Strange things in my logs

Question

So, I actually have set up my Raspberry Pi as a public web server. I have the port forwarding set up and my FTP and SSH can be accessed by me remotely.

Now I was looking around in my logs yesterday and found some alarming things in the auth.log file. Now, I could just be paranoid but I think someone might be trying to access my Pi through SSH. I'm going to paste a few logs that I saw below.

Oct 13 11:16:42 raspberrypi sshd[3747]: Invalid user glassfish from ###.###.###.###
Oct 13 11:16:42 raspberrypi sshd[3747]: input_userauth_request: invalid user
glassfish [preauth]
Oct 13 11:16:42 raspberrypi sshd[3747]: pam_unix(sshd:auth): check pass; user unknown
Oct 13 11:16:42 raspberrypi sshd[3747]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=###.###.###.### 
Oct 13 11:16:44 raspberrypi sshd[3747]: Failed password for invalid user glassfish 
from ###.###.###.### port 46235 ssh2
Oct 13 11:16:44 raspberrypi sshd[3747]: Received disconnect from
###.###.###.###: 11: Bye Bye [preauth]
Oct 13 11:16:48 raspberrypi sshd[3751]: Invalid user garrysmod from ###.###.###.###
Oct 13 11:16:48 raspberrypi sshd[3751]: input_userauth_request: 
invalid user garrysmod [preauth]
Oct 13 11:16:48 raspberrypi sshd[3751]: pam_unix(sshd:auth): check pass; user unknown
Oct 13 11:16:48 raspberrypi sshd[3751]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=###.###.###.### 
Oct 13 11:16:50 raspberrypi sshd[3751]: Failed password for invalid user garrysmod 
from ###.###.###.### port 47858 ssh2
Oct 13 11:16:50 raspberrypi sshd[3751]: Received disconnect from 
###.###.###.###: 11: Bye Bye [preauth]
------------------------------------------------------
Oct 13 23:31:04 raspberrypi sshd[9708]: reverse mapping checking getaddrinfo
for #-###-##-###.dynamic.primorye.net.ru [#.###.##.###] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 13 23:31:04 raspberrypi sshd[9708]: Invalid user ubnt from #.###.##.###
Oct 13 23:31:04 raspberrypi sshd[9708]: input_userauth_request: invalid user ubnt [preauth]
Oct 13 23:31:04 raspberrypi sshd[9708]: pam_unix(sshd:auth): check pass; user unknown
Oct 13 23:31:04 raspberrypi sshd[9708]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=#.###.##.### 
Oct 13 23:31:06 raspberrypi sshd[9708]: Failed password for invalid user ubnt 
from #.###.##.### port 36047 ssh2
Oct 13 23:31:07 raspberrypi sshd[9708]: Connection closed by #.###.##.### [preauth]

Now, I didn't want to put the actual IP addresses out there like that so I went ahead and masked them. But when I actually look up these IP addresses, they are coming from China and Ukraine.

There are literally hundreds of logs similar to these, they are just two separate instances. I'm relatively new to Linux and Raspberry Pi's so I could just be freaking out for nothing. I just need to make sure.

Answer 1

Technically this is not a linux or pi specific issue, as it is totally normal for a www accessible SSH server on the default port (22). I think pretty much anyone administrating such will report the same thing.

If it bothers you, you can change the default port, although this may be more of a hassle in a different way, particularly if you have various other users, etc., as the client must then specify whatever port you do use. Changing the port will not protect you any better from attack -- someone after you specifically will just scan to find the right port -- but it will mean these mass anonymous things won't bother with you.

As long as you use common sense in your configuration (e.g., if you allow passwords, don't use "123"), it should not be a problem. I imagine the success rate for nefarious attempts of this sort is very, very, very low. Some of it is probably also just information gathering/mapping.