10

My VPS has around 3% CPU load, which is probably caused by sshd: unknown [net] and sshd: [accepted] commands appearing around once per second and quickly disappearing in htop.

Does it mean somebody is trying to bruteforce my password? What do I do about it?

Alexei Averchenko

2 Answers

10
  1. Check your /var/log/auth.log
  2. Install fail2ban and autoban ssh bruteforcers. You can edit /etc/fail2ban/jail.conf:

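    [ssh]
    
    enabled = true
    port    = 22
    filter  = sshd
    logpath = /var/log/auth.log
    # a negative bantime makes the ban permanent
    bantime = -1
    # number of failures from one address before it is banned
    maxretry = 5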
    
6

Check your /var/log/auth.log; you should see a high number of failed attempts if someone is trying to attack you. It's commonly known as Internet background noise.

You can install a host-based intrusion detection system like OSSEC and enable the active response to temporarily block offending IP addresses.

Lucas Kauffman
  • 1
    `root 5277 1.0 0.0 72228 3488 ? Ss 08:39 0:00 sshd: root [priv]` `sshd 5278 0.0 0.0 51472 1432 ? S 08:39 0:00 sshd: root [net]`, Does this mean some gained access to server? – J Bourne Jan 20 '15 at 14:41
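
The auth.log check that both answers recommend, as an added example (not code from either answer): it counts failed sshd password attempts per source IP against the `maxretry = 5` threshold from the jail above, and lists successful logins so that one arriving from an address with recent failures stands out. The log lines, user names and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the usual OpenSSH syslog format (not taken from the page).
SAMPLE_LOG = """\
Jan 20 08:39:01 vps sshd[5277]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 20 08:39:02 vps sshd[5279]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 20 08:39:03 vps sshd[5281]: Failed password for root from 203.0.113.7 port 51246 ssh2
Jan 20 08:39:04 vps sshd[5283]: Failed password for invalid user test from 203.0.113.7 port 51252 ssh2
Jan 20 08:39:05 vps sshd[5285]: Failed password for root from 203.0.113.7 port 51258 ssh2
Jan 20 08:39:06 vps sshd[5287]: Failed password for invalid user oracle from 203.0.113.7 port 51264 ssh2
Jan 20 08:41:10 vps sshd[5301]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Jan 20 08:45:30 vps sshd[5320]: Failed password for root from 198.51.100.23 port 33810 ssh2
Jan 20 08:45:34 vps sshd[5320]: Failed password for root from 198.51.100.23 port 33810 ssh2
Jan 20 08:45:39 vps sshd[5320]: Accepted password for root from 198.51.100.23 port 33810 ssh2
"""

MAXRETRY = 5  # same threshold as maxretry in the jail shown in the first answer

# Greedy user match, anchored at line end, so the IP is always the last "from" field.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(.+) from (\S+) port \d+ ssh2$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text, maxretry=MAXRETRY):
    """Return (offenders, accepted, suspicious) for sshd lines in log_text."""
    failures = Counter()  # failed password attempts per source IP
    accepted = []         # (user, ip, method, failures seen from that IP so far)
    for line in log_text.splitlines():
        m = FAILED.search(line.rstrip())
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method, failures[ip]))
    offenders = {ip: n for ip, n in failures.items() if n >= maxretry}
    # A successful login from an address that was just failing deserves a closer look.
    suspicious = [a for a in accepted if a[3] > 0]
    return offenders, accepted, suspicious


if __name__ == "__main__":
    offenders, accepted, suspicious = summarize(SAMPLE_LOG)
    print("IPs at or above maxretry:", offenders)
    print("Successful logins:", accepted)
    print("Logins preceded by failures from the same IP:", suspicious)
```

To run it against a real log, pass the contents of /var/log/auth.log to `summarize` instead of `SAMPLE_LOG`.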