Hey guys, I keep getting these abuse emails from my ISP. They've already disabled my internet once, and I've convinced them I would find the problem. The only culprit is my Ubuntu server running 16.04. I've tried disabling every user but my main one from accessing SSH and using iptables to block traffic, and still the same thing. Which logs can I check that can help me identify the process or culprit?
Here is a quote from the email complaint. As you can see, a computer at my IP address 184.181.XXX.XXX (my Ubuntu server) is using SSH without my permission to brute-force another server.
Note: Local timezone is +0300 (EEST)
> Aug 17 21:49:41 mgw2 sshd[27945]: Invalid user odoo from 184.181.XXX.XXX
> Aug 17 21:49:41 mgw2 sshd[27945]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip184-181-XXX.XXX.oc.oc.cox.net
> Aug 17 21:49:43 mgw2 sshd[27945]: Failed password for invalid user odoo from 184.181.XXX.XXX port 36256 ssh2
> Aug 17 21:49:43 mgw2 sshd[27945]: Connection closed by 184.181.XXX.XXX [preauth]
> Aug 17 21:52:03 mgw2 sshd[29644]: Invalid user odoo from 184.181.XXX.XXX
> Aug 17 21:52:03 mgw2 sshd[29644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip184-181-XXX.XXX.oc.oc.cox.net
> Aug 17 21:52:05 mgw2 sshd[29644]: Failed password for invalid user odoo from 184.181.XXX.XXX port 39012 ssh2
> Aug 17 21:52:05 mgw2 sshd[29644]: Connection closed by 184.181.XXX.XXX [preauth]
> Aug 17 21:52:30 mgw2 sshd[29916]: Invalid user odoo from 184.181.XXX.XXX
> Aug 17 21:52:30 mgw2 sshd[29916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip184-181-XXX.XXX.oc.oc.cox.net
> Aug 17 21:52:32 mgw2 sshd[29916]: Failed password for invalid user odoo from 184.181.XXX.XXX port 37828 ssh2
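Since the question is which process on the box is opening these connections, here is an added triage helper (not part of the original post) that maps outbound SSH connections to their owning PID and process name by parsing `ss -tnp` output; the sample output, PIDs and peer addresses below are constructed, and the live run needs root so `ss` can show process info.

```python
"""Map outbound SSH connections on this host to the process that owns them."""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ss -tnp` output (same column layout iproute2 prints).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.10:36256   203.0.113.5:22      users:(("ssh",pid=4242,fd=3))
ESTAB  0      0      192.168.1.10:39012   203.0.113.5:22      users:(("ssh",pid=4242,fd=4))
ESTAB  0      0      192.168.1.10:52001   198.51.100.7:22     users:(("perl",pid=1337,fd=5))
ESTAB  0      0      192.168.1.10:40000   93.184.216.34:443   users:(("curl",pid=777,fd=3))
"""

# Pulls the process name and pid out of the users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def outbound_ssh_by_process(ss_output, dport=22):
    """Return {(pid, name): [peer_host, ...]} for ESTAB connections to remote port dport."""
    result = defaultdict(list)
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer = fields[4]
        host, _, port = peer.rpartition(":")  # rpartition also handles [v6]:port
        if port != str(dport):
            continue
        m = PROC_RE.search(line)
        if not m:
            continue  # no process info: ss was not run as root
        result[(int(m.group("pid")), m.group("name"))].append(host)
    return dict(result)


def live_report():
    """Run ss on this machine and print where to look next for each suspect pid."""
    # stdout=PIPE / universal_newlines keep this working on the Python 3.5 of 16.04.
    proc = subprocess.run(["ss", "-tnp"], stdout=subprocess.PIPE,
                          universal_newlines=True, check=True)
    for (pid, name), peers in outbound_ssh_by_process(proc.stdout).items():
        print("pid={} ({}) -> {} SSH connection(s) to {}".format(
            pid, name, len(peers), sorted(set(peers))))
        print("  inspect: ls -l /proc/{0}/exe /proc/{0}/cwd; tr '\\0' ' ' "
              "< /proc/{0}/cmdline; ps -o user= -p {0}".format(pid))


if __name__ == "__main__":
    live_report()
```

A process such as `perl` holding many connections to port 22 is the thing to chase; its `/proc/<pid>/exe`, working directory and owning user usually point at the dropped files and the cron or startup entry that relaunches them.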