Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Unknown SSH Log Response

Discussion in 'Security' started by Matthew Thurner, Apr 5, 2019.

  1. Matthew Thurner

    Matthew Thurner Member

    Joined:
    Sep 11, 2018
    Messages:
    10
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Fort Worth
    cPanel Access Level:
    Root Administrator
    I've never see a response like this when restarting SSH service. This is a new installation and I am the only 'user' on the system. I have not generated any SSH keys and am worried about if this means someone was connected to ssh, usually I get an IP address and (preauth) in the log this is new to me here.

    Waiting for “sshd” to restart ………waiting for “sshd” to initialize ………finished.

    Service Status
    sshd (sshd: root [priv]) is running as root with PID 20908 (systemd+/proc check method).
    sshd (sshd: root [net]) is running as sshd with PID 20909 (systemd+/proc check method).
    sshd (/usr/sbin/sshd -D) is running as root with PID 20961 (systemd+/proc check method).

    Startup Log
    Apr 06 02:41:50 jbm systemd[1]: Starting OpenSSH server daemon...
    Apr 06 02:41:50 jbm sshd[20961]: Server listening on 0.0.0.0 port 22.
    Apr 06 02:41:50 jbm sshd[20961]: Server listening on :: port 22.
    Apr 06 02:41:50 jbm systemd[1]: Started OpenSSH server daemon.
    Apr 06 02:41:50 jbm sshd[20908]: Failed password for root from 218.92.0.184 port 24620 ssh2

    Log Messages
    Apr 6 02:41:50 jbm sshd[20908]: Failed password for root from 218.92.0.184 port 24620 ssh2
    Apr 6 02:41:50 jbm sshd[20961]: Server listening on :: port 22.
    Apr 6 02:41:50 jbm sshd[20961]: Server listening on 0.0.0.0 port 22.
    Apr 6 02:41:49 jbm sshd[19799]: Received signal 15; terminating.
    Apr 6 02:41:48 jbm sshd[20908]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
     
  2. dalem

    dalem Well-Known Member PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,909
    Likes Received:
    127
    Trophy Points:
    368
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    It just means some one was brute forcing your SSH at the time you restarted your SSH server "unsuccessfully "

    Last root form cli will tell you who logged in last
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    As indicated by @dalem this isn't significant it's really just timing
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice