Glorious1
Just today I set up a dynamic DNS domain at DuckDNS, forwarded my port 22 from the router, and set up SSH for public key authentication (disabling password login). I thought I would check in /var/log/auth.log to see if I'm starting to get break-in attempts with the port open.
I was surprised to find someone or something had been trying to get in all along, or was getting in, I'm not sure. This is typical of what was very abundant in the log:
Code:
Jan 16 08:45:32 Tabernacle sshd[47276]: Accepted publickey for root from 127.0.0.1 port 17378 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:32 Tabernacle sshd[47276]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:32 Tabernacle sshd[47288]: Accepted publickey for root from 127.0.0.1 port 58125 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47288]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:33 Tabernacle sshd[47294]: Accepted publickey for root from 127.0.0.1 port 17207 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47294]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:33 Tabernacle sshd[47303]: Accepted publickey for root from 127.0.0.1 port 37246 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:33 Tabernacle sshd[47303]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:34 Tabernacle sshd[47320]: Accepted publickey for root from 127.0.0.1 port 27105 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:34 Tabernacle sshd[47320]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:34 Tabernacle sshd[47332]: Accepted publickey for root from 127.0.0.1 port 22497 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:34 Tabernacle sshd[47332]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:35 Tabernacle sshd[47338]: Accepted publickey for root from 127.0.0.1 port 27518 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:35 Tabernacle sshd[47338]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:35 Tabernacle sshd[47347]: Accepted publickey for root from 127.0.0.1 port 32399 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:35 Tabernacle sshd[47347]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:36 Tabernacle sshd[47364]: Accepted publickey for root from 127.0.0.1 port 29101 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:36 Tabernacle sshd[47364]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:36 Tabernacle sshd[47376]: Accepted publickey for root from 127.0.0.1 port 10225 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47376]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:39 Tabernacle sshd[47382]: Accepted publickey for root from 127.0.0.1 port 52747 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47382]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:39 Tabernacle sshd[47391]: Accepted publickey for root from 127.0.0.1 port 33707 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:39 Tabernacle sshd[47391]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:40 Tabernacle sshd[47408]: Accepted publickey for root from 127.0.0.1 port 33739 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:40 Tabernacle sshd[47408]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:40 Tabernacle sshd[47420]: Accepted publickey for root from 127.0.0.1 port 30387 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:40 Tabernacle sshd[47420]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:41 Tabernacle sshd[47426]: Accepted publickey for root from 127.0.0.1 port 38860 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:41 Tabernacle sshd[47426]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:41 Tabernacle sshd[47435]: Accepted publickey for root from 127.0.0.1 port 43950 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:41 Tabernacle sshd[47435]: Received disconnect from 127.0.0.1: 11: disconnected by user
It looks like they are repeatedly trying various ports? And what the heck is 127.0.0.1? Certainly unlike any local IP I have. And I have root login via SSH disabled, so I don't see how this could even be happening. I would really appreciate it if someone could interpret this for me. It doesn't seem like the common kind of attempts I've read about.
Update: Duh, OK, I see that IP represents this machine, so apparently it is some process trying to get root status? I recently changed the root (webGUI) password to something tougher, so is there some way to tell the rest of the computer that? Or what's going on?
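Added example, not part of the original post: one way to triage auth.log entries like those above is to group successful sshd logins by user, source address and key fingerprint, and to separate loopback from remote sources. The function names are hypothetical; the first three sample lines are copied from the post and the fourth is constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Lines 1-3 are copied from the post; line 4 is constructed (documentation IP, made-up key).
SAMPLE_LOG = """\
Jan 16 08:45:32 Tabernacle sshd[47276]: Accepted publickey for root from 127.0.0.1 port 17378 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 08:45:32 Tabernacle sshd[47276]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 16 08:45:32 Tabernacle sshd[47288]: Accepted publickey for root from 127.0.0.1 port 58125 ssh2: RSA 7b:53:f8:26:c2:df:53:13:85:f4:68:a0:72:f8:7d:3c
Jan 16 09:02:10 Tabernacle sshd[48001]: Accepted publickey for admin from 203.0.113.7 port 50022 ssh2: RSA 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
"""

# "port N" in these lines is the client's source port, which differs per connection.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)

def summarize_logins(log_text):
    """Group successful sshd logins by (user, source address, key fingerprint)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # disconnects and other messages are not logins
        g = groups[(m["user"], m["src"], m["fp"] or "-")]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
        g["ports"].add(int(m["port"]))
    return dict(groups)

def is_loopback(src):
    """True when the source is 127.0.0.0/8 or ::1, i.e. the machine itself."""
    try:
        return ipaddress.ip_address(src).is_loopback
    except ValueError:
        return False

def report(log_text):
    """Rows of (origin, user, source, fingerprint, logins, distinct source ports)."""
    rows = []
    for (user, src, fp), g in sorted(summarize_logins(log_text).items()):
        origin = "local" if is_loopback(src) else "remote"
        rows.append((origin, user, src, fp, g["count"], len(g["ports"])))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

The fingerprint column can then be compared against the keys listed in the relevant `authorized_keys` file to see which key each group of logins used.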