When doing a ps -efH, I see lots of the following, where 14:24 is basically the current system time. These processes keep popping up every minute.
root 6851 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6852 6851 0 14:24 ? 00:00:00 sshd: root [net]
root 6869 6851 1 14:24 ? 00:00:00 sshd: root [pam]
root 6861 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6863 6861 0 14:24 ? 00:00:00 sshd: root [net]
root 6874 6861 0 14:24 ? 00:00:00 sshd: root [pam]
root 6865 1 0 14:24 ? 00:00:00 sshd: root [priv]
sshd 6866 6865 0 14:24 ? 00:00:00 sshd: root [net]
root 6875 6865 0 14:24 ? 00:00:00 sshd: root [pam]
root 6872 1 1 14:24 ? 00:00:00 sshd: root [priv]
sshd 6873 6872 0 14:24 ? 00:00:00 sshd: root [net]
root 6876 6872 0 14:24 ? 00:00:00 sshd: root [pam]
Does this mean that someone is trying to brute force the root password on this machine over SSH? Or is it something less nefarious?
Best Answer
It could be attempts to brute force in via SSH, but even if it was “nefarious” I would not lose any sleep over it. Most any server that is publicly accessible on the Internet gets probed by attackers all the time. Someone virtually “casing the joint” is nothing to lose sleep over; actual penetration of the system is.
Heck, I just checked the auth.log on a public server I manage and count over 2,000 “authentication failure” attempts over the past 24 hours when I run this command:

Sounds scary but honestly, who cares? A quick visual check of the log entries in auth.log using a slightly modified version of the above command:

…shows me stuff like this:
Note how all of the access attempts are on the root account? On any system I set up, root gets neutered right away. So these attempts are past fruitless in my case. So if you check your auth.log and see tons of attempts to ssh into the system via the root account, make sure your system’s root account is completely disabled to knock that concern off of the list.

Past the root account attempts, if you see accesses of seemingly random usernames to your system, that too is another attempt to hack into the system. And unless those usernames equate to some username on your system, I would not worry about them at all either.

Now some sysadmins would say the best solution to this issue is to simply disable password authentication completely from SSH and only use SSH key pairs, but I tend to think that is overkill. Not saying SSH key pairs are weak (they aren’t), but if a system’s access methods are set up sanely and securely from day one, and the passwords are robust enough to not easily be hacked, then the system is quite secure. That’s because the biggest vulnerability on modern web servers is the front-facing web application actually running on the server itself and not things like SSH.
At the end of the day I would not worry about these kinds of random “war dialing” attempts, but rather be preemptively rational in making sure the server itself has the root user account disabled. If you still operate a public server in 2015 with the root account enabled, you’re basically asking for headaches in the long run.
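The two checks the answer above describes (count the failed SSH logins in auth.log and see whether they target root, a nonexistent account, or a real local account, then confirm that root password login is off in sshd_config) as a small script. This is an added example, not code from the original question or answer. The auth.log lines are constructed to mimic OpenSSH's "Failed password for ..." messages in Debian-style syslog format, LOCAL_USERS is a hypothetical account list, and the sshd_config parser assumes the modern OpenSSH default of prohibit-password when the directive is absent and ignores Match blocks.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not taken from the original post).
# Line shapes follow OpenSSH's "Failed password for [invalid user] X from IP port N ssh2".
SAMPLE_AUTH_LOG = """\
Jan 15 14:24:01 web1 sshd[6851]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jan 15 14:24:03 web1 sshd[6861]: Failed password for root from 198.51.100.23 port 51240 ssh2
Jan 15 14:24:05 web1 sshd[6865]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Jan 15 14:24:07 web1 sshd[6872]: Failed password for invalid user oracle from 203.0.113.7 port 40031 ssh2
Jan 15 14:24:09 web1 sshd[6880]: Failed password for alice from 192.0.2.44 port 60012 ssh2
Jan 15 14:24:11 web1 sshd[6881]: Accepted publickey for alice from 192.0.2.10 port 55010 ssh2
Jan 15 14:24:13 web1 sshd[6890]: Failed password for root from 203.0.113.7 port 40040 ssh2
"""

# Hypothetical set of accounts that really exist on the server.
LOCAL_USERS = {"alice", "bob"}

# Matches a failed password attempt; "invalid user " is present when the
# target account does not exist on the system.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return a list of (target_user, source_ip) for each failed-password line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def summarize_failures(log_text, local_users):
    """Count failures per target user and per source IP, and bucket them the
    way the answer suggests reading them: attempts on root (fruitless once
    root login is disabled), attempts on nonexistent accounts (noise), and
    attempts on real local accounts (the only ones worth a closer look)."""
    by_user, by_ip, buckets = Counter(), Counter(), Counter()
    for user, ip in parse_failures(log_text):
        by_user[user] += 1
        by_ip[ip] += 1
        if user == "root":
            buckets["root"] += 1
        elif user in local_users:
            buckets["local_user"] += 1
        else:
            buckets["nonexistent"] += 1
    return {
        "total": sum(by_user.values()),
        "by_user": by_user,
        "by_ip": by_ip,
        "buckets": buckets,
    }


def root_password_login_permitted(sshd_config_text):
    """True only if sshd_config says 'PermitRootLogin yes'. As in sshd, the
    first occurrence of a directive wins; comments and blank lines are
    skipped. Assumption: no directive means the OpenSSH >= 7.0 default
    (prohibit-password), so password logins for root are refused. Match
    blocks are not handled here."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return False


if __name__ == "__main__":
    s = summarize_failures(SAMPLE_AUTH_LOG, LOCAL_USERS)
    print(f"{s['total']} failed password logins")
    print("by target user:", dict(s["by_user"]))
    print("by source IP:  ", dict(s["by_ip"]))
    print("buckets:       ", dict(s["buckets"]))
    weak = "PermitRootLogin yes\n"
    fixed = "PermitRootLogin no\n"
    print("root password login (weak config):", root_password_login_permitted(weak))
    print("root password login (fixed config):", root_password_login_permitted(fixed))
```

On a real host, feed `open("/var/log/auth.log").read()` to `summarize_failures` with the users from /etc/passwd that have a login shell, and `open("/etc/ssh/sshd_config").read()` to `root_password_login_permitted`. A nonzero `local_user` bucket is the part of the output that deserves attention; a large `root` bucket with the config check returning False is exactly the situation the answer describes as harmless.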