Monday, March 30, 2015

ssh - Is this server hacked or just login attempts ? See log



Can someone tell what does this mean? I tried a command like lastb to see last user logins and I see some strange logins from China (server is EU, I am in EU). I was wondering if these could be login attempts or successfull logins?



These seem to be very old and usually I lock port 22 to my IPs only, I think I had the port open for a while, last log is in July.




root     ssh:notty    222.92.89.xx     Sat Jul  9 12:26 - 12:26  (00:00)
root ssh:notty 222.92.89.xx Sat Jul 9 12:04 - 12:04 (00:00)
oracle ssh:notty 222.92.89.xx Sat Jul 9 11:43 - 11:43 (00:00)
gary ssh:notty 222.92.89.xx Sat Jul 9 11:22 - 11:22 (00:00)
root ssh:notty 222.92.89.xx Sat Jul 9 11:01 - 11:01 (00:00)
gt05 ssh:notty 222.92.89.xx Sat Jul 9 10:40 - 10:40 (00:00)
admin ssh:notty 222.92.89.xx Sat Jul 9 10:18 - 10:18 (00:00)

Answer




lastb only shows login failures. Use last to see successful logins.


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...