
I am using Amazon EC2 and I have public key encryption.

I was checking the /var/log/secure file and I get this:

Jul 17 21:14:18 server sshd[26590]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:18 server sshd[26591]: input_userauth_request: invalid user net
Jul 17 21:14:18 server sshd[26591]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:22 server sshd[26592]: Invalid user internet from 195.189.62.29
Jul 17 21:14:22 server sshd[26592]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:22 server sshd[26593]: input_userauth_request: invalid user internet
Jul 17 21:14:22 server sshd[26593]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:25 server sshd[26594]: Invalid user cafe from 195.189.62.29
Jul 17 21:14:25 server sshd[26594]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:25 server sshd[26595]: input_userauth_request: invalid user cafe
Jul 17 21:14:25 server sshd[26595]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:28 server sshd[26596]: Invalid user station from 195.189.62.29
Jul 17 21:14:28 server sshd[26596]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:28 server sshd[26597]: input_userauth_request: invalid user station
Jul 17 21:14:29 server sshd[26597]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:32 server sshd[26598]: Invalid user play from 195.189.62.29
Jul 17 21:14:32 server sshd[26598]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:32 server sshd[26599]: input_userauth_request: invalid user play
Jul 17 21:14:32 server sshd[26599]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:33 server sshd[26603]: Connection closed by 127.0.0.1
Jul 17 21:14:35 server sshd[26604]: Invalid user open from 195.189.62.29
Jul 17 21:14:35 server sshd[26604]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:35 server sshd[26605]: input_userauth_request: invalid user open
Jul 17 21:14:36 server sshd[26605]: Received disconnect from 195.189.62.29: 11: Bye Bye
Jul 17 21:14:39 server sshd[26607]: Invalid user dulap from 195.189.62.29
Jul 17 21:14:39 server sshd[26607]: Excess permission or bad ownership on file /var/log/btmp

I just want to know how I got those requests, because I am using public key logins.

Are these attempts from inside my server or from an external network, and on which port?

MOtaro Site

1 Answer


They are login attempts from Ukraine. Just because you have a public key doesn't mean that people can't try to log in; they can try and fail just fine. Assuming you don't accept passwords, the public/private key just makes it harder to crack. If you want to avoid the log spam of bots hammering away at your server all day/night, move SSH to a non-standard port (such as 8022 or 28022) and you will see far fewer automated login attempts. Also, I would check the permissions on your btmp file; they appear to be incorrect.

/var/log/btmp should be owned by the root user and have permission 600, so `chown root:utmp /var/log/btmp && chmod 600 /var/log/btmp` should fix that. And yes, it isn't meant to be read by vi; you can use the `last` command, e.g. `last -f /var/log/btmp`, to read it.

As for changing the SSH port from 22, you need to edit /etc/ssh/sshd_config and add a line such as `Port 8022` to it, commenting out a `Port 22` line if it exists, then restart SSH. Also make sure that, if you are using a firewall, you allow the new port before disconnecting so you don't lock yourself out.

Doon
  • What should the permissions be? I tried opening it with vim and it showed some garbage characters. Also, how can I move SSH to another port number? – MOtaro Site Jul 19 '13 at 03:07
  • I'll edit my answer... – Doon Jul 19 '13 at 03:21
  • Thanks for that. I read the file; it contains a bunch of usernames. What are they? Also, I have no iptables and I am only using the Amazon firewall, and I allowed the ports in there. When I tried connecting via PuTTY I get connection refused. I also checked `netstat -tlnp` and it's listening on that port. Is there any other place where I need to change the port number for Amazon EC2? – MOtaro Site Jul 19 '13 at 03:31
  • Welcome to a server on the internet. There are lots of bots out there that scan the net looking for port 22, and when they find one, try tons of random username/password combos looking for weak passwords. Once you edit the sshd_config and restart SSH it should be listening on that port; `netstat -an | grep 8022` should show it. I don't really know EC2, as I have my own servers, but in their firewall you would need to allow inbound 8022, assuming you used that port. – Doon Jul 19 '13 at 03:36
  • I have added that port in that firewall. Is there any log where I can see why something is blocked, so that I can see if it's on my server or on Amazon's side? – MOtaro Site Jul 19 '13 at 03:41
  • And you are setting the port in PuTTY as well? Did you enable the CentOS firewall when you installed the OS? Check here http://wiki.centos.org/HowTos/Network/IPTables for more info. – Doon Jul 19 '13 at 03:46
  • I have changed the port in PuTTY. In my `iptables -L` I get an empty list. Is that OK, or do I have to explicitly allow all? Do I need to delete the known_hosts file? – MOtaro Site Jul 19 '13 at 04:16
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/9713/discussion-between-doon-and-motaro-site) – Doon Jul 19 '13 at 11:15
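The points raised in the question and the answer above (where the "Invalid user" lines come from, why sshd complains about /var/log/btmp, and checking which port sshd is configured to listen on) pulled together into one shell script. This is an added example and is not code from the question or from Doon's answer. The sample log is constructed from the question's lines plus one made-up extra source address (10.0.0.5) so the summary has more than one row; the script assumes a Linux host with GNU coreutils (`stat -c`) and awk/sort/uniq available, and the ownership/mode rule it checks (owner root, no group or other permission bits) is the condition behind the "Excess permission or bad ownership" message, which is why the answer's `chmod 600` clears it.

```shell
#!/bin/sh
# Added example; not code from the question or the answer.
# Assumes Linux with GNU coreutils (stat -c) and awk/sort/uniq in PATH.

# Constructed sample of /var/log/secure lines: the question's format, with one
# extra made-up source (10.0.0.5) so the per-address summary has two rows.
SAMPLE_LOG='Jul 17 21:14:22 server sshd[26592]: Invalid user internet from 195.189.62.29
Jul 17 21:14:22 server sshd[26592]: Excess permission or bad ownership on file /var/log/btmp
Jul 17 21:14:25 server sshd[26594]: Invalid user cafe from 195.189.62.29
Jul 17 21:14:28 server sshd[26596]: Invalid user station from 195.189.62.29
Jul 17 21:14:33 server sshd[26603]: Connection closed by 127.0.0.1
Jul 17 21:14:35 server sshd[26604]: Invalid user open from 195.189.62.29
Jul 17 21:14:40 server sshd[26610]: Invalid user admin from 10.0.0.5'

# "Invalid user NAME from ADDR": count attempts per source address, busiest
# first. Any address other than 127.0.0.1 arrived over the network, which is
# how you tell "inside my server" from "external" for these lines.
invalid_user_counts() {
    printf '%s\n' "$1" \
        | awk '/sshd\[[0-9]+\]: Invalid user / { print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Distinct usernames the bot guessed, sorted. These are the "bunch of
# usernames" that show up when btmp is dumped with last -f.
invalid_usernames() {
    printf '%s\n' "$1" \
        | awk '/sshd\[[0-9]+\]: Invalid user / { print $(NF-2) }' \
        | sort -u
}

# sshd only writes btmp when it is owned by root and has no group/other
# permission bits; otherwise it logs "Excess permission or bad ownership".
# Takes the owner name and octal mode so the rule can be checked without
# touching the real file.
perms_expected() {
    [ "$1" = "root" ] || return 1
    case "$2" in
        *00) return 0 ;;   # e.g. 600 or 400: no group/other bits set
        *)   return 1 ;;
    esac
}

# Apply the rule to a real file (GNU stat). Returns 2 if the file can't be stat'ed.
btmp_perms_ok() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 2
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    perms_expected "$owner" "$mode"
}

# Effective "Port" values in an sshd_config (commented lines are ignored).
# Prints 22 when the file sets none, since that is sshd's default.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1" 2>/dev/null || true)
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

echo "== attempts per source address =="
invalid_user_counts "$SAMPLE_LOG"
echo "== usernames tried =="
invalid_usernames "$SAMPLE_LOG"
if [ -e /var/log/btmp ]; then
    if btmp_perms_ok /var/log/btmp; then
        echo "/var/log/btmp: ownership and mode are what sshd expects"
    else
        echo "/var/log/btmp: fix with: chown root:utmp /var/log/btmp && chmod 600 /var/log/btmp"
    fi
fi
if [ -r /etc/ssh/sshd_config ]; then
    echo "sshd configured port(s): $(sshd_ports /etc/ssh/sshd_config | tr '\n' ' ')"
fi
```

Run it as root on the instance to have the btmp and sshd_config checks act on the real files; as a normal user the two functions still work on any file you point them at. Note that `sshd_ports` reads the configuration, not the running daemon, so after editing sshd_config the answer's `netstat` check is still the one that confirms the restart took effect.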