Sshd reporting frequent connection attempts

The system logs show frequent ssh connection attempts for the past few months. Is there anything to be concerned about? And can anything be done to limit this?


Oct 14 11:53:40 [HOSTNAME] systemd[1]: Starting sshd.service - OpenSSH server daemon...
Oct 14 11:53:40 [HOSTNAME] sshd[1844]: Server listening on port [SSHD_PORT].
Oct 14 11:53:40 [HOSTNAME] sshd[1844]: Server listening on :: port [SSHD_PORT].
Oct 14 11:53:40 [HOSTNAME] sshd[1844]: error: Bind to port [SSHD_PORT] on failed: Address already in use.
Oct 14 11:53:40 [HOSTNAME] sshd[1844]: error: Bind to port [SSHD_PORT] on :: failed: Address already in use.
Oct 14 11:53:40 [HOSTNAME] systemd[1]: Started sshd.service - OpenSSH server daemon.
Oct 14 11:56:33 [HOSTNAME] sshd[9961]: Invalid user maven from port 4413
Oct 14 11:56:33 [HOSTNAME] sshd[9961]: Received disconnect from port 4413:11: Bye Bye [preauth]
Oct 14 11:56:33 [HOSTNAME] sshd[9961]: Disconnected from invalid user maven port 4413 [preauth]
Oct 14 12:00:46 [HOSTNAME] sshd[13730]: Invalid user altibase from port 4175
Oct 14 12:00:46 [HOSTNAME] sshd[13730]: Received disconnect from port 4175:11: Bye Bye [preauth]
Oct 14 12:00:46 [HOSTNAME] sshd[13730]: Disconnected from invalid user altibase port 4175 [preauth]
Oct 14 12:02:02 [HOSTNAME] sshd[14003]: Invalid user jboisson from port 57020
Oct 14 12:02:02 [HOSTNAME] sshd[14003]: Received disconnect from port 57020:11: Bye Bye [preauth]
Oct 14 12:02:02 [HOSTNAME] sshd[14003]: Disconnected from invalid user jboisson port 57020 [preauth]
Oct 14 12:31:07 [HOSTNAME] sshd[21127]: Invalid user uno from port 22528
Oct 14 12:31:07 [HOSTNAME] sshd[21127]: Received disconnect from port 22528:11: Bye Bye [preauth]
Oct 14 12:31:07 [HOSTNAME] sshd[21127]: Disconnected from invalid user uno port 22528 [preauth]
Oct 14 12:31:29 [HOSTNAME] sshd[21205]: Invalid user console from port 52546
Oct 14 12:31:29 [HOSTNAME] sshd[21205]: Received disconnect from port 52546:11: Bye Bye [preauth]
Oct 14 12:31:29 [HOSTNAME] sshd[21205]: Disconnected from invalid user console port 52546 [preauth]
Oct 14 12:31:30 [HOSTNAME] sshd[21206]: Invalid user zemba from port 36108
Oct 14 12:31:30 [HOSTNAME] sshd[21206]: Received disconnect from port 36108:11: Bye Bye [preauth]
Oct 14 12:31:30 [HOSTNAME] sshd[21206]: Disconnected from invalid user zemba port 36108 [preauth]
Oct 14 12:35:06 [HOSTNAME] sshd[22108]: Invalid user hfdw from port 33040
Oct 14 12:35:06 [HOSTNAME] sshd[22108]: Received disconnect from port 33040:11: Bye Bye [preauth]
Oct 14 12:35:06 [HOSTNAME] sshd[22108]: Disconnected from invalid user hfdw port 33040 [preauth]
Oct 14 12:35:11 [HOSTNAME] sshd[22146]: Invalid user teamspeak from port 40587
Oct 14 12:35:11 [HOSTNAME] sshd[22146]: Received disconnect from port 40587:11: Bye Bye [preauth]
Oct 14 12:35:11 [HOSTNAME] sshd[22146]: Disconnected from invalid user teamspeak port 40587 [preauth]
Oct 14 13:22:06 [HOSTNAME] sshd[31532]: Invalid user cgz from port 33616
Oct 14 13:22:06 [HOSTNAME] sshd[31532]: Received disconnect from port 33616:11: Bye Bye [preauth]
Oct 14 13:22:06 [HOSTNAME] sshd[31532]: Disconnected from invalid user cgz port 33616 [preauth]
Oct 14 13:27:59 [HOSTNAME] sshd[32489]: Invalid user redmine from port 48432
Oct 14 13:27:59 [HOSTNAME] sshd[32489]: Received disconnect from port 48432:11: Bye Bye [preauth]
Oct 14 13:27:59 [HOSTNAME] sshd[32489]: Disconnected from invalid user redmine port 48432 [preauth]
Oct 14 15:21:46 [HOSTNAME] sshd[52126]: Invalid user user from port 48854
Oct 14 15:21:46 [HOSTNAME] sshd[52126]: Received disconnect from port 48854:11: Bye Bye [preauth]
Oct 14 15:21:46 [HOSTNAME] sshd[52126]: Disconnected from invalid user user port 48854 [preauth]
Oct 14 15:29:16 [HOSTNAME] sshd[53648]: Invalid user mysqlbackup from port 45742
Oct 14 15:29:17 [HOSTNAME] sshd[53648]: Received disconnect from port 45742:11: Bye Bye [preauth]
Oct 14 15:29:17 [HOSTNAME] sshd[53648]: Disconnected from invalid user mysqlbackup port 45742 [preauth]
Oct 14 15:29:43 [HOSTNAME] sshd[53847]: Invalid user hong from port 52645
Oct 14 15:29:44 [HOSTNAME] sshd[53847]: Received disconnect from port 52645:11: Bye Bye [preauth]
Oct 14 15:29:44 [HOSTNAME] sshd[53847]: Disconnected from invalid user hong port 52645 [preauth]
Oct 14 15:30:48 [HOSTNAME] sshd[54091]: Invalid user squid from port 1024
Oct 14 15:30:48 [HOSTNAME] sshd[54091]: Received disconnect from port 1024:11: Bye Bye [preauth]
Oct 14 15:30:48 [HOSTNAME] sshd[54091]: Disconnected from invalid user squid port 1024 [preauth]
Oct 14 15:40:43 [HOSTNAME] sshd[55748]: Invalid user demom5147 from port 54242
Oct 14 15:40:43 [HOSTNAME] sshd[55748]: Received disconnect from port 54242:11: Bye Bye [preauth]
Oct 14 15:40:43 [HOSTNAME] sshd[55748]: Disconnected from invalid user demom5147 port 54242 [preauth]
Oct 14 16:00:01 [HOSTNAME] sshd[59092]: Invalid user admin from port 54004
Oct 14 16:00:02 [HOSTNAME] sshd[59092]: Received disconnect from port 54004:11: Bye Bye [preauth]
Oct 14 16:00:02 [HOSTNAME] sshd[59092]: Disconnected from invalid user admin port 54004 [preauth]
Oct 14 16:17:57 [HOSTNAME] sshd[62515]: Invalid user ts3server from port 37986
Oct 14 16:17:58 [HOSTNAME] sshd[62515]: Received disconnect from port 37986:11: Bye Bye [preauth]
Oct 14 16:17:58 [HOSTNAME] sshd[62515]: Disconnected from invalid user ts3server port 37986 [preauth]
Oct 14 16:20:09 [HOSTNAME] sshd[62912]: Invalid user saned from port 60986
Oct 14 16:20:09 [HOSTNAME] sshd[62912]: Received disconnect from port 60986:11: Bye Bye [preauth]
Oct 14 16:20:09 [HOSTNAME] sshd[62912]: Disconnected from invalid user saned port 60986 [preauth]
Oct 14 16:21:55 [HOSTNAME] sshd[63206]: Invalid user maven from port 39144
Oct 14 16:21:55 [HOSTNAME] sshd[63206]: Received disconnect from port 39144:11: Bye Bye [preauth]
Oct 14 16:21:55 [HOSTNAME] sshd[63206]: Disconnected from invalid user maven port 39144 [preauth]
Oct 14 16:22:10 [HOSTNAME] sshd[63244]: Invalid user sftp from port 54314
Oct 14 16:22:10 [HOSTNAME] sshd[63244]: Received disconnect from port 54314:11: Bye Bye [preauth]
Oct 14 16:22:10 [HOSTNAME] sshd[63244]: Disconnected from invalid user sftp port 54314 [preauth]
Oct 14 16:22:25 [HOSTNAME] sshd[63278]: Invalid user admin from port 58212
Oct 14 16:22:25 [HOSTNAME] sshd[63278]: Received disconnect from port 58212:11: Bye Bye [preauth]
Oct 14 16:22:25 [HOSTNAME] sshd[63278]: Disconnected from invalid user admin port 58212 [preauth]
Oct 14 16:23:02 [HOSTNAME] sshd[63380]: Invalid user csgo from port 58796
Oct 14 16:23:02 [HOSTNAME] sshd[63380]: Received disconnect from port 58796:11: Bye Bye [preauth]
Oct 14 16:23:02 [HOSTNAME] sshd[63380]: Disconnected from invalid user csgo port 58796 [preauth]
Oct 14 16:27:41 [HOSTNAME] sshd[64352]: Invalid user shop from port 34584
Oct 14 16:27:41 [HOSTNAME] sshd[64352]: Received disconnect from port 34584:11: Bye Bye [preauth]
Oct 14 16:27:41 [HOSTNAME] sshd[64352]: Disconnected from invalid user shop port 34584 [preauth]
Oct 14 16:27:52 [HOSTNAME] sshd[64367]: Invalid user wcsd from port 45406
Oct 14 16:27:53 [HOSTNAME] sshd[64367]: Received disconnect from port 45406:11: Bye Bye [preauth]
Oct 14 16:27:53 [HOSTNAME] sshd[64367]: Disconnected from invalid user wcsd port 45406 [preauth]
Oct 14 16:27:55 [HOSTNAME] sshd[64382]: Invalid user rsync from port 49903
Oct 14 16:27:56 [HOSTNAME] sshd[64382]: Received disconnect from port 49903:11: Bye Bye [preauth]
Oct 14 16:27:56 [HOSTNAME] sshd[64382]: Disconnected from invalid user rsync port 49903 [preauth]
Oct 14 16:31:03 [HOSTNAME] sshd[64888]: Invalid user user from port 59834
Oct 14 16:31:04 [HOSTNAME] sshd[64888]: Received disconnect from port 59834:11: Bye Bye [preauth]
Oct 14 16:31:04 [HOSTNAME] sshd[64888]: Disconnected from invalid user user port 59834 [preauth]
Oct 14 17:26:14 [HOSTNAME] sshd[74941]: Invalid user ftpsvr from port 43464
Oct 14 17:26:14 [HOSTNAME] sshd[74941]: Received disconnect from port 43464:11: Bye Bye [preauth]
Oct 14 17:26:14 [HOSTNAME] sshd[74941]: Disconnected from invalid user ftpsvr port 43464 [preauth]
Oct 14 17:29:34 [HOSTNAME] sshd[75696]: Invalid user gabor from port 56124
Oct 14 17:29:34 [HOSTNAME] sshd[75696]: Received disconnect from port 56124:11: Bye Bye [preauth]
Oct 14 17:29:34 [HOSTNAME] sshd[75696]: Disconnected from invalid user gabor port 56124 [preauth]
Oct 14 17:30:24 [HOSTNAME] sshd[75826]: Invalid user drricardokacowicz from port 60506
Oct 14 17:30:24 [HOSTNAME] sshd[75826]: Received disconnect from port 60506:11: Bye Bye [preauth]
Oct 14 17:30:24 [HOSTNAME] sshd[75826]: Disconnected from invalid user drricardokacowicz port 60506 [preauth]
Oct 14 17:40:43 [HOSTNAME] sshd[77731]: Invalid user hfxw from port 46160
Oct 14 17:40:43 [HOSTNAME] sshd[77731]: Received disconnect from port 46160:11: Bye Bye [preauth]
Oct 14 17:40:43 [HOSTNAME] sshd[77731]: Disconnected from invalid user hfxw port 46160 [preauth]
Oct 14 17:44:41 [HOSTNAME] sshd[78315]: Invalid user guest from port 57972
Oct 14 17:44:41 [HOSTNAME] sshd[78315]: Received disconnect from port 57972:11: Bye Bye [preauth]
Oct 14 17:44:41 [HOSTNAME] sshd[78315]: Disconnected from invalid user guest port 57972 [preauth]
Oct 14 17:46:25 [HOSTNAME] sshd[78616]: User tcpdump from not allowed because not listed in AllowUsers
Oct 14 17:46:25 [HOSTNAME] sshd[78616]: Received disconnect from port 52770:11: Bye Bye [preauth]
Oct 14 17:46:25 [HOSTNAME] sshd[78616]: Disconnected from invalid user tcpdump port 52770 [preauth]
Oct 14 18:04:07 [HOSTNAME] sshd[81613]: Invalid user ladi from port 45294
Oct 14 18:04:08 [HOSTNAME] sshd[81613]: Received disconnect from port 45294:11: Bye Bye [preauth]
Oct 14 18:04:08 [HOSTNAME] sshd[81613]: Disconnected from invalid user ladi port 45294 [preauth]
Oct 14 18:04:40 [HOSTNAME] sshd[81682]: Invalid user maven from port 57308
Oct 14 18:04:40 [HOSTNAME] sshd[81682]: Received disconnect from port 57308:11: Bye Bye [preauth]
Oct 14 18:04:40 [HOSTNAME] sshd[81682]: Disconnected from invalid user maven port 57308 [preauth]
Oct 14 18:06:03 [HOSTNAME] sshd[81934]: Invalid user hadoop from port 54536
Oct 14 18:06:03 [HOSTNAME] sshd[81934]: Received disconnect from port 54536:11: Bye Bye [preauth]
Oct 14 18:06:03 [HOSTNAME] sshd[81934]: Disconnected from invalid user hadoop port 54536 [preauth]
Oct 14 18:06:16 [HOSTNAME] sshd[81966]: Invalid user shop from port 58876
Oct 14 18:06:16 [HOSTNAME] sshd[81966]: Received disconnect from port 58876:11: Bye Bye [preauth]
Oct 14 18:06:16 [HOSTNAME] sshd[81966]: Disconnected from invalid user shop port 58876 [preauth]
Oct 14 18:07:30 [HOSTNAME] sshd[82216]: Invalid user mayeh from port 6263
Oct 14 18:07:30 [HOSTNAME] sshd[82216]: Received disconnect from port 6263:11: Bye Bye [preauth]
Oct 14 18:07:30 [HOSTNAME] sshd[82216]: Disconnected from invalid user mayeh port 6263 [preauth]
Oct 14 18:07:37 [HOSTNAME] sshd[82236]: Invalid user matsu from port 35730
Oct 14 18:07:37 [HOSTNAME] sshd[82236]: Received disconnect from port 35730:11: Bye Bye [preauth]
Oct 14 18:07:37 [HOSTNAME] sshd[82236]: Disconnected from invalid user matsu port 35730 [preauth]
Oct 14 18:28:28 [HOSTNAME] sshd[85636]: Invalid user hip from port 54772
Oct 14 18:28:28 [HOSTNAME] sshd[85636]: Received disconnect from port 54772:11: Bye Bye [preauth]
Oct 14 18:28:28 [HOSTNAME] sshd[85636]: Disconnected from invalid user hip port 54772 [preauth]
Oct 14 18:33:23 [HOSTNAME] sshd[86470]: Invalid user ts from port 34232
Oct 14 18:33:23 [HOSTNAME] sshd[86470]: Received disconnect from port 34232:11: Bye Bye [preauth]
Oct 14 18:33:23 [HOSTNAME] sshd[86470]: Disconnected from invalid user ts port 34232 [preauth]

I have sshd configured to use a custom port (yay, security by obscurity not working!) which is forwarded by the router, allowing only my user, no root login, no password login, public key authentication only.

Previously, on every Fedora upgrade I would have to reconfigure these settings, which would get reset to defaults with my config saved to an .rpmsave file, but for the past 1-2 upgrades (currently on F36) I haven’t had to reconfigure for some reason.

I have noticed 3 config files: /etc/ssh/sshd_config, /etc/ssh/sshd_config.d/05-redhat.conf, and /etc/ssh/sshd_config.d/50-redhat.conf. They overlap some of the settings, and to my knowledge they consecutively apply settings, with higher numbered ones coming later and thus taking precedence, yes?

#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a  *.conf  file under
#  /etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#AddressFamily any
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect here.
# They will be overridden by command-line options passed to the server
# on command line.
# Please, check manual pages for update-crypto-policies(8) and sshd_config(5).


SyslogFacility AUTHPRIV

PermitRootLogin no

PasswordAuthentication no
KbdInteractiveAuthentication no

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

# Accept locale-related environment variables

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

AllowUsers [USER]
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

# Accept locale-related environment variables

Improvement suggestions are welcome. Though the first order of business is, are those connection attempts indicative of a problem?
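
The first question is best answered by reading the log rather than eyeballing it. The following is an added example (my own, not code from the thread or from OpenSSH) that parses the two kinds of rejection in the post ("Invalid user ..." and "... not allowed because not listed in AllowUsers"), counts them per source and per username, lists every successful login so it can be checked against what you expect, and applies the sliding-window rule that tools like sshguard or fail2ban use to pick sources worth blocking. The log lines are constructed for the example (the post's addresses are redacted, so documentation-range IPs are used), and the `year` argument is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, modelled on the lines in the post; the addresses come from
# the RFC 5737 documentation ranges and are not real hosts.
SAMPLE_LOG = """\
Oct 14 11:56:33 host sshd[9961]: Invalid user maven from 203.0.113.5 port 4413
Oct 14 11:56:33 host sshd[9961]: Received disconnect from 203.0.113.5 port 4413:11: Bye Bye [preauth]
Oct 14 11:56:33 host sshd[9961]: Disconnected from invalid user maven 203.0.113.5 port 4413 [preauth]
Oct 14 12:00:46 host sshd[13730]: Invalid user altibase from 198.51.100.7 port 4175
Oct 14 12:31:07 host sshd[21127]: Invalid user uno from 203.0.113.5 port 22528
Oct 14 12:31:29 host sshd[21205]: Invalid user console from 203.0.113.5 port 52546
Oct 14 12:31:30 host sshd[21206]: Invalid user zemba from 203.0.113.5 port 36108
Oct 14 16:00:01 host sshd[59092]: Invalid user admin from 192.0.2.9 port 54004
Oct 14 17:46:25 host sshd[78616]: User tcpdump from 192.0.2.9 not allowed because not listed in AllowUsers
Oct 14 18:04:40 host sshd[81682]: Invalid user maven from 198.51.100.7 port 57308
Oct 14 18:20:00 host sshd[90001]: Accepted publickey for alice from 192.0.2.200 port 50000 ssh2: ED25519 SHA256:c29tZWZha2VoYXNo
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PATTERNS = (
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+")),
    ("not_allowed", re.compile(r"^User (?P<user>\S+) from (?P<ip>\S+) not allowed because")),
    ("accepted", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
)


def parse_events(text, year=2022):
    """Turn sshd syslog lines into {ts, kind, user, ip} events.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, rx in PATTERNS:
            mm = rx.match(m["msg"])
            if mm:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append({"ts": ts, "kind": kind, "user": mm["user"], "ip": mm["ip"]})
                break
    return events


def summarize(events):
    """Counts of rejected pre-auth attempts plus every successful login: the
    rejections are background noise, the accepted list is what needs reading."""
    rejected = [e for e in events if e["kind"] != "accepted"]
    return {
        "rejected": len(rejected),
        "by_ip": Counter(e["ip"] for e in rejected),
        "by_user": Counter(e["user"] for e in rejected),
        "accepted": [(e["user"], e["ip"]) for e in events if e["kind"] == "accepted"],
    }


def burst_sources(events, window=timedelta(minutes=1), threshold=3):
    """Sources with >= threshold rejected attempts inside any `window`: the
    sliding-window rule sshguard/fail2ban-style tools apply before blocking an IP."""
    per_ip = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "accepted":
            per_ip.setdefault(e["ip"], []).append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        best = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    report = summarize(evs)
    print(f"{report['rejected']} rejected pre-auth attempts; accepted logins: {report['accepted']}")
    print("top sources:", report["by_ip"].most_common(3))
    print("burst sources (candidates for blocking):", burst_sources(evs))
```

On the real host, feed it the journal instead of the constructed sample (for instance `journalctl -u sshd --no-pager -o short`, which prints the same syslog-style lines). The thing to look at is the `accepted` list: pre-auth rejections for usernames that do not exist are the normal Internet background noise against any reachable sshd, and with key-only authentication and AllowUsers they cannot succeed; an accepted login from a source or for a user you do not recognise is the only entry in this log that would indicate a problem.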

I’d remove one of the redhat.conf files (probably both even). When you update the system it shouldn’t overwrite your config file either. As for some security I’d recommend installing the sshguard package. Out of the box it doesn’t require any additional configuration but you can customize it how you like. It will log the attempts and create firewall rules to reject additional attempts.

Interesting, I didn’t know about sshguard. The last release seems to be from 2018. Is it still maintained?

I thought the config files got split a few fedora/systemd releases ago, from a single file into a bunch of files in the .d/ subdirectory. Pretty sure I didn’t make the redhat file myself, although it’s possible one of them is the result of me saving an old config under a new name to prevent it from getting overwritten.

Do the connection attempts seem like a problem?

50-redhat.conf is provided by openssh-server so don’t remove that one… The other file probably came from an older Fedora release.

Another thing of note.
After reading /etc/ssh/sshd_config it is easy to see that the .conf files in /etc/ssh/sshd_config.d are read first so the settings in /etc/ssh/sshd_config are processed last and would override the settings from the other files. It also displays all (almost all?) the defaults so it is easy to tell what the default settings are and to make changes from that point.

Hmm, true. I wonder why the .conf files are imported at the beginning instead of the end of the file.

I think I kept that file at the defaults and made changes in the .conf file(s) as mentioned in the comments at the top. That works since nearly all entries in /etc/ssh/sshd_config are commented out and just show default values.

If openssh package updates change that default config file it shouldn’t affect my settings, as long as they don’t uncomment options.

As for the connection attempts, I suppose that isn’t anything to worry about?

According to the manual, man sshd_config:

SSHD_CONFIG(5)          BSD File Formats Manual          SSHD_CONFIG(5)

     sshd_config — OpenSSH daemon configuration file

     sshd(8) reads configuration data from /etc/ssh/sshd_config (or the
     file specified with -f on the command line).  The file contains
     keyword-argument pairs, one per line.  For each keyword, the first
     obtained value will be used.  Lines starting with ‘#’ and empty
     lines are interpreted as comments.  Arguments may optionally be
     enclosed in double quotes (") in order to represent arguments
     containing spaces.

The first occurrence of a keyword will be used and later occurrences are not used.

You can create a new file in the /etc/ssh/sshd_config.d directory where you specify all your local customizations. If you name the file 00local-conf.conf you can override any keyword. Also, system upgrades will not touch that file.
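
To see what "first obtained value wins" means across the three files in this thread, here is an added example (mine, not code from the thread or from OpenSSH) that walks a configuration the way sshd_config(5) describes it: an Include is expanded, in sorted glob order, at the point where the directive appears, every keyword keeps the first value it was given, and a Match line ends the global section of a file. The file contents are constructed in memory for the example; the result records which file supplied each effective value, which is exactly the question the thread is circling around.

```python
import fnmatch
import re

# Constructed in-memory stand-in for the on-disk files discussed in the thread.
# Assumptions (both from sshd_config(5)): Include expands its pattern with glob(3),
# whose matches come back sorted, and the first value obtained for a keyword wins.
FILES = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
#X11Forwarding no
#PasswordAuthentication yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
""",
    "/etc/ssh/sshd_config.d/00-local.conf": """\
AllowUsers alice
X11Forwarding no
""",
    "/etc/ssh/sshd_config.d/50-redhat.conf": """\
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
UsePAM yes
""",
}

# sshd accepts "Keyword value", "Keyword=value" and tab-separated forms.
KEYVAL_RE = re.compile(r"[\s=]+")


def included(pattern, files):
    """Files matched by an Include pattern, in the sorted order glob(3) returns."""
    return sorted(p for p in files if fnmatch.fnmatch(p, pattern))


def resolve(path, files, effective=None):
    """Walk the config the way sshd does; return keyword -> (value, file that set it)."""
    effective = {} if effective is None else effective
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = KEYVAL_RE.split(line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Everything after a Match line is conditional on the connection, so
            # the global section of this file ends here; Match blocks are not modelled.
            break
        if key == "include":
            for pattern in value.split():
                for inc in included(pattern, files):
                    resolve(inc, files, effective)
            continue
        effective.setdefault(key, (value, path))  # first obtained value wins
    return effective


def show(effective, keys):
    for k in keys:
        value, source = effective.get(k.lower(), ("<built-in default>", "-"))
        print(f"{k:24} {value:8} from {source}")


if __name__ == "__main__":
    eff = resolve("/etc/ssh/sshd_config", FILES)
    show(eff, ["PasswordAuthentication", "X11Forwarding", "AllowUsers", "PermitRootLogin", "UsePAM"])
    # On the real host, compare with:  sshd -T | grep -iE 'passwordauthentication|x11forwarding'
```

Two things fall out of running it. `PasswordAuthentication yes`, written in sshd_config itself after the Include line, loses to the `no` in 50-redhat.conf, because the Include sits at the top and that file was read first; and `X11Forwarding no` in 00-local.conf beats the `yes` in 50-redhat.conf purely on sort order of the file names. That is why the Include is at the beginning of the file and why a 00-prefixed drop-in is the right place for local overrides. The authoritative check on a live system is `sshd -T` (run as root so the host keys are readable), which prints the configuration the daemon would actually use after parsing all includes; `sshd -t` only checks syntax.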