ssh login attempts still showing up even with password login disabled?



  • I switched all my servers to ssh publickey login and disabled password login about a week ago (root login IS still enabled). I also run Fail2ban and logwatch.

    Why are there still login attempts showing up in the logs? I admit the number of attempts is down to low double digits, but shouldn’t there basically be none? Are there bots actually trying to brute-force a key? That makes no sense. Or, my guess, do I have something configured incorrectly?

    Servers are Ubuntu 18.04 and Debian 10, both up to date.

    EDIT: For future reference, this question pertains more to the logging of login attempts than the security thereof.



  • It is very common to see login attempts in the logs. As long as you see the "publickey" message you are good to go.

    For example, have a look, I just tried on my AWS instance which only has pubkey auth:

    ➜  ~ ssh heysecuritystack@x
    heysecuritystack@x: Permission denied (publickey).
    

    And this is how it looked in my logs:

    Apr  8 07:37:25 ip-x sshd[128054]: Invalid user heysecuritystack from 192.168.2.2 port 43892
    Apr  8 07:37:25 ip-x sshd[128054]: Connection closed by invalid user heysecuritystack x port 43892 [preauth]
    

    PS: As a curious fact, I just had a look at the SSH logs and saw more than 20 login attempts in the last hour.
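
Added example, not part of the original posts: a small Python triage of sshd log lines that separates the pre-auth noise shown in the answer from lines that would not be expected on a publickey-only server. The sample log lines are constructed, and treating every password-method line as something to review is this example's assumption.

```python
import re
from collections import Counter

# sshd message formats, matched after the "sshd[pid]: " prefix; first match wins.
PATTERNS = [
    ("accepted_password",  re.compile(r"Accepted password for \S+ from \S+")),
    ("accepted_publickey", re.compile(r"Accepted publickey for \S+ from \S+")),
    ("failed_password",    re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")),
    ("invalid_user",       re.compile(r"Invalid user \S* from \S+")),
    ("preauth_close",      re.compile(r"(?:Connection closed|Disconnected).*\[preauth\]")),
]
# Assumption: with password login disabled these are not expected, so surface them.
REVIEW = {"accepted_password", "failed_password"}

# Constructed sample lines (documentation IP ranges, placeholder key fingerprint).
SAMPLE_LOG = """\
Apr  8 07:37:25 host sshd[1001]: Invalid user admin from 203.0.113.7 port 43892
Apr  8 07:37:25 host sshd[1001]: Connection closed by invalid user admin 203.0.113.7 port 43892 [preauth]
Apr  8 07:40:02 host sshd[1002]: Accepted publickey for deploy from 198.51.100.4 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED
Apr  8 07:41:10 host sshd[1003]: Failed password for root from 203.0.113.9 port 40110 ssh2
Apr  8 07:41:12 host sshd[1003]: Connection closed by authenticating user root 203.0.113.9 port 40110 [preauth]
Apr  8 07:42:00 host CRON[1004]: pam_unix(cron:session): session opened for user root
""".splitlines()

def triage(lines):
    """Return (count per category, sshd lines to review on a publickey-only host)."""
    counts, review = Counter(), []
    for line in lines:
        if "sshd[" not in line:          # skip other daemons' entries
            continue
        msg = line.split("]: ", 1)[-1]   # drop timestamp, host and pid
        for name, rx in PATTERNS:
            if rx.search(msg):
                counts[name] += 1
                if name in REVIEW:
                    review.append(line)
                break
        else:
            counts["other"] += 1
    return counts, review

if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    print(dict(counts))
    for line in review:
        print("REVIEW:", line)
```

If a line lands in the review list, `sshd -T` prints the effective server configuration, including the `passwordauthentication` setting.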

