-3

I found this logs in my auth.log

Apr 21 03:36:10 mikigal sshd[18181]: Accepted password for mikigal from MY_HOME_IP_ADRESS port 51814 ssh2
Apr 21 03:36:10 mikigal sshd[18181]: pam_unix(sshd:session): session opened for user mikigal by (uid=0)
Apr 21 03:36:10 mikigal systemd-logind[682]: New session 11 of user mikigal.
Apr 21 03:36:11 mikigal sshd[18189]: Received disconnect from MY_HOME_IP_ADRESS port 51814:11: Normal Shutdown, Thank you for playing
Apr 21 03:36:11 mikigal sshd[18189]: Disconnected from MY_HOME_IP_ADRESS port 51814
Apr 21 03:36:11 mikigal sshd[18181]: pam_unix(sshd:session): session closed for user mikigal
Apr 21 03:36:11 mikigal systemd-logind[682]: Removed session 11.

These logs exist on random hour, always from my IP address. At hours of this logs my PC was turned off. I reinstalled sytem on my VPS yesterday, because i thought I have some malware on my server, but logs still exists.

last command output:

mikigal  pts/1        MY_HOME_IP_ADRESS  Sat Apr 21 12:37   still logged in
mikigal  pts/1        MY_HOME_IP_ADRESS  Sat Apr 21 11:35 - 12:15  (00:39)
mikigal  pts/1        MY_HOME_IP_ADRESS  Sat Apr 21 04:20 - 04:22  (00:01)
mikigal  pts/1        MY_HOME_IP_ADRESS  Sat Apr 21 04:04 - 04:05  (00:00)
mikigal  pts/1        MY_HOME_IP_ADRESS  Sat Apr 21 04:04 - 04:04  (00:00)
mikigal  pts/0        MY_HOME_IP_ADRESS  Sat Apr 21 03:15 - 04:16  (01:01)
root     pts/0        MY_HOME_IP_ADRESS  Sat Apr 21 03:07 - 03:14  (00:06)
reboot   system boot  4.9.0-6-amd64    Sat Apr 21 03:07   still running
root     pts/0        MY_HOME_IP_ADRESS  Sat Apr 21 03:04 - down   (00:02)
reboot   system boot  4.9.0-3-amd64    Sat Apr 21 03:04 - 03:07  (00:03)

wtmp begins Sat Apr 21 03:04:01 2018

Login at 03:36:11 from auth.log does not exists in last output. There is no info about this login in fail2ban.log. I have Debian 9. System and packets are updated to the newest version.

Is this normal? I have install fail2ban, disabled root login, custom SSH/SFTP port.

mikigal
  • 1
  • 1
  • 1

1 Answers1

1

They are probably SFTP or SCP sessions: the OpenSSH sshd doesn't recognize them as interactive sessions and won't log them into /var/log/wtmp the last commend reads. The Normal Shutdown is from sshd and the Thank you for playing is a message sent by the client on clean shutdown. There's nothing suspicious in the content of these log lines by themselves.

Fail2Ban wouldn't work here, because

  • it's not some random IP address but your IP, which could even be whitelisted
  • it's a successful connection: no fail, no ban.

Could there be some kind of automated backup on any device on your home network?

The connection uses password authentication. Have you tried changing your password?

Esa Jokinen
  • 43,252
  • 2
  • 75
  • 122
  • Only my PC have access to this server, only I have this password. This logs exists on time, when I'm in school so my PC is always turned off. No, I'm not changed my password. Should I change it? – mikigal Apr 21 '18 at 14:54
  • It is straight because are only in the newest auth.log, there are not exists in auth.log.1.gz, auth.log.2.gz etc. – mikigal Apr 21 '18 at 15:22