When I run the ps aux command on my CentOS 7 machine, I see about 100 entries:
root 19862 0.0 0.0 151692 8 ? Ss Oct09 0:00 sshd: unknown [priv]
sshd 19864 0.0 0.0 105068 0 ? S Oct09 0:00 sshd: unknown [net]
I'd like to ask whether this is normal, or is my system under some kind of ssh brute force attack?
Thanks!
Best Answer
Yes, this is normal. sshd opens 2 new processes for each user currently trying to authenticate.
Yes, it very likely indicates someone attempting to authenticate to your server who was not meant to. If not, one look into your /var/log/auth.log should point you to the server in your network that has a deprecated cron script running.
Rule of thumb: If you are concerned that someone might break in, then the issue is not people trying to break in! Instead, ensure that nobody will ever succeed brute-forcing.
You can tune your sshd config in order to somewhat restrict how much system resources are spent dealing with these. But the defaults should be fine for any but the thinnest servers; it's really not that much of a problem.
You also can move your ssh to another port, which will greatly limit the number of people trying. I do not recommend doing that. It does not improve security and it makes things more complicated.
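An added example, not part of the original answer: a small triage script that counts the connections still authenticating (the `[net]` children from the question's ps output) and groups failed logins in the sshd log by source address. The sample data and the function names are constructed for illustration. On a real host, feed it `ps aux` output and the sshd auth log (the /var/log/auth.log named above; CentOS 7 writes sshd messages to /var/log/secure by default).

```python
import re
from collections import Counter

# Constructed sample data (not from the original post); IPs are documentation ranges.
SAMPLE_PS = """\
root     19862  0.0  0.0 151692     8 ?  Ss   Oct09   0:00 sshd: unknown [priv]
sshd     19864  0.0  0.0 105068     0 ?  S    Oct09   0:00 sshd: unknown [net]
root     20110  0.0  0.0 151692     8 ?  Ss   Oct09   0:00 sshd: root [priv]
sshd     20112  0.0  0.0 105068     0 ?  S    Oct09   0:00 sshd: root [net]
root      1021  0.0  0.1 112900  4300 ?  Ss   Oct01   0:02 /usr/sbin/sshd -D
"""
SAMPLE_LOG = """\
Oct  9 10:01:02 host sshd[19862]: Invalid user admin from 203.0.113.5 port 51234
Oct  9 10:01:04 host sshd[19862]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  9 10:01:09 host sshd[20110]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct  9 10:02:11 host sshd[20140]: Failed password for root from 198.51.100.9 port 40100 ssh2
Oct  9 10:03:00 host sshd[20200]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
"""

# One unprivileged "[net]" child exists per connection that has not finished authenticating.
PREAUTH = re.compile(r"sshd: (\S+) \[net\]\s*$")
# Matches "Failed password for root from ..." and "Failed password for invalid user x from ...".
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for (invalid user )?(\S+) from (\S+) port \d+")

def preauth_sessions(ps_text):
    """Usernames of connections still authenticating (one [net] child each)."""
    return [m.group(1) for line in ps_text.splitlines()
            if (m := PREAUTH.search(line))]

def failures_by_source(log_text):
    """Map source address -> (failed attempts, set of usernames tried), busiest first."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(3)] += 1
            users.setdefault(m.group(3), set()).add(m.group(2))
    return {ip: (n, users[ip]) for ip, n in counts.most_common()}

if __name__ == "__main__":
    print("in-flight authentications:", preauth_sessions(SAMPLE_PS))
    for ip, (n, tried) in failures_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed, users tried: {sorted(tried)}")
```

Many failures from one address against several usernames points to password guessing; a single internal address failing on one account at regular intervals fits the misconfigured cron script the answer mentions.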