SSH hacked?

Phil Tann phil.tann at
Mon Jan 12 23:18:40 UTC 2009

NoOp wrote:
> For where it came from have a look in /var/log/auth.log
> It should show something along the lines of:
> Jan 12 14:06:22 <user> sshd[12412]: Accepted password for <username>
> from port 54921 ssh2
> Jan 12 14:06:22 <user> sshd[12414]: pam_unix(sshd:session): session
> opened for user <username> by (uid=0)
> Jan 12 14:06:32 <user> sshd[12414]: pam_unix(sshd:session): session
> closed for user <username>
> $ cat /var/log/auth.log |grep sshd
> To stop it happening again, I'd recommend looking into denyhosts &
> changing your ssh port number from the default 22.
I have found from personal experience that if a "determined person" 
keeps hunting they go WAY outside the rane for standard ports.  So I use 
port 19 for ssh on a couple of systems I maintain.  Its very occasional 
that I even get a hit on 19. :)

Good Luck!

Phil Tann
phil.tann at

More information about the ubuntu-users mailing list