How to Distinguish Between SSH Brute Force Attacks and Successful Compromises in Linux Login Logs


32 views

The log entries you're seeing with ssh:notty and very short session durations (00:00) clearly indicate failed login attempts rather than successful breaches. Here's why:

# Typical brute force pattern characteristics:
1. Multiple usernames attempted (root, oracle, gary, admin, etc.)
2. Same IP address with sequential attempts
3. "notty" indicates no terminal was allocated (failed auth)
4. Sessions lasting 00:00 means immediate disconnect after failure

The 222.92.89.xx IP belongs to a known malicious actor range from China targeting SSH ports. These are automated scripts scanning for weak credentials. Since you mentioned port 22 was temporarily open, this explains the intrusion attempts.

Here's what I implement on all my servers:

# 1. Install and configure fail2ban
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit jail.local (example configuration):
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
# 2. Change SSH port and restrict access
sudo nano /etc/ssh/sshd_config
# Change these lines (any non-standard port will do; keep comments on their own
# line, older sshd versions reject trailing text after a directive):
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers yourusername

For production systems, consider these additional measures:

# Set up geo-blocking with iptables
sudo iptables -A INPUT -p tcp --dport 2222 -m geoip ! --src-cc US,EU -j DROP
# (Requires xt_geoip module)

# Implement port knocking for hidden SSH
sudo apt install knockd
sudo nano /etc/knockd.conf
[options]
    UseSyslog

[openSSH]
    sequence = 7000,8000,9000
    seq_timeout = 10
    # Insert at the top of the chain so the rule takes effect ahead of any existing
    # DROP/REJECT rule for this port (-A would append after it and never match)
    command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    tcpflags = syn

To check if any attempts succeeded despite these failed logs:

# Check successful logins:
last -i

# Search auth logs for suspicious activity:
grep "Accepted password" /var/log/auth.log
grep "session opened" /var/log/auth.log

# Check for unknown users:
cut -d: -f1 /etc/passwd | sort

Here's a Python script to monitor SSH attempts in real-time:

#!/usr/bin/env python3
"""Tail /var/log/auth.log and count sshd 'Failed password' lines per source IP."""
import re
import subprocess
from collections import defaultdict

# Matches e.g. "Failed password for invalid user oracle from 222.92.89.10 port 41022 ssh2"
FAILED_RE = re.compile(rb"Failed password for .* from (\S+) port \d+")


def monitor_ssh(threshold=3):
    # tail -F (not -f) keeps following the file across log rotation
    cmd = "tail -F /var/log/auth.log | grep --line-buffered 'sshd'"
    process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
    ip_counts = defaultdict(int)

    while True:
        line = process.stdout.readline()
        if not line:            # pipeline exited; stop instead of spinning
            break
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group(1).decode()
        ip_counts[ip] += 1
        if ip_counts[ip] > threshold:
            print(f"Brute force detected from {ip} - {ip_counts[ip]} attempts")


if __name__ == "__main__":
    monitor_ssh()
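The indicators both answers list (ssh:notty lines, 00:00 durations, one host cycling through usernames) can be checked mechanically rather than by eye. The script below is an added example, not code from either answer: it parses `last -i` / `lastb -i` style output, the format quoted in the question, groups the notty entries per source host, and flags the one thing that would indicate a compromise rather than noise, an interactive session (a pts/ or tty line) from a host that was also hammering the server. The log lines, the `threshold` parameter and the function names are this example's own; it assumes `-i` was used so the host column is always a dotted IP (0.0.0.0 for console logins).

```python
#!/usr/bin/env python3
"""Triage `last -i` / `lastb -i` output: brute-force noise vs. a session that got a shell.

Added example, not from the original answers. All input lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the format shown in the question. The pts/1 line for root
# from the brute-forcing host is the case that would warrant an incident response.
SAMPLE_LAST = """\
root     ssh:notty    222.92.89.10     Sat Jul  9 12:26 - 12:26  (00:00)
root     ssh:notty    222.92.89.10     Sat Jul  9 12:04 - 12:04  (00:00)
oracle   ssh:notty    222.92.89.10     Sat Jul  9 11:43 - 11:43  (00:00)
gary     ssh:notty    222.92.89.10     Sat Jul  9 11:40 - 11:40  (00:00)
root     pts/1        222.92.89.10     Sat Jul  9 12:27 - 12:41  (00:14)
deploy   pts/0        10.0.0.5         Sat Jul  9 09:00 - 10:15  (01:15)
ubuntu   pts/2        10.0.0.7         Sat Jul  9 08:00   still logged in

wtmp begins Fri Jul  1 00:00:01 2022
"""

# user, tty/line, source host (always present with -i), then the free-form time span
LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<host>\S+)\s+(?P<span>.+)$")
# "(00:14)" or "(2+03:15)" at the end of a finished session
DUR_RE = re.compile(r"\((?:(?P<days>\d+)\+)?(?P<h>\d+):(?P<m>\d+)\)\s*$")


def parse_last(text):
    """Return one dict per record; trailer lines ('wtmp begins ...') and blanks are skipped."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("wtmp begins", "btmp begins")):
            continue
        m = LAST_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        d = DUR_RE.search(rec["span"])
        # None means the session is still open (no duration printed yet)
        rec["minutes"] = (int(d["days"] or 0) * 1440 + int(d["h"]) * 60 + int(d["m"])) if d else None
        rec["interactive"] = rec["line"].startswith(("pts/", "tty"))
        records.append(rec)
    return records


def summarize(records, threshold=3):
    """Group records by source host and flag interactive sessions from brute-forcing hosts."""
    notty = defaultdict(list)
    interactive = []
    for rec in records:
        if rec["line"] == "ssh:notty":
            notty[rec["host"]].append(rec)
        elif rec["interactive"]:
            interactive.append(rec)

    brute_force = {
        host: {"attempts": len(recs), "usernames": sorted({r["user"] for r in recs})}
        for host, recs in notty.items() if len(recs) >= threshold
    }
    # A real login (pty allocated, non-zero or still-open duration) from a host that
    # was cycling through usernames is the signature of a brute force that succeeded.
    compromise_candidates = [r for r in interactive if r["host"] in brute_force]
    return {"brute_force": brute_force, "interactive": interactive,
            "compromise_candidates": compromise_candidates}


if __name__ == "__main__":
    report = summarize(parse_last(SAMPLE_LAST))
    for host, info in report["brute_force"].items():
        print(f"brute force: {host} {info['attempts']} attempts, users {info['usernames']}")
    for r in report["compromise_candidates"]:
        print(f"INVESTIGATE: {r['user']} got {r['line']} from {r['host']} ({r['span'].strip()})")
```

Run it against real data with `last -i | python3 triage.py` style piping (read `sys.stdin` instead of `SAMPLE_LAST`); feed it `lastb -i` output as well, since failed attempts land in btmp while the interactive sessions you are worried about are in wtmp.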

The log entries you're seeing are classic signs of SSH brute force attacks, not successful logins. Here's why:

root     ssh:notty    222.92.89.xx     Sat Jul  9 12:26 - 12:26  (00:00)
root     ssh:notty    222.92.89.xx     Sat Jul  9 12:04 - 12:04  (00:00)
oracle   ssh:notty    222.92.89.xx     Sat Jul  9 11:43 - 11:43  (00:00)

Key indicators:

  • ssh:notty means no terminal was allocated - typical for automated attacks
  • Very short session durations (00:00)
  • Multiple username attempts (root, oracle, gary, admin, etc.)
  • Same IP trying different common usernames

Since you've already restricted port 22, here are additional hardening measures:

# Install and configure fail2ban
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local:

[sshd]
enabled = true
maxretry = 3
bantime = 1d
findtime = 1h

Even though these appear to be failed attempts, it's good practice to check for signs of compromise:

# Check for unusual processes
ps aux | grep -E '(ssh|python|perl|nc|netcat)'

# Look for suspicious cron jobs (crontab -l lists only the current user's crontab;
# run it as root too)
crontab -l
ls -la /etc/cron*

# Verify SSH authorized_keys files (-type f skips directories; stderr is silenced
# for /proc and unreadable paths)
sudo find / -name authorized_keys -type f -print -exec cat {} \; 2>/dev/null

Beyond IP restrictions, implement these security layers:

# Disable root login and password authentication. Match the directive whether or not
# it is commented out: Debian/Ubuntu ship "#PermitRootLogin prohibit-password", so a
# pattern of "#PermitRootLogin yes" never matches and the default stays in place.
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Change default SSH port (optional but effective)
sudo sed -i -E 's/^#?Port 22$/Port 2222/' /etc/ssh/sshd_config

# Newer Debian/Ubuntu start sshd_config with "Include /etc/ssh/sshd_config.d/*.conf";
# sshd keeps the first value it reads, so a drop-in there (cloud images ship
# 50-cloud-init.conf with "PasswordAuthentication yes") overrides the edits above.
# Check the effective values before restarting:
sudo sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|port) '

# Test the syntax (a typo would lock you out), then restart SSH service
sudo sshd -t && sudo systemctl restart sshd

For even better security, consider implementing:

  • Certificate-based authentication
  • Two-factor authentication
  • Port knocking

Set up automated monitoring for SSH attempts:

# Create a daily SSH attempt report script
cat << 'EOF' > /usr/local/bin/ssh_monitor.sh
#!/bin/bash
# Cron runs this at 00:00, so report on *yesterday*: at midnight "today" has no
# entries yet and a report for the current date would always be empty.
DAY=$(date -d yesterday +"%b %e")      # syslog timestamp format, e.g. "Jul  9"
LOG_FILE="/var/log/auth.log"
REPORT_FILE="/var/log/ssh_report_$(date -d yesterday +%F).log"

echo "SSH login attempts for $DAY" > "$REPORT_FILE"
echo "=============================" >> "$REPORT_FILE"
grep "^$DAY" "$LOG_FILE" | grep sshd | \
    grep -E "Failed|Accepted" >> "$REPORT_FILE"

# Email the report (requires mailutils)
mail -s "Daily SSH Report" admin@example.com < "$REPORT_FILE"
EOF

# Make it executable and schedule daily
chmod +x /usr/local/bin/ssh_monitor.sh
(crontab -l ; echo "0 0 * * * /usr/local/bin/ssh_monitor.sh") | crontab -
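Both answers edit sshd_config with one-liners and never check what sshd actually ended up with. sshd uses the first value it reads for each keyword, expands `Include` globs at the point they appear (so a drop-in included at the top of the file beats a hardened line further down), and treats everything after a `Match` line as conditional. The audit below is an added example of my own, not code from either answer: it replays that first-wins evaluation over the text of a config plus its include files and reports which settings are weak and where the winning value came from, including settings that are only in force because a commented-out line left the default in place. The two config sets are constructed; the `DEFAULTS` table holds OpenSSH's documented defaults for those four keywords, and the `WANT` table is this example's own hardening policy. `sshd -T` on the live host remains the authority; this is a review tool for config files you cannot run sshd against (e.g. in a repository).

```python
#!/usr/bin/env python3
"""Static audit of sshd_config hardening using sshd's first-value-wins rule.

Added example, not from the original answers; the config texts are constructed.
"""
import fnmatch

# OpenSSH defaults for the keywords audited here (sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}
# This example's hardening policy: acceptable effective values per keyword.
WANT = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "maxauthtries": {"1", "2", "3"},
}

# Constructed: a Debian/Ubuntu-style config after the sed edits from the answer. The
# drop-in shipped by cloud-init is included first, so its "yes" wins; the commented
# PermitRootLogin line leaves the default in force; MaxAuthTries was never touched.
BEFORE = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication no
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
""",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# Constructed: the fix is a drop-in that sorts before 50-cloud-init.conf, plus
# explicit values for the other keywords.
AFTER = {
    "/etc/ssh/sshd_config": """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
""",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/00-hardening.conf": "PasswordAuthentication no\n",
}


def effective_settings(files, main="/etc/ssh/sshd_config"):
    """Walk the config the way sshd does: the first value seen for a keyword wins,
    Include globs are expanded (in sorted order) where they appear, and reading of a
    file stops at its first Match line because everything below it is conditional."""
    found = {}  # keyword -> (value, source file)

    def walk(path):
        for raw in files[path].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            # current sshd treats '#' inside a line as the start of a comment
            val = parts[1].split("#", 1)[0].strip() if len(parts) > 1 else ""
            if key == "match":
                return
            if key == "include":
                for pattern in val.split():
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(inc)
                continue
            found.setdefault(key, (val.lower(), path))

    walk(main)
    return found


def audit(files, main="/etc/ssh/sshd_config"):
    """Return (keyword, effective value, source, verdict) for every keyword in WANT."""
    eff = effective_settings(files, main)
    findings = []
    for key, allowed in WANT.items():
        value, source = eff.get(key, (DEFAULTS[key], "default (not set anywhere)"))
        findings.append((key, value, source, "ok" if value in allowed else "WEAK"))
    return findings


def weak_settings(files, main="/etc/ssh/sshd_config"):
    return [f for f in audit(files, main) if f[3] == "WEAK"]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        for key, value, source, verdict in audit(cfg):
            print(f"{verdict:4} {key}={value}  ({source})")
```

The "before" run shows the trap the sed commands in the answer fall into on a cloud image: `PasswordAuthentication no` is in the main file, yet the effective value is `yes` and the source column points at the drop-in. Fixing it by editing the drop-in works until cloud-init rewrites it; a drop-in named to sort earlier, as in the "after" set, is the durable fix.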