Monday, March 30, 2015

ssh - Is this server hacked or just login attempts ? See log



Can someone tell what does this mean? I tried a command like lastb to see last user logins and I see some strange logins from China (server is EU, I am in EU). I was wondering if these could be login attempts or successfull logins?



These seem to be very old and usually I lock port 22 to my IPs only, I think I had the port open for a while, last log is in July.




root     ssh:notty    222.92.89.xx     Sat Jul  9 12:26 - 12:26  (00:00)
root     ssh:notty    222.92.89.xx     Sat Jul  9 12:04 - 12:04  (00:00)
oracle   ssh:notty    222.92.89.xx     Sat Jul  9 11:43 - 11:43  (00:00)
gary     ssh:notty    222.92.89.xx     Sat Jul  9 11:22 - 11:22  (00:00)
root     ssh:notty    222.92.89.xx     Sat Jul  9 11:01 - 11:01  (00:00)
gt05     ssh:notty    222.92.89.xx     Sat Jul  9 10:40 - 10:40  (00:00)
admin    ssh:notty    222.92.89.xx     Sat Jul  9 10:18 - 10:18  (00:00)

Answer




lastb only shows login failures. Use last to see successful logins.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...