"POSSIBLE BREAK-IN ATTEMPT!" in /var/log/secure — what does this mean?

Solution 1:

Unfortunately this is now a very common occurrence. It is an automated attack on SSH which is using 'common' usernames to try and break into your system. The message means exactly what it says; it does not mean that you have been hacked, just that someone tried.

Solution 2:

The "POSSIBLE BREAK-IN ATTEMPT" part specifically, is related to the "reverse mapping checking getaddrinfo failed" part. It means the person who was connecting didn't have forward and reverse DNS configured correctly. This is quite common, especially for ISP connections, which is where the "attack" was probably coming from.

Unrelated to the "POSSIBLE BREAK-IN ATTEMPT" message, the person is actually trying to break in using common user names and passwords. Do not use simple passwords for SSH; in fact the best idea is to disable passwords altogether and use SSH keys only.


Solution 3:

"What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean?"

This means that the netblock owner did not update the PTR record for a static IP within their range, and said PTR record is outdated, OR an ISP does not set up proper reverse records for its dynamic IP customers. This is very common, even for large ISPs.

You end up getting the message in your log because someone coming from an IP with improper PTR records (due to one of the reasons above) is trying to use common usernames to try to SSH into your server (possibly a brute-force attack, or maybe an honest mistake).

To disable these alerts, you have two choices:

1) If you have a static IP, add your reverse mapping to your /etc/hosts file (see more info here):

10.10.10.10 server.remotehost.com

2) If you have a dynamic IP and really want to make those alerts go away, comment out the "GSSAPIAuthentication yes" in your /etc/ssh/sshd_config file.


Solution 4:

You can make your logs easier to read and check by turning off reverse lookups in sshd_config (UseDNS no). This will prevent sshd from logging the "noise" lines containing "POSSIBLE BREAK-IN ATTEMPT", leaving you to concentrate on the slightly more interesting lines containing "Invalid user USER from IPADDRESS".
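Solutions 2 and 4 both come down to two sshd_config settings: key-only authentication and UseDNS no. The script below is an added example (not code from any of the answers) that audits an sshd_config fragment for those settings the way sshd itself reads the file: keywords are case-insensitive, the first value seen wins, lines starting with # are comments, and anything after a Match line is conditional and is not part of the global section. The DEFAULTS table is an assumption about current OpenSSH defaults (UseDNS defaulted to yes before OpenSSH 6.8); confirm the effective values on a real host with `sshd -T`. The sample configs are constructed.

```python
"""Audit an sshd_config fragment for key-only auth and UseDNS no."""
import re

# Assumed OpenSSH defaults applied when a directive is absent
# (check `sshd -T` on the real host; UseDNS was "yes" before 6.8).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",  # PAM-driven password prompts
    "usedns": "no",
}

# What this page recommends: keys only, no reverse-DNS noise in the log.
WANTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
    "usedns": "no",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the FIRST value it sees for a keyword, keywords are
    case-insensitive, a line whose first non-blank char is '#' is a comment,
    and directives after a Match line only apply conditionally, so stop there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if len(parts) == 2 and keyword not in settings:
            settings[keyword] = parts[1].strip().lower()
    return settings


def audit(text):
    """Return [(keyword, effective_value, wanted_value)] for every mismatch."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


# Constructed sample: the directive is commented out, so the default (yes)
# applies, and the Match block does not change the global setting.
SAMPLE_WEAK = """\
Port 22
#PasswordAuthentication no
UseDNS yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

# Constructed sample of the corrected global section.
SAMPLE_FIXED = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UseDNS no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit(cfg) or "OK")
```

Run it with a real file via `audit(open("/etc/ssh/sshd_config").read())`; the ChallengeResponseAuthentication check is there because turning off PasswordAuthentication alone still leaves PAM keyboard-interactive password prompts enabled on many distributions.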


Solution 5:

It's not necessarily a successful login, but what it says: "possible" and "attempt".

Some bad boy or script kiddie is sending you crafted traffic with a false origin IP.

You can add origin IP limitations to your SSH keys, and try something like fail2ban.
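Solution 4 says to ignore the "POSSIBLE BREAK-IN ATTEMPT" lines and watch the "Invalid user USER from IP" lines instead, and Solution 5 points at fail2ban, which does exactly that with a per-IP retry threshold. The script below is an added example (not from any answer, and not fail2ban's own filter) that runs that logic over a few constructed /var/log/secure lines: the reverse-DNS lines are counted as noise and otherwise ignored, "Invalid user" and "Failed password for <real user>" lines are tallied per source IP, and an IP that reaches `maxretry` attempts is reported. The log lines, hostnames and 203.0.113.x / 198.51.100.x addresses are constructed sample data.

```python
"""Separate reverse-DNS noise from real SSH login failures and flag sources
that pass a fail2ban-style retry threshold."""
import re

# Constructed sample lines in the syslog layout used by /var/log/secure.
SAMPLE_LOG = """\
Mar  4 10:15:22 web1 sshd[2140]: reverse mapping checking getaddrinfo for dyn-5.isp.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  4 10:15:22 web1 sshd[2140]: Invalid user admin from 203.0.113.5
Mar  4 10:15:24 web1 sshd[2140]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  4 10:15:30 web1 sshd[2143]: Invalid user oracle from 203.0.113.5
Mar  4 10:15:35 web1 sshd[2145]: Invalid user test from 203.0.113.5
Mar  4 10:16:01 web1 sshd[2150]: reverse mapping checking getaddrinfo for home.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  4 10:16:02 web1 sshd[2150]: Failed password for alice from 198.51.100.7 port 40110 ssh2
Mar  4 10:16:09 web1 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 40110 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# The DNS-mismatch line: says nothing about whether the login succeeded.
NOISE_RE = re.compile(r"POSSIBLE BREAK-IN ATTEMPT")
# Guess at a non-existent account (the line Solution 4 says to watch).
INVALID_USER_RE = re.compile(r"Invalid user (\S+) from " + IPV4)
# Wrong password for a real account. "Failed ... for invalid user" is skipped
# here because the matching "Invalid user" line already counted that attempt.
FAILED_VALID_RE = re.compile(r"Failed \S+ for (?!invalid user)(\S+) from " + IPV4)


def classify(log_text):
    """Return (noise_count, attempts) where attempts maps IP -> usernames tried."""
    noise = 0
    attempts = {}
    for line in log_text.splitlines():
        if NOISE_RE.search(line):
            noise += 1
            continue
        match = INVALID_USER_RE.search(line) or FAILED_VALID_RE.search(line)
        if match:
            user, ip = match.groups()
            attempts.setdefault(ip, []).append(user)
    return noise, attempts


def offenders(log_text, maxretry=3):
    """IPs with at least `maxretry` failed or invalid-user logins, sorted."""
    _, attempts = classify(log_text)
    return sorted(ip for ip, users in attempts.items() if len(users) >= maxretry)


if __name__ == "__main__":
    noise, attempts = classify(SAMPLE_LOG)
    print(f"{noise} reverse-DNS noise lines ignored")
    for ip, users in attempts.items():
        print(f"{ip}: {len(users)} attempt(s): {', '.join(users)}")
    print("over threshold:", offenders(SAMPLE_LOG))
```

On real data, feed it `open("/var/log/secure").read()`; the IP with three username guesses is reported while the home connection with one wrong password followed by a key login is not, even though both produced a "POSSIBLE BREAK-IN ATTEMPT" line.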