0

I'm facing very strange logs in my /var/log/auth.log. Every single second I can read one or more lines like this:

Accepted publickey for git from MY_OWN_IP port 51885 ssh2: RSA db:fc:1c:e2:7f:dc:b1:76:d8:97:e6:49:fd:9d:34:18
Received disconnect from MY_OWN_IP: 11: disconnected by user

And all that changes is port number. 30168, 30169, 30170...

I'm having GitLab installed on my server.

What can be cause of this? Is this some kind of attack?

Cristian Ciupitu
  • 6,396
  • 2
  • 42
  • 56
cadavre
  • 121
  • 2
  • There is nothing strange about the port. This is the port the connection is established **from**. That is randomly chosen each time. I don't know what/why connects every second though... – faker Apr 24 '14 at 21:21
  • It does not sound like an attack. It sounds more like a legitimate, but poorly written, script doing lots of ssh commands. Possibly it is doing some git operations accessing data across different repositories. It should be possible to eliminate the ssh part of the operation, when both repositories are on the same host. – kasperd Apr 24 '14 at 21:22
  • But each connection is on different port. And repos are on same host as **from** IP. It just look weird... and my auth.log gets 60M in 4 days. – cadavre Apr 24 '14 at 21:56

0 Answers0