
I recently configured my external-facing router to forward traffic to port 22 on one machine on my LAN. SSHD is the only service listening on port 22.

Immediately I received traffic from IP addresses such as 36.156.24.97 and 223.111.139.210, which, according to IP identification websites, have tried to make unauthorized login attempts on thousands of different machines.

When I reviewed /var/log/auth.log, I saw entries saying that my machine "Received disconnect from 223.111.139.210". I expected to see logs detailing failed login attempts, or more detailed information.

I am running Debian.

Does anyone have any conjectures regarding what those remote machines were trying to do?

Giacomo1968

1 Answer


Does anyone have any conjectures regarding what those remote machines were trying to do?

Attempting to connect to any open 22 port that'll take them and trying default/common credentials in order to gain access, most likely.

It's rarely a good idea to leave 22 open to the world. If you do, ensure you're taking security measures (whitelists/PKI/fail2ban/etc) and have a good reason to do so. Obfuscating your ssh port is useful, but not anything close to "secure", so pair that with the other measures if you must.

Havegooda
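As an added example (not part of the question or of the answer above): a small Python script that does what the asker was hoping to read out of /var/log/auth.log, and a simplified version of what the answer's fail2ban suggestion automates. It parses Debian-style sshd lines, counts per source address the pre-auth disconnects, invalid-user and failed-password events, and emits a deny list of sources that cross a threshold without ever authenticating. The log lines are constructed (they reuse the two addresses from the question), the threshold and event names are my own choices, and the regexes cover common OpenSSH message forms; they are not fail2ban's actual sshd filter.

```python
import re
from collections import defaultdict

# Constructed sample of Debian auth.log lines (not the asker's real log).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 box sshd[1201]: Received disconnect from 223.111.139.210 port 54321:11: Bye Bye [preauth]
Mar  3 10:15:01 box sshd[1201]: Disconnected from authenticating user root 223.111.139.210 port 54321 [preauth]
Mar  3 10:15:02 box sshd[1202]: Invalid user admin from 36.156.24.97 port 44444
Mar  3 10:15:02 box sshd[1202]: Failed password for invalid user admin from 36.156.24.97 port 44444 ssh2
Mar  3 10:15:03 box sshd[1203]: Failed password for root from 36.156.24.97 port 44445 ssh2
Mar  3 10:15:04 box sshd[1204]: Failed password for root from 36.156.24.97 port 44446 ssh2
Mar  3 10:15:05 box sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:AAAA
Mar  3 10:15:06 box sshd[1206]: Received disconnect from 223.111.139.210 port 54322:11: Bye Bye [preauth]
Mar  3 10:15:07 box sshd[1207]: Received disconnect from 223.111.139.210 port 54323:11: Bye Bye [preauth]
Mar  3 10:15:08 box sshd[1208]: Connection closed by 198.51.100.7 port 39000 [preauth]
Mar  3 10:15:09 box CRON[1209]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One regex per event type we care about; group 1 is always the remote address.
# "Received disconnect ... [preauth]" is what the asker saw: the client dropped
# the connection before authentication completed, so no "Failed password" follows.
PATTERNS = {
    "failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"),
    "invalid_user": re.compile(
        r"sshd\[\d+\]: Invalid user \S+ from (\S+) port \d+"),
    "preauth_disconnect": re.compile(
        r"sshd\[\d+\]: (?:Received disconnect from|Connection closed by) (\S+) port \d+.*\[preauth\]"),
    "accepted": re.compile(
        r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+"),
}


def parse_auth_log(text):
    """Return {ip: {event_type: count}} for the sshd events we recognise."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        for event, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                stats[m.group(1)][event] += 1
                break  # one event per line; non-sshd lines (CRON etc.) never match
    return {ip: dict(events) for ip, events in stats.items()}


def classify(stats, threshold=3):
    """Label each source address.

    Any accepted login makes the source 'authenticated'. Otherwise the sum of
    unauthenticated events (failed passwords, invalid users, pre-auth disconnects)
    is compared with the threshold: at or above it the source is a 'scanner',
    below it 'low-volume'. The threshold is an arbitrary choice for this example.
    """
    verdicts = {}
    for ip, events in stats.items():
        if events.get("accepted", 0):
            verdicts[ip] = "authenticated"
            continue
        noise = sum(events.get(k, 0)
                    for k in ("failed_password", "invalid_user", "preauth_disconnect"))
        verdicts[ip] = "scanner" if noise >= threshold else "low-volume"
    return verdicts


def deny_list(text, threshold=3):
    """Sorted list of sources that crossed the threshold with no successful login,
    ready to feed into a firewall deny rule or to compare with what fail2ban banned."""
    verdicts = classify(parse_auth_log(text), threshold)
    return sorted(ip for ip, v in verdicts.items() if v == "scanner")


if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, verdict in classify(stats).items():
        print(f"{ip:18} {verdict:14} {stats[ip]}")
    print("deny:", deny_list(SAMPLE_AUTH_LOG))
```

On a real box you would read the text from /var/log/auth.log (or `journalctl -u ssh`) instead of the embedded sample; the point of the per-address breakdown is that a source showing only pre-auth disconnects, as in the question, is still counted, whereas a threshold on "Failed password" alone would miss it.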