
I have a web application that I'm hosting on an Amazon Ubuntu server, and it has a public IP address - and very little traffic.

I was observing the authorization logs in /var/log, and noticed several like the following, typically 15-30 times/day, and all with a different username.

Sep  9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: Invalid user zabbix from 192.69.90.218
Sep  9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: input_userauth_request: invalid user zabbix [preauth]
Sep  9 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: Received disconnect from 192.69.90.218: 11: Bye Bye [preauth]

Most of these come from Vietnam and China. I assume this is typical, that somebody has programmed a bot to trawl the web and attempt logins. There are similar threads about understanding logs, but my question is this:

Is this volume normal, and how do I establish a baseline for normal activity levels?

If I'm assured about security - and I am, I use locally saved SSH keys - is there any harm to these failed requests, even as they grow in number over time?

dmc7z
  • 105
  • 1

2 Answers

2

Difficult to say whether or not the rate is normal. I wouldn't be too surprised anyway on the default SSH port; it is really frequent to see such bots trying to get in.

There is absolutely nothing harmful about being requested like this, as long as you follow basic security rules such as only authenticating with SSH keys and forbidding access with the root account.

What you can do to lower the number of requests is to change the default SSH port to something higher than 1024.

Finally, you can also add an iptables rule to reset access at the TCP level if the number of tries exceeds a threshold, or even better use fail2ban. Anyway, the only risk is a successful connection; I wouldn't be too worried about the rate of unsuccessful tries.

philippe
  • 2,131
  • 4
  • 30
  • 53
1

Yes, unfortunately these are normal. We see requests like this day in, day out, across pretty much every public facing service we provide.

If you are using public key auth, and actually have password auth disabled, then it shouldn't really cause a problem.

You may want to use something like fail2ban to monitor the logs and automatically firewall addresses that are trying too much. You can also move the port, which is no safer security-wise but may cut out a decent proportion of the random login attempts.

Ideally of course, you shouldn't expose SSH (or any other service that doesn't need to be accessed globally) openly to the Internet. I would generally lock down SSH to specific IP addresses or provision some sort of VPN if I knew access was required from any location or locations without fixed addresses.

USD Matt
  • 5,321
  • 14
  • 23
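Added example, not code from the question's author or either answerer: a small Python script that parses sshd "Invalid user" lines in the exact format quoted in the question, computes a per-day baseline (mean and standard deviation) as the question asks, flags days that exceed it, and lists source addresses over a per-source threshold, the same rule fail2ban applies (within a time window) before banning. The log sample is constructed; the 203.0.113.x and 198.51.100.x addresses are documentation ranges, not real sources.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Matches the "Invalid user <name> from <ip>" lines quoted in the question; the
# syslog timestamp carries no year, so days are keyed as "Mon dd".
INVALID_USER_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_invalid_users(lines):
    """Yield (day, user, ip) for every 'Invalid user' line; other lines are skipped."""
    for line in lines:
        m = INVALID_USER_RE.match(line.rstrip("\n"))
        if m:
            yield (f"{m['month']} {m['day']:>2}", m["user"], m["ip"])

def daily_counts(lines):
    """Invalid-user attempts per calendar day: the series the baseline is built from."""
    return Counter(day for day, _, _ in parse_invalid_users(lines))

def baseline(counts):
    """Mean and population std-dev of the per-day counts, i.e. the 'normal' level."""
    values = list(counts.values())
    return (mean(values), pstdev(values)) if values else (0.0, 0.0)

def anomalous_days(counts, k=2.0):
    """Days whose count exceeds mean + k*stddev, the sign that a new campaign started."""
    mu, sigma = baseline(counts)
    return sorted(day for day, n in counts.items() if n > mu + k * sigma)

def noisy_sources(lines, max_attempts=5):
    """Source IPs with more than max_attempts invalid-user lines over the whole file
    (fail2ban applies the same idea within a sliding time window before blocking)."""
    per_ip = Counter(ip for _, _, ip in parse_invalid_users(lines))
    return {ip: n for ip, n in per_ip.items() if n > max_attempts}

def _line(day, user, ip):
    """Build one log line in the exact format the question shows (constructed data)."""
    return f"Sep {day:>2} 01:15:37 ip-xx-xxx-xx-xxx sshd[24944]: Invalid user {user} from {ip}"

# Constructed sample (not a real capture): 20 attempts/day from scattered IPs on
# Sep 1-6, then 120 attempts from one address on Sep 7, plus one non-matching line.
SAMPLE_LOG = [_line(d, f"u{d}_{i}", f"203.0.113.{(d * 20 + i) % 250}")
              for d in range(1, 7) for i in range(20)]
SAMPLE_LOG += [_line(7, f"bot{i}", "198.51.100.7") for i in range(120)]
SAMPLE_LOG.append("Sep  7 01:16:02 ip-xx-xxx-xx-xxx sshd[24950]: Received disconnect "
                  "from 198.51.100.7: 11: Bye Bye [preauth]")
```

Run it against `/var/log/auth.log` by passing `open(path)` in place of `SAMPLE_LOG`; the first few weeks of per-day counts are the baseline, and a day flagged by `anomalous_days` or an address listed by `noisy_sources` is what deserves a look.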