On my Ubuntu server I occasionally run the following command to view any open files that are TCP connections from my server:
lsof -uroot | grep 104.236.XX.XXX
The last time I ran it, I saw this as one of the entries:
sshd 15651 root 3u IPv4 1813348 0t0 TCP 104.236.XX.XXX:ssh->62-210-180-69.rev.poneytelecom.eu:38114 (ESTABLISHED)
What is this connection? None of the processes I have running would have caused this connection. Should I be concerned? Does anyone know where this would come from?
EDIT
After checking the file at /var/log/auth.log, it does look like I see some failed auth attempts from that host.
Jan 13 09:45:50 prod sshd[5474]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:51 prod sshd[5476]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:51 prod sshd[5474]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li829-5.members.linode.com user=root
Jan 13 09:45:51 prod sshd[5476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:53 prod sshd[5474]: Failed password for root from 104.237.138.5 port 54713 ssh2
Jan 13 09:45:53 prod sshd[5474]: Received disconnect from 104.237.138.5: 11: Bye Bye [preauth]
Jan 13 09:45:53 prod sshd[5476]: Failed password for root from 62.210.180.69 port 60293 ssh2
Jan 13 09:45:57 prod sshd[5476]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 60293 ssh2]
Jan 13 09:45:57 prod sshd[5476]: Received disconnect from 62.210.180.69: 11: [preauth]
Jan 13 09:45:57 prod sshd[5476]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:58 prod sshd[5478]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:58 prod sshd[5478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:59 prod sshd[5478]: Failed password for root from 62.210.180.69 port 51275 ssh2
Jan 13 09:46:04 prod sshd[5478]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 51275 ssh2]
Jan 13 09:46:04 prod sshd[5478]: Received disconnect from 62.210.180.69: 11: [preauth]
Jan 13 09:46:04 prod sshd[5478]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:46:04 prod sshd[5480]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:46:05 prod sshd[5480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:46:06 prod sshd[5480]: Failed password for root from 62.210.180.69 port 41907 ssh2
Jan 13 09:46:10 prod sshd[5480]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 41907 ssh2]
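
Added example, not part of the original post: an ESTABLISHED entry in lsof only shows that the TCP handshake completed, so the check that matters is whether auth.log records an accepted login for that address. This Python sketch counts failed SSH logins per source address in the log format shown above, expanding syslog's "message repeated N times" lines, and lists any accepted logins. The sample lines are constructed; the "Accepted" entry, the user deploy and 203.0.113.7 are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the auth.log excerpt above; the
# "Accepted" line and 203.0.113.7 (documentation range) are invented.
SAMPLE = """\
Jan 13 09:45:53 prod sshd[5474]: Failed password for root from 104.237.138.5 port 54713 ssh2
Jan 13 09:45:53 prod sshd[5476]: Failed password for root from 62.210.180.69 port 60293 ssh2
Jan 13 09:45:57 prod sshd[5476]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 60293 ssh2]
Jan 13 09:45:57 prod sshd[5476]: Received disconnect from 62.210.180.69: 11: [preauth]
Jan 13 09:45:59 prod sshd[5478]: Failed password for root from 62.210.180.69 port 51275 ssh2
Jan 13 09:46:04 prod sshd[5478]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 51275 ssh2]
Jan 13 10:02:11 prod sshd[5601]: Accepted publickey for deploy from 203.0.113.7 port 50022 ssh2
"""

LINE = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")
REPEAT = re.compile(r"^message repeated (?P<n>\d+) times: \[ ?(?P<inner>.*)\]$")
AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text):
    """Return (failures, accepted): ip -> failure count, and [(user, ip, method)]."""
    failures = defaultdict(int)
    accepted = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg, count = m.group("msg"), 1
        rep = REPEAT.match(msg)
        if rep:  # syslog collapsed N further identical lines into this one
            msg, count = rep.group("inner"), int(rep.group("n"))
        a = AUTH.match(msg)
        if not a:
            continue  # host-key errors, PAM lines, disconnects: not counted
        if a.group("result") == "Failed":
            failures[a.group("ip")] += count
        else:
            accepted.append((a.group("user"), a.group("ip"), a.group("method")))
    return dict(failures), accepted

if __name__ == "__main__":
    fails, ok = summarize(SAMPLE)
    for ip, n in sorted(fails.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} failed  {ip}")
    for user, ip, method in ok:
        print(f"ACCEPTED {user} from {ip} via {method}")
```

To run it against a real log, pass the contents of /var/log/auth.log to `summarize()` instead of `SAMPLE`.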