SSH – Difference Between “Connection Closed” and “Disconnected From” in SSHD Log File

brute-force-attacks, hacking, Security, ssh

The sshd service on my Ubuntu server is under constant attack from various IPs and user IDs.

According to the /var/log/auth.log file, there are three different types of failures from unknown IDs and IP addresses:

  • Disconnected from invalid user...
  • Connection closed by invalid user...
  • Connection closed by xxx.xxx.xxx.xxx

What is the difference among the three? Do any of these suggest a successful (unauthorized) login, especially the last one?

I'm assuming all of these are failed attempts, on the basis that I've configured the SSH server to require a public key from non-LAN IPs and restricted login to only one, non-root, user ID.

But, in truth, I don't know how to verify that these security precautions are set properly, whether my public key has been compromised, or whether my server's password auth mechanism has been compromised. So I can't say for sure that these are all failed attempts.

I tried to use fail2ban to block repeat attacks from certain IPs, but this was a major fail. First, no sooner than 24 hours later, the attacker(s) switched to rotating through hundreds of unique IP addresses. Second (and more worryingly), fail2ban doesn't seem to acknowledge the repeat attempts that result in Connection closed by xxx.xxx.xxx.xxx.

Best Answer

The messages:

Disconnected from invalid user
Connection closed by invalid user

both indicate a failed login attempt with a username that doesn't exist on your server. The difference is just an insignificant detail in the way the connection was torn down.

A failed attempt with an existing username would instead be logged as:

Connection closed by authenticating user

A successful login would be logged as:

Accepted publickey for

The message:

Connection closed by <ipaddress>

(without any mention of a user) indicates a connection to your server's ssh port where no attempt was made to authenticate, i.e. to actually log in. These are usually scans to collect open ssh ports and the ssh server version they are using, in order to find servers with known vulnerabilities. Since repeating such an attempt doesn't increase the risk, it doesn't make much sense for fail2ban to block them.
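To make the distinction above concrete, here is an added example (not part of the original question or answer, and not fail2ban's own filter) that classifies sshd lines from auth.log into the four families the answer describes, counts only real authentication failures per source IP, and flags any accepted login that breaks the asker's stated policy (one allowed user, public key required from outside the LAN). The log lines, hostnames, addresses and the `ALLOWED_USERS`/`LAN` values are constructed for the demonstration; the message wording follows current OpenSSH, older versions phrase some of these lines differently.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (syslog format, OpenSSH wording).
# Timestamps, host and PIDs are made up; 203.0.113.0/24 is a documentation range
# and 192.168.1.0/24 stands in for the LAN.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Disconnected from invalid user admin 203.0.113.5 port 41234 [preauth]
Mar  3 10:01:05 host sshd[1203]: Connection closed by invalid user oracle 203.0.113.5 port 41240 [preauth]
Mar  3 10:02:10 host sshd[1210]: Connection closed by authenticating user root 203.0.113.6 port 5555 [preauth]
Mar  3 10:02:12 host sshd[1212]: Connection closed by 203.0.113.7 port 33333 [preauth]
Mar  3 10:02:13 host sshd[1213]: Connection closed by 203.0.113.7 port 33334 [preauth]
Mar  3 10:03:00 host sshd[1220]: Accepted publickey for alice from 192.168.1.10 port 51234 ssh2: ED25519 SHA256:abc
Mar  3 10:04:00 host sshd[1225]: Accepted password for bob from 203.0.113.9 port 4444 ssh2
"""

# Assumed policy for the demonstration: the one permitted account and the LAN range.
ALLOWED_USERS = {"alice"}
LAN = ipaddress.ip_network("192.168.1.0/24")

# One regex per message family, tried in order. The bare "Connection closed by <ip>"
# form is last so it cannot be confused with the "invalid user"/"authenticating user" forms.
PATTERNS = [
    ("accepted",     re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("invalid_user", re.compile(r"(?:Disconnected from|Connection closed by) invalid user (?P<user>\S+) (?P<ip>\S+) port \d+")),
    ("auth_failed",  re.compile(r"(?:Disconnected from|Connection closed by) authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+")),
    ("preauth_scan", re.compile(r"Connection closed by (?P<ip>\S+) port \d+")),
]


def classify(line):
    """Return {'kind', 'ip', 'user', 'method'} for a recognised sshd line, else None."""
    if "sshd[" not in line:
        return None
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            d = m.groupdict()
            return {"kind": kind, "ip": d["ip"], "user": d.get("user"), "method": d.get("method")}
    return None


def parse_log(text):
    """Classify every line; unrecognised lines are dropped."""
    return [e for e in (classify(l) for l in text.splitlines()) if e]


def ban_candidates(events, threshold):
    """Source IPs with at least `threshold` real authentication failures.
    Pre-auth scans are deliberately not counted: nobody tried to log in,
    so repeating them does not raise the risk (the point made in the answer)."""
    fails = Counter(e["ip"] for e in events if e["kind"] in ("invalid_user", "auth_failed"))
    return {ip for ip, n in fails.items() if n >= threshold}


def unexpected_logins(events, allowed_users, lan):
    """Accepted logins that break the intended policy: an account outside the
    allow-list, or any method other than publickey from an address outside the LAN."""
    bad = []
    for e in events:
        if e["kind"] != "accepted":
            continue
        from_lan = ipaddress.ip_address(e["ip"]) in lan
        if e["user"] not in allowed_users or (e["method"] != "publickey" and not from_lan):
            bad.append(e)
    return bad


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for kind, n in sorted(Counter(e["kind"] for e in events).items()):
        print(f"{kind:13s} {n}")
    print("ban candidates (>=2 failures):", ban_candidates(events, 2))
    for e in unexpected_logins(events, ALLOWED_USERS, LAN):
        print("UNEXPECTED LOGIN:", e)
```

Run against a real file with `parse_log(open("/var/log/auth.log").read())`. In the constructed sample, 203.0.113.7 produces two bare "Connection closed by" lines and is correctly left out of the ban set, while 203.0.113.5 is listed after two invalid-user attempts; the "Accepted password for bob" line is reported because bob is not the allowed account and password auth arrived from outside the LAN, which is exactly the kind of line the asker should grep for to confirm nothing has slipped through.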
