Are many sshd/root processes listed by ps, brute force SSH hack attempt?

Does this mean that someone is trying to brute force the root password on this machine over SSH? Or is it something less nefarious?

It could be attempts to brute force in via SSH, but even if it was “nefarious” I would not lose any sleep over it. Most any server that is publicly accessible on the Internet gets probed by attackers all the time. Someone virtually “casing the joint” is nothing to lose sleep over; actual penetration of the system is.

Heck, I just checked the auth.log on a public server I manage and count over 2000+ “authentication failure” attempts over the past 24 hours when I run this command:

sudo grep "authentication failure;" /var/log/auth.log | wc -l

Sounds scary but honestly, who cares? A quick visual check of the log entries in auth.log using a slightly modified version of the above command:

sudo grep "authentication failure;" /var/log/auth.log

…shows me stuff like this:

Mar 15 07:02:09 hostname sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35  user=root
Mar 15 07:02:19 hostname sshd[2236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35  user=root
Mar 15 07:02:31 hostname sshd[2355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35  user=root

Note how all of the attempted access attempts are on the root account? On any system I set up, root gets neutered right away. So these attempts are past fruitless in my case. So if you check your auth.log and see tons of attempts to ssh into the system via the root account, make sure your system’s root account is completely disabled to knock that concern off of the list.

Past the root account attempts, if you see accesses of seemingly random usernames to your system, that too is another attempt to hack into the system. And unless those usernames equate to some username on your system, I would not worry about them at all either.

Now some sysadmins would say the best solution to this issue is to simply disable password authentication completely from SSH and only use SSH key pairs, but I tend to think that is overkill. Not saying SSH key pairs are weak—they aren’t—but if a system’s access methods are set up sanely and securely from day one, and the passwords are robust enough to not easily be hacked, then the system is quite secure. That’s because the biggest vulnerability on modern web servers is the front-facing web application actually running on the server itself and not things like SSH.

At the end of the day I would not worry about these kinds of random “war dialing” attempts, but rather be preemptively rational in making sure the server itself has the root user account disabled. If you still operate a public server in 2015 with the root account enabled, you’re basically asking for headaches in the long run.
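As an added example (not code from the original answer), the POSIX shell script below does what the answer's grep does, then goes one step further: it breaks the "authentication failure" lines down by source host and target user, counts how many are aimed at root, and reads the PermitRootLogin directive out of an sshd_config so you can confirm root logins are refused before shrugging the noise off. The log lines and the sshd_config fragment are constructed for this example (the IP addresses are from the documentation ranges), and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises sshd
# "authentication failure" lines the way the answer's grep does, but broken
# down by source host and target user, and checks whether sshd still permits
# root logins at all. Function names are my own.

# Constructed sample log; IPs are from the documentation ranges (RFC 5737).
SAMPLE_LOG='Mar 15 07:02:09 hostname sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Mar 15 07:02:19 hostname sshd[2236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Mar 15 07:02:31 hostname sshd[2355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Mar 15 07:05:02 hostname sshd[2401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=admin
Mar 15 07:05:40 hostname sshd[2410]: Accepted publickey for deploy from 192.0.2.25 port 51522 ssh2'

# Constructed sshd_config fragment; the commented-out line must be ignored.
SAMPLE_SSHD_CONFIG='#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes'

# Total failures: the same count the answer gets from grep ... | wc -l.
count_failures() {
    printf '%s\n' "$1" | grep -c 'authentication failure;'
}

# Failures aimed at the root account specifically.
root_failures() {
    printf '%s\n' "$1" | grep 'authentication failure;' | grep -c 'user=root$'
}

# Failures per (rhost, user) pair, most frequent first: "<count> <rhost> <user>".
failures_by_source() {
    printf '%s\n' "$1" | grep 'authentication failure;' \
        | sed -n 's/.*rhost=\([^ ]*\) *user=\([^ ]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Effective PermitRootLogin value from sshd_config text ("default" if unset).
# A line starting with # has "#PermitRootLogin" as its first field, so it
# does not match and commented-out settings are ignored.
permit_root_login() {
    printf '%s\n' "$1" \
        | awk 'tolower($1) == "permitrootlogin" { v = $2 }
               END { print (v == "" ? "default" : v) }'
}

echo "total failures:  $(count_failures "$SAMPLE_LOG")"
echo "root failures:   $(root_failures "$SAMPLE_LOG")"
echo "by source/user:"
failures_by_source "$SAMPLE_LOG"
echo "PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD_CONFIG")"
```

On a real host, feed the functions `$(sudo cat /var/log/auth.log)` and `$(cat /etc/ssh/sshd_config)`; for the effective root-login setting including defaults and Match blocks, `sudo sshd -T | grep -i permitrootlogin` is the authoritative check. A single rhost dominating the per-source list is the usual signature of the scripted probing the answer describes, and a "no" from the PermitRootLogin check is what makes those root attempts harmless.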


Author: Andrew Mao

Updated on September 18, 2022

Comments

  • Andrew Mao over 1 year

    When doing a ps -efH I see lots of the following, where 14:24 is basically the current system time. These processes keep popping up every minute.

    root      6851     1  0 14:24 ?        00:00:00   sshd: root [priv]
    sshd      6852  6851  0 14:24 ?        00:00:00     sshd: root [net]
    root      6869  6851  1 14:24 ?        00:00:00     sshd: root [pam]
    root      6861     1  0 14:24 ?        00:00:00   sshd: root [priv]
    sshd      6863  6861  0 14:24 ?        00:00:00     sshd: root [net]
    root      6874  6861  0 14:24 ?        00:00:00     sshd: root [pam]
    root      6865     1  0 14:24 ?        00:00:00   sshd: root [priv]
    sshd      6866  6865  0 14:24 ?        00:00:00     sshd: root [net]
    root      6875  6865  0 14:24 ?        00:00:00     sshd: root [pam]
    root      6872     1  1 14:24 ?        00:00:00   sshd: root [priv]
    sshd      6873  6872  0 14:24 ?        00:00:00     sshd: root [net]
    root      6876  6872  0 14:24 ?        00:00:00     sshd: root [pam]
    

    Does this mean that someone is trying to brute force the root password on this machine over SSH? Or is it something less nefarious?

    • Zoredache about 9 years
      How many sessions do you see if you run who? Given the above I suspect you should see 4. Are all four of those users you recognize?