Hello,

I've already written about this in the past but then I never took any countermeasures or direct action.

Today I was monitoring my Tumbleweed /var/log/messages and I noticed some weird messages (below I copy the latest 30 lines of the system log):

marco@linux-turion64:~> sudo cat /var/log/messages|grep ssh|tail -30
2015-12-04T16:32:05.622900-02:00 linux-turion64 kernel: [29046.711474] audit: type=2404 audit(1449253925.616:316): pid=15120 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15120 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444307-02:00 linux-turion64 kernel: [29505.239471] audit: type=2404 audit(1449254384.385:325): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444328-02:00 linux-turion64 kernel: [29505.239612] audit: type=2404 audit(1449254384.385:326): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444331-02:00 linux-turion64 kernel: [29505.239860] audit: type=2404 audit(1449254384.385:327): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.444333-02:00 linux-turion64 kernel: [29505.239942] audit: type=2404 audit(1449254384.385:328): pid=15291 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15291 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.778846-02:00 linux-turion64 kernel: [29505.628145] audit: type=2407 audit(1449254384.773:329): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:44.778864-02:00 linux-turion64 kernel: [29505.628238] audit: type=2407 audit(1449254384.773:330): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:46.898850-02:00 linux-turion64 kernel: [29507.746109] audit: type=1112 audit(1449254386.893:331): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:39:48.470863-02:00 linux-turion64 kernel: [29509.317652] audit: type=2404 audit(1449254388.465:332): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=15291 suid=495 rport=33796 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:39:48.470888-02:00 linux-turion64 kernel: [29509.318201] audit: type=1109 audit(1449254388.465:333): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=178.136.234.6 addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:39:48.470892-02:00 linux-turion64 kernel: [29509.318956] audit: type=2404 audit(1449254388.465:334): pid=15289 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15289 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406074-02:00 linux-turion64 kernel: [29971.965632] audit: type=2404 audit(1449254851.354:339): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406077-02:00 linux-turion64 kernel: [29971.965755] audit: type=2404 audit(1449254851.354:340): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406078-02:00 linux-turion64 kernel: [29971.965941] audit: type=2404 audit(1449254851.354:341): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.406079-02:00 linux-turion64 kernel: [29971.966014] audit: type=2404 audit(1449254851.354:342): pid=15409 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15409 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.750842-02:00 linux-turion64 kernel: [29972.354421] audit: type=2407 audit(1449254851.742:343): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:31.750857-02:00 linux-turion64 kernel: [29972.354575] audit: type=2407 audit(1449254851.742:344): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:33.906848-02:00 linux-turion64 kernel: [29974.511547] audit: type=1112 audit(1449254853.898:345): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:47:37.122861-02:00 linux-turion64 kernel: [29977.723799] audit: type=2404 audit(1449254857.115:346): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=15409 suid=495 rport=33936 laddr=192.168.1.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122890-02:00 linux-turion64 kernel: [29977.724448] audit: type=1109 audit(1449254857.115:347): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=178.136.234.6 addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:47:37.122893-02:00 linux-turion64 kernel: [29977.725374] audit: type=2404 audit(1449254857.115:348): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122895-02:00 linux-turion64 kernel: [29977.725469] audit: type=2404 audit(1449254857.115:349): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122896-02:00 linux-turion64 kernel: [29977.725638] audit: type=2404 audit(1449254857.115:350): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122900-02:00 linux-turion64 kernel: [29977.725742] audit: type=2404 audit(1449254857.115:351): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=15408 suid=0 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=? res=success'
2015-12-04T16:47:37.122918-02:00 linux-turion64 kernel: [29977.725819] audit: type=1112 audit(1449254857.115:352): pid=15408 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=178.136.234.6 terminal=ssh res=failed'
2015-12-04T16:51:01.038849-02:00 linux-turion64 kernel: [30181.532983] audit: type=2404 audit(1449255061.033:363): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=ec:a9:63:90:61:bf:ea:53:d3:1b:fa:c3:38:da:ff:cc [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.058828-02:00 linux-turion64 kernel: [30181.554578] audit: type=2404 audit(1449255061.053:364): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=0a:64:ea:50:7e:05:1a:ef:84:c0:5e:fa:1c:82:cb:5e [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.062822-02:00 linux-turion64 kernel: [30181.558494] audit: type=2404 audit(1449255061.057:365): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=31:8f:10:b4:18:ea:de:ca:d7:b3:3f:1f:1d:51:92:32 [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:01.062835-02:00 linux-turion64 kernel: [30181.558564] audit: type=2404 audit(1449255061.057:366): pid=1177 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=f5:ea:4f:cc:e0:1e:8c:5a:6b:f9:3f:14:36:09:12:d7 [MD5] direction=? spid=1177 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
2015-12-04T16:51:06.526880-02:00 linux-turion64 kernel: [30187.019255] audit: type=1131 audit(1449255066.521:367): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success

Then I checked the status of the sshd daemon and I found this:

sudo rcsshd status
root's password:
● sshd.service - OpenSSH Daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2015-12-04 08:28:12 BRST; 8h ago
  Process: 1084 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
 Main PID: 1177 (sshd)
   CGroup: /system.slice/sshd.service
           └─1177 /usr/sbin/sshd -D

Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: error: PAM: User not known to the underlying authentication module for illegal user admin from 46.172.71.249
Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: Failed keyboard-interactive/pam for invalid user admin from 46.172.71.249 port 46183 ssh2
Dec 04 12:59:06 linux-turion64.ddns.net sshd[12791]: error: Received disconnect from 46.172.71.249: 14: Unable to connect using the available authentication methods [preauth]
Dec 04 16:32:05 linux-turion64.ddns.net sshd[15120]: Connection closed by 178.136.234.6 [preauth]
Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: Invalid user admin from 178.136.234.6
Dec 04 16:39:46 linux-turion64.ddns.net sshd[15289]: input_userauth_request: invalid user admin [preauth]
Dec 04 16:39:48 linux-turion64.ddns.net sshd[15289]: Connection closed by 178.136.234.6 [preauth]
Dec 04 16:47:33 linux-turion64.ddns.net sshd[15408]: Invalid user ubnt from 178.136.234.6
Dec 04 16:47:33 linux-turion64.ddns.net sshd[15408]: input_userauth_request: invalid user ubnt [preauth]
Dec 04 16:47:37 linux-turion64.ddns.net sshd[15408]: Connection closed by 178.136.234.6 [preauth]

Hence I temporarily disabled sshd.

Does anybody see something familiar and dangerous in these messages?

Many thanks.

Cheers,
--
Marco Calistri
opensuse Tumbleweed 64 bit - Kernel 4.3.0-2-default
Gnome 3.18
Intel® Core™ i5-2410M CPU @ 2.30GHz × 4 - Intel® Sandybridge Mobile
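
Added example, not part of the original post: the `acct=` values in the `type=1112` records above are hex-encoded by the audit subsystem, and this Python example decodes them and counts failed sshd logins per source address. The sample records are constructed in the same layout with a documentation address (203.0.113.7), and the function names are this example's own.

```python
import re
from collections import Counter

# Audit record types seen in the log above (names from the Linux audit headers).
AUDIT_TYPES = {1109: "USER_ERR", 1112: "USER_LOGIN", 1131: "SERVICE_STOP",
               2404: "CRYPTO_KEY_USER", 2407: "CRYPTO_SESSION"}
RECORD = re.compile(r"audit: type=(\d+) audit\([\d.]+:(\d+)\):.*?msg='(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records; only the two acct values are taken from the post.
SAMPLE = """
kernel: [1.0] audit: type=2407 audit(1449254384.773:329): pid=100 uid=0 msg='op=start direction=from-client cipher=aes128-ctr exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=? res=success'
kernel: [2.0] audit: type=1112 audit(1449254386.893:331): pid=100 uid=0 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
kernel: [3.0] audit: type=1109 audit(1449254388.465:333): pid=100 uid=0 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
kernel: [4.0] audit: type=1112 audit(1449254857.115:352): pid=101 uid=0 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
""".strip().splitlines()


def decode_acct(value):
    """Quoted values are literal; unquoted hex is an encoded untrusted string."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse(line):
    """Return one audit record as a dict, or None for non-audit lines."""
    m = RECORD.search(line)
    if m is None:
        return None
    raw = dict(FIELD.findall(m.group(3).rstrip("'")))
    rec = {k: v.strip('"') for k, v in raw.items()}
    if "acct" in raw:
        rec["acct"] = decode_acct(raw["acct"])
    rec["type"] = AUDIT_TYPES.get(int(m.group(1)), m.group(1))
    rec["serial"] = int(m.group(2))
    return rec


def failed_logins(lines):
    """Count failed USER_LOGIN records per (source address, decoded account)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "failed":
            hits[(rec.get("addr", "?"), rec["acct"])] += 1
    return hits


if __name__ == "__main__":
    for (addr, acct), n in failed_logins(SAMPLE).items():
        print(f"{addr}  {acct!r}  failed logins: {n}")
```

The decoded values are placeholders sshd records for accounts that do not exist; the attempted names (`admin`, `ubnt`) appear only in the sshd journal lines.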