I hope this is the right sub! Maybe I should be looking for a sub focusing on security...?
I've been tweaking my firewalld/fail2ban/ssh setup on my Linode running CentOS 7, trying to maximize security and keep all those dumb brute-force attacks from cluttering up my logs.
I understand I probably don't have anything to worry about, with most ports blocked and requiring key-based ssh login only and whatever else I did... But I went ahead and also added an AllowUsers line to my sshd config.
Which has resulted in some confusion for me when I'm reading /var/log/secure.
Here's an excerpt:
Nov 6 12:26:58 mail sshd[19424]: User root from mail.eigbattery.com not allowed because not listed in AllowUsers
Nov 6 12:26:58 mail sshd[19424]: input_userauth_request: invalid user root [preauth]
Nov 6 12:26:58 mail sshd[19424]: Connection closed by 123.141.29.11 [preauth]
Nov 6 12:36:25 mail sshd[19436]: Invalid user nmis from 123.141.29.11
Nov 6 12:36:25 mail sshd[19436]: input_userauth_request: invalid user nmis [preauth]
Nov 6 12:36:25 mail sshd[19436]: Connection closed by 123.141.29.11 [preauth]
So, people keep trying to connect with various users that are not listed in AllowUsers. Every now and then I get the "...not listed in AllowUsers" line in my log, but then these IPs keep reconnecting and trying other, also invalid, user names without that message showing up.
Why? Is there a difference in what that IP is doing? Any quick insight would be much appreciated!
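The following is an added example, not part of the original post or its comments. The two messages in the excerpt come from two different sshd checks: "Invalid user X from IP" is logged when the username has no local account at all (sshd's getpwnam lookup fails before AllowUsers is ever consulted), while "User X from HOST not allowed because not listed in AllowUsers" is logged only when the account exists (root does, nmis does not) but is excluded by AllowUsers. Both are failed pre-auth attempts from the same source, but the AllowUsers line carries the client's reverse-DNS name rather than its IP, so a log parser or fail2ban-style filter that keys on IP has to correlate it with the "Connection closed by IP [preauth]" line sharing the same sshd PID. The script below does that over the excerpt (embedded as constructed sample input); the regexes assume the CentOS 7 / OpenSSH log format shown in the post, and the field and reason names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the excerpt from the post, one message per line.
SAMPLE_LOG = """\
Nov 6 12:26:58 mail sshd[19424]: User root from mail.eigbattery.com not allowed because not listed in AllowUsers
Nov 6 12:26:58 mail sshd[19424]: input_userauth_request: invalid user root [preauth]
Nov 6 12:26:58 mail sshd[19424]: Connection closed by 123.141.29.11 [preauth]
Nov 6 12:36:25 mail sshd[19436]: Invalid user nmis from 123.141.29.11
Nov 6 12:36:25 mail sshd[19436]: input_userauth_request: invalid user nmis [preauth]
Nov 6 12:36:25 mail sshd[19436]: Connection closed by 123.141.29.11 [preauth]
"""

# Syslog prefix as written by CentOS 7 rsyslog: "Mon  D HH:MM:SS host sshd[pid]: "
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "

# Username has no local account; sshd logs the client IP directly.
RE_INVALID = re.compile(PREFIX + r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")
# Account exists but is blocked by AllowUsers; sshd logs the client *hostname*.
RE_ALLOWUSERS = re.compile(
    PREFIX + r"User (?P<user>\S+) from (?P<host>\S+) not allowed because not listed in AllowUsers")
# Pre-auth disconnect; the only line in the AllowUsers case that carries the IP.
RE_CLOSED = re.compile(PREFIX + r"Connection closed by (?P<ip>\S+) \[preauth\]")


def parse_events(log_text):
    """Return one event dict per rejected login attempt.

    Each event has 'pid', 'user', 'reason' ('no_such_account' or
    'denied_by_allowusers') and 'ip'. For AllowUsers rejections the IP is
    filled in from the later 'Connection closed by' line with the same PID.
    """
    events = []
    pending = {}  # pid -> AllowUsers event still waiting for its IP
    for line in log_text.splitlines():
        m = RE_INVALID.match(line)
        if m:
            events.append({"pid": m["pid"], "user": m["user"],
                           "ip": m["ip"], "reason": "no_such_account"})
            continue
        m = RE_ALLOWUSERS.match(line)
        if m:
            ev = {"pid": m["pid"], "user": m["user"], "ip": None,
                  "host": m["host"], "reason": "denied_by_allowusers"}
            events.append(ev)
            pending[m["pid"]] = ev
            continue
        m = RE_CLOSED.match(line)
        if m and m["pid"] in pending:
            pending.pop(m["pid"])["ip"] = m["ip"]
    return events


def failures_by_ip(events):
    """Tally rejection reasons per source IP (falls back to hostname if
    no 'Connection closed by' line was seen for an AllowUsers event)."""
    tally = defaultdict(lambda: defaultdict(int))
    for ev in events:
        source = ev["ip"] or ev.get("host")
        tally[source][ev["reason"]] += 1
    return {src: dict(counts) for src, counts in tally.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(f"pid={ev['pid']} user={ev['user']:<6} ip={ev['ip']} reason={ev['reason']}")
    print(failures_by_ip(evs))
```

Run against the excerpt, both attempts resolve to 123.141.29.11: one rejected by AllowUsers (root exists), one rejected earlier because nmis is not a local account. A fail2ban filter that only matches "Invalid user" will therefore never count the attempts against existing-but-disallowed accounts; matching the AllowUsers line as well requires the same PID correlation, since that line itself does not contain the IP.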