# mail at root accout / invalid user(under attack?)



## OrTigaS (Feb 6, 2014)

Hi!
   I have a question, I hope this is the right place to post.
I have this test PC for about 5 days I do test/installing/configuring and when I login as root just today here I have 5 new mail. Now, I read it and I came along this messages hundreds of them.-->> 

```
"Feb 5 (time) www sshd[lookslikesportnumber]: Invalid user (user) from (lookslikeIPnumber)"
"Feb 5 (time) www sshd[3321]: input_userauth_request: invalid user (user) [preauth]"
"Feb 5 (time) www sshd[3333]: Bad Protocol version identification " from (lookslikeIPnumber)"
'GET http://www.taobao.com / HTTP/1.1' from (lookslikeIPnumber)"
"Disconnecting Too many Authentication failures for root [preauth]
```
 
The [lookslikeportnumber] is a 4 digit number, and the lookslikeIPnumber is like this one 211.60.184.138, 217.171.2.36, 82.208.124.129.

Is my box under attack?

Thanks and regards,
OrTigaS


----------



## worldi (Feb 6, 2014)

OrTigaS said:
			
		

> Is my box under attack?



Yes, of course. Anything connected to the Internet is under constant attack.

There are several things you can do to lessen the risk of getting owned:

 Make sure you use public key authentication for SSH (instead of password authentication).
 Change the SSH server's port number. These login attempts are from botnets and they only check 22/TCP for SSH. Moving to another port is the most elegant way to avoid them.


----------



## nanotek (Feb 6, 2014)

OrTigaS said:
			
		

> Hi!
> 
> [...]
> 
> ...



Hi, @OrTigaS. What you're experiencing is a run-of-the-mill brute-force attack on your open SSH port. It's very common. Here are some simple and effective measures you can take to improve your security and reduce the deluge of unauthorized access attempts.


----------



## SirDice (Feb 6, 2014)

OrTigaS said:
			
		

> ```
> "Feb 5 (time) www sshd[lookslikesportnumber]: Invalid user (user) from (lookslikeIPnumber)"
> "Feb 5 (time) www sshd[3321]: input_userauth_request: invalid user (user) [preauth]"
> "Feb 5 (time) www sshd[3333]: Bad Protocol version identification " from (lookslikeIPnumber)"
> ```


Standard SSH brute-force attempts. 



> ```
> 'GET http://www.taobao.com / HTTP/1.1' from (lookslikeIPnumber)"
> ```


Standard test to see if your web server is configured as a proxy. If it's configured as a proxy they'll abuse it to attack other systems. 

As said by others, everything you connect to the internet will get attacked. It's a fact of (internet) life nowadays, unfortunately.


----------

