log/auth.log file, there are three different types of failures from unknown IDs and IP addresses:
Disconnected from invalid user...
Connection closed by invalid user...
Connection closed by xxx.xxx.xxx.xxx
What is the difference among the three? Do any of these suggest a successful (unauthorized) login? Especially the last one...
I'm assuming all of these are failed attempts, on the basis that I've configured the SSH server to require a pubkey from non-LAN IPs and restricted login to only one non-root user ID.
But, in truth, I don't know how to verify that these security precautions are set properly, whether my pubkey has been compromised, or whether my server's password auth mechanism has been compromised. So I can't say for sure that these are all failed attempts.
I tried to use fail2ban to block repeat attacks from certain IPs, but this was a major fail. First, no more than 24 hours later, the attacker(s) switched to rotating through hundreds of unique IP addresses. Second (and more worryingly), fail2ban doesn't seem to acknowledge the repeat attempts that result in "Connection closed by xxx.xxx.xxx.xxx".
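As an added example (mine, not part of the question above), here is a small Python script that classifies the auth.log message types mentioned in the post and, separately, checks the effective sshd configuration as printed by `sshd -T`. Every log line, IP, username and the `sshd -T` output inside it is constructed for illustration. Two facts it relies on: an sshd message containing "invalid user" means the username does not exist on the host at all, and a login that actually succeeded is always logged as "Accepted <method> for <user> from <ip> port <port>", so counting "Accepted" lines answers the "did anyone get in" question regardless of which disconnect variant the scanners produce. A trailing "[preauth]" means the connection ended before authentication completed, and "Connection closed by <ip> port <port> [preauth]" carries no username at all.

```python
"""Classify sshd lines from /var/log/auth.log and check sshd's effective config.

Added example, not part of the original post. All sample data is constructed.
"""
import re
from collections import Counter

# Message types discussed in the post plus the two that matter most for
# "did anyone get in": Accepted (success) and Failed password.
# Order matters: the generic "Connection closed by <ip>" pattern goes last.
PATTERNS = [
    ("accepted",
     re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed_password",
     re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("disconnected_invalid_user",        # username does not exist on this host
     re.compile(r"Disconnected from invalid user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")),
    ("closed_invalid_user",              # same, but the client closed the connection
     re.compile(r"Connection closed by invalid user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")),
    ("closed_authenticating_user",       # username exists, closed mid-authentication
     re.compile(r"Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+)")),
    ("closed_no_user",                   # no username was ever sent (scanners, banner grabs)
     re.compile(r"Connection closed by (?P<ip>\S+) port (?P<port>\d+)")),
]


def classify(line):
    """Return (kind, fields) for a recognised sshd line, or None for anything else."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            fields["preauth"] = "[preauth]" in line
            if "invalid" in fields:
                fields["invalid"] = fields["invalid"] is not None
            return kind, fields
    return None


def summarize(log_text):
    """Count lines per message type and per source IP; list every successful login."""
    by_kind, by_ip, logins = Counter(), Counter(), []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, f = hit
        by_kind[kind] += 1
        by_ip[f["ip"]] += 1          # per-IP count independent of message variant
        if kind == "accepted":
            logins.append((f["user"], f["method"], f["ip"]))
    return {"by_kind": by_kind, "by_ip": by_ip, "logins": logins}


def check_sshd_config(sshd_t_output, expected_user):
    """Findings against the effective config as printed by `sshd -T`.

    Match blocks are only applied when you pass -C, e.g.
    sshd -T -C user=alice,host=example.invalid,addr=203.0.113.5
    so run it once for a LAN address and once for an Internet address.
    """
    cfg = {}
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0], []).append(parts[1])
    findings = []
    if cfg.get("permitrootlogin", ["?"])[0] != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("pubkeyauthentication", ["?"])[0] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if cfg.get("passwordauthentication", ["?"])[0] != "no":
        findings.append("PasswordAuthentication is enabled for this match context")
    allow = cfg.get("allowusers", [])
    if allow != [expected_user]:
        findings.append(f"AllowUsers is {allow or 'unset'}, expected [{expected_user!r}]")
    return findings


# Constructed sample auth.log excerpt (hostname, users, IPs, ports, fingerprint all made up).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 srv sshd[1001]: Disconnected from invalid user admin 203.0.113.10 port 51000 [preauth]
Mar  3 10:01:05 srv sshd[1002]: Connection closed by invalid user oracle 203.0.113.10 port 51002 [preauth]
Mar  3 10:01:09 srv sshd[1003]: Connection closed by 198.51.100.7 port 40022 [preauth]
Mar  3 10:01:10 srv sshd[1004]: Connection closed by 198.51.100.7 port 40023 [preauth]
Mar  3 10:01:20 srv sshd[1009]: Connection closed by authenticating user alice 203.0.113.14 port 55000 [preauth]
Mar  3 10:02:00 srv sshd[1005]: Failed password for invalid user test from 203.0.113.11 port 52000 ssh2
Mar  3 10:02:30 srv sshd[1006]: Failed password for root from 203.0.113.12 port 53000 ssh2
Mar  3 10:03:00 srv sshd[1007]: Accepted publickey for alice from 192.168.1.20 port 60000 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:04:00 srv sshd[1008]: Accepted password for alice from 203.0.113.13 port 54000 ssh2
"""

# Constructed `sshd -T` output for a non-LAN match context: password auth is still on.
SAMPLE_SSHD_T = """\
port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
allowusers alice
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    for kind, n in sorted(report["by_kind"].items()):
        print(f"{n:4d}  {kind}")
    print("successful logins:", report["logins"])
    print("config findings:", check_sshd_config(SAMPLE_SSHD_T, "alice"))
```

Run against the real file with `summarize(open("/var/log/auth.log").read())`; on this sample the last "Accepted password ... from 203.0.113.13" line is exactly the kind of entry that would show the non-LAN password restriction is not in effect, and the config check flags the same gap from the `sshd -T` side. The per-IP counter deliberately counts every variant, including the username-less "Connection closed by <ip>" lines the post says go unnoticed.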