Are many sshd/root processes listed by ps, brute force SSH hack attempt?
Does this mean that someone is trying to brute force the root password on this machine over SSH? Or is it something less nefarious?
It could be attempts to brute force in via SSH, but even if it was “nefarious” I would not lose any sleep over it. Most any server that is publicly accessible on the Internet gets probed by attackers all the time. Someone virtually “casing the joint” is nothing to lose sleep over; actual penetration of the system is.
Heck, I just checked the auth.log on a public server I manage and count over 2000+ “authentication failure” attempts over the past 24 hours when I run this command:
sudo grep "authentication failure;" /var/log/auth.log | wc -l
Sounds scary but honestly, who cares? A quick visual check of the log entries in auth.log using a slightly modified version of the above command:
sudo grep "authentication failure;" /var/log/auth.log
…shows me stuff like this:
Mar 15 07:02:09 hostname sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Mar 15 07:02:19 hostname sshd[2236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Mar 15 07:02:31 hostname sshd[2355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Note how all of the attempted access attempts are on the root account? On any system I set up, root gets neutered right away. So these attempts are past fruitless in my case. So if you check your auth.log and see tons of attempts to ssh into the system via the root account, make sure your system’s root account is completely disabled to knock that concern off of the list.
Past the root account attempts, if you see accesses of seemingly random usernames to your system, that too is another attempt to hack into the system. And unless those usernames equate to some username on your system, I would not worry about them at all either.
Now some sysadmins would say the best solution to this issue is to simply disable password authentication completely from SSH and only use SSH key pairs, but I tend to think that is overkill. Not saying SSH key pairs are weak—they aren’t—but if a system’s access methods are set up sanely and securely from day one, and the passwords are robust enough to not easily be hacked, then the system is quite secure. That’s because the biggest vulnerability on modern web servers is the front-facing web application actually running on the server itself and not things like SSH.
At the end of the day I would not worry about these kinds of random “war dialing” attempts, but rather be preemptively rational in making sure the server itself has the root user account disabled. If you still operate a public server in 2015 with the root account enabled, you’re basically asking for headaches in the long run.
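An added example, not code from the answer above or its author, that does the triage the answer describes in Python rather than with grep: it parses the pam_unix failure lines, counts failures per source host and per username, and separates usernames that exist locally (the ones worth a second look) from ones that do not. The sample log lines and the local user set are constructed; local_usernames() is a hypothetical helper for reading /etc/passwd on a real host.

```python
import re
from collections import Counter

# Matches the pam_unix failure lines the answer greps for; rhost and user drive the triage.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;"
    r".*?rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)

def parse_failures(lines):
    """Yield (rhost, user) for each sshd authentication-failure line; other lines are skipped."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield m.group("rhost"), m.group("user")

def local_usernames(passwd_path="/etc/passwd"):
    """Account names that exist on this host (first field of each passwd entry)."""
    with open(passwd_path) as f:
        return {line.split(":", 1)[0] for line in f if line.strip()}

def summarize(lines, local_users):
    """Count failures per source host and per target user; split targets into local vs nonexistent accounts."""
    by_host, by_user = Counter(), Counter()
    for rhost, user in parse_failures(lines):
        by_host[rhost] += 1
        by_user[user] += 1
    return {
        "total": sum(by_user.values()),
        "by_host": dict(by_host),
        "by_user": dict(by_user),
        "real_accounts_targeted": sorted(u for u in by_user if u in local_users),
        "nonexistent_accounts_targeted": sorted(u for u in by_user if u not in local_users),
    }

# Constructed sample: the three root lines from the answer, two made-up attempts from a
# documentation-range address, and one unrelated line that must not be counted.
SAMPLE_LOG = """\
Mar 15 07:02:09 hostname sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Mar 15 07:02:19 hostname sshd[2236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Mar 15 07:02:31 hostname sshd[2355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.239.228.35 user=root
Mar 15 07:05:02 hostname sshd[2401]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=oracle
Mar 15 07:05:09 hostname sshd[2407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=deploy
Mar 15 07:06:00 hostname sshd[2410]: Accepted publickey for deploy from 198.51.100.4 port 51234 ssh2
"""
SAMPLE_LOCAL_USERS = {"root", "deploy", "www-data"}  # constructed; use local_usernames() on a real host

def demo():
    return summarize(SAMPLE_LOG.splitlines(), SAMPLE_LOCAL_USERS)
```

On a real host, feed it `open("/var/log/auth.log")` and `local_usernames()`; the "real_accounts_targeted" list is the one that should be empty or fully explained.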
Andrew Mao
Updated on September 18, 2022
Comments
Andrew Mao over 1 year
When doing a ps -efH I see lots of the following, where 14:24 is basically the current system time. These processes keep popping up every minute.
root 6851 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6852 6851 0 14:24 ? 00:00:00 sshd: root [net]
root 6869 6851 1 14:24 ? 00:00:00 sshd: root [pam]
root 6861 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6863 6861 0 14:24 ? 00:00:00 sshd: root [net]
root 6874 6861 0 14:24 ? 00:00:00 sshd: root [pam]
root 6865 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6866 6865 0 14:24 ? 00:00:00 sshd: root [net]
root 6875 6865 0 14:24 ? 00:00:00 sshd: root [pam]
root 6872 1 1 14:24 ? 00:00:00 sshd: root [priv]
sshd 6873 6872 0 14:24 ? 00:00:00 sshd: root [net]
root 6876 6872 0 14:24 ? 00:00:00 sshd: root [pam]
Does this mean that someone is trying to brute force the root password on this machine over SSH? Or is it something less nefarious?
Zoredache about 9 years
How many sessions do you see if you run who? Given the above I suspect you should see 4. Are all four of those users you recognize?