Is this server hacked or just login attempts ? See log

Solution 1:

lastb only shows login failures. Use last to see successful logins.

Solution 2:

It shows people trying to upload or download content. The "notty" part means no tty (where tty is short for teletype) which these days means no monitor or gui, and the ssh indicates port 22, which taken together mean something like scp or rsync.

So not hacking or login attempts, but wrong or mistyped passwords. It might be some content was located via google, but required a password which someone tried to guess.

Actually, on reflection, the above is not right. They could be failed login attempts via ssh, as the questioner suspected; and (as I missed first time) they are at regular 21 or 22 minute intervals which suggests a degree of automation, but lastb shows failures by definition, so these results would need to be compared against last to see if any were successful.

---

Solution 3:

Close port 22. Configure your sshd to listen on a different port, and install and run denyhosts.

---

Solution 4:

Why dont use last ?? Please use the 'last' command, and look for ips from china or outside usa.

Also... man is your friend man lasttb

Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.

---

Solution 5:

Yes those appear to be login attempts as the same IP used multiple usernames to attempt entry. Most likely a Brute Force attack.

To resolve this:

Install Fail2Ban and block failed login attempts with a -1 this makes their ban permanent.

Add a jail file to protect SSH. Create a new file with the Nano editor or vi , vim

nano /etc/fail2ban/jail.d/sshd.local

To the above file, add the following lines of code.

[sshd]

enabled = true

port = ssh

"#"action = firewallcmd-ipset

logpath = %(sshd_log)s

maxretry = 5

bantime = -1