 

Getting lots of random login attempts from different users on my Google Compute Engine instance

I'm getting hundreds of these on the serial console output when viewing my instance information on the Google Cloud Console. What's going on? (IP address obscured)

sshd[21514]: Received disconnect from 123.456.7.890: 11: Bye Bye [preauth]
Jun 30 01:25:16 collabspot sshd[21516]: Invalid user florida from 123.456.7.890
Jun 30 01:25:16 collabspot sshd[21516]: input_userauth_request: invalid user florida [preauth]
Jun 30 01:25:16 collabspot sshd[21516]: Received disconnect from 123.456.7.890: 11: Bye Bye [preauth]
Jun 30 01:25:18 collabspot sshd[21518]: Invalid user florrie from 123.456.7.890
Jun 30 01:25:18 collabspot sshd[21518]: input_userauth_request: invalid user florrie [preauth]

It seems to be trying different usernames, alphabetically. I've never provided my instance's IP address to anyone.

john2x asked Dec 03 '25 22:12



2 Answers

I'm guessing that your instance's IP is being subjected to a brute-force SSH login attack. You've obscured the source IP address of the attacks, but you can use whois 123.456.7.890 to find out the owner of the netblock, which may be an ISP in a foreign country... usually, the IP address registrar requires an abuse contact, but you may find that the abuse contact can't help much with this traffic.

Since GCE disables password logins by default in favor of public-key authentication, it's unlikely that these attacks will succeed unless you explicitly enable password authentication and set a password for at least one user. They are annoying, though.

If you tend to connect to GCE from a small range of IP addresses, you can remove the default-ssh firewall rule that allows traffic from all IP addresses to port 22 and replace it with a targeted rule that only allows port 22 TCP traffic from your netblocks. For example, if your ISP uses 3.4.6.0/23 for your network, and you connect from 8.1.0.0/16 at home, you could run the following commands to only allow SSH connections from those two ranges:

gcutil deletefirewall default-ssh
gcutil addfirewall limited-ssh --allowed=tcp:ssh --allowed_ip_sources=3.4.6.0/23,8.1.0.0/16

If you later need to reinstate the default-ssh rule, the definition looks like this:

gcutil addfirewall default-ssh --allowed=tcp:ssh
E. Anderson answered Dec 07 '25 01:12

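Added example, not part of either answer: the check a practitioner would run before touching firewall rules. It parses sshd lines of the shape shown in the question (including a line whose timestamp was cut off), groups "Invalid user" attempts by source IP, applies the asker's own observation (many distinct usernames, tried in alphabetical order) as a brute-force heuristic, and then tests each flagged source against a proposed SSH source-range allow-list to confirm a restricted port-22 rule would actually cut it off. The log lines, the addresses (RFC 5737 documentation ranges) and the allow-list `MY_SSH_SOURCES` are constructed stand-ins for the real serial-console output and for the answer's 3.4.6.0/23 and 8.1.0.0/16.

```python
"""Flag SSH brute-force sources in sshd log lines and check them against an SSH allow-list.

Added example; the sample log, the IP addresses (RFC 5737 documentation ranges) and
MY_SSH_SOURCES are constructed, not taken from the question or the answers.
"""
import ipaddress
import re
from collections import defaultdict

# Matches the sshd messages the question shows. The timestamp/host prefix is optional
# because the first line of serial-console output is often truncated, as in the question.
SSHD_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) )?sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INVALID_USER_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")

# Constructed sample modelled on the question's output (addresses replaced with RFC 5737 ranges).
SAMPLE_LOG = """\
sshd[21514]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Jun 30 01:25:16 collabspot sshd[21516]: Invalid user florida from 198.51.100.7
Jun 30 01:25:16 collabspot sshd[21516]: input_userauth_request: invalid user florida [preauth]
Jun 30 01:25:16 collabspot sshd[21516]: Received disconnect from 198.51.100.7: 11: Bye Bye [preauth]
Jun 30 01:25:18 collabspot sshd[21518]: Invalid user florrie from 198.51.100.7
Jun 30 01:25:18 collabspot sshd[21518]: input_userauth_request: invalid user florrie [preauth]
Jun 30 01:25:20 collabspot sshd[21520]: Invalid user floyd from 198.51.100.7
Jun 30 01:25:22 collabspot sshd[21522]: Invalid user flynn from 198.51.100.7
Jun 30 01:26:01 collabspot sshd[21530]: Invalid user admin from 203.0.113.9
Jun 30 01:27:40 collabspot sshd[21540]: Accepted publickey for john from 192.0.2.44 port 50022 ssh2
"""

# Hypothetical allow-list standing in for the answer's 3.4.6.0/23 and 8.1.0.0/16.
MY_SSH_SOURCES = ["192.0.2.0/24", "198.51.100.128/25"]


def invalid_user_attempts(log_text):
    """Return {source_ip: [usernames tried, in log order]} for 'Invalid user' lines."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line (or garbled beyond recognition); skip it
        u = INVALID_USER_RE.match(m.group("msg"))
        if u:
            attempts[u.group("ip")].append(u.group("user"))
    return dict(attempts)


def looks_like_dictionary_attack(usernames, min_attempts=3):
    """The asker's heuristic: several distinct usernames, tried in alphabetical order."""
    distinct = list(dict.fromkeys(usernames))  # dedupe while keeping first-seen order
    return len(distinct) >= min_attempts and distinct == sorted(distinct)


def brute_force_sources(log_text, min_attempts=3):
    """Source IPs whose invalid-user attempts look like a username dictionary sweep."""
    return sorted(
        ip for ip, users in invalid_user_attempts(log_text).items()
        if looks_like_dictionary_attack(users, min_attempts)
    )


def allowed_by_rule(ip, source_ranges):
    """Would a port-22 rule restricted to source_ranges (CIDR strings) admit this client IP?"""
    addr = ipaddress.ip_address(ip)
    # strict=False tolerates host bits in the CIDR, e.g. "3.4.6.5/23"; mixed IPv4/IPv6 is never a match.
    return any(addr in ipaddress.ip_network(r, strict=False) for r in source_ranges)


def rule_would_block(log_text, source_ranges):
    """For each flagged attacker, True if the restricted rule would drop its traffic."""
    return {ip: not allowed_by_rule(ip, source_ranges) for ip in brute_force_sources(log_text)}


if __name__ == "__main__":
    for ip, users in invalid_user_attempts(SAMPLE_LOG).items():
        verdict = "dictionary sweep" if looks_like_dictionary_attack(users) else "isolated"
        print(f"{ip}: {len(users)} invalid-user attempts ({verdict})")
    print("blocked by restricted rule:", rule_would_block(SAMPLE_LOG, MY_SSH_SOURCES))
```

Run it against real output by piping the serial console text into `invalid_user_attempts` instead of `SAMPLE_LOG`. Before applying an allow-list, also pass your own current address to `allowed_by_rule` with the ranges you intend to use; a rule that blocks the attacker but also blocks you is the usual way people lock themselves out of an instance.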


These are simply portscans. I assume they are from scripts scanning an IP range. I have been seeing the same on my personal server machine for many years now. There is not much you can do about it, except to make sure that you have no ports open for connections which are not really necessary for your system, and regularly look for intruders.

Devolus answered Dec 07 '25 00:12
