I set up my Raspberry a few weeks ago. Currently I just use it as an SSH server until I find the time to do something more interesting with it.

The Raspberry runs a sshd server and is connected to my home router. My router forwards a port (not 22, something different) to port 22 on the Raspberry. I disabled password authentication for the SSH server and set up a private/public key authentication. Also, my router updates my (dynamic) home IP address to some sort of dynamic DNS service.

So that's my setup, and it works.

What bothers me: I just checked my /var/log/auth.log file and noticed some strange entries. First of all, every hour I get an entry like this one:

CRON[31837]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[31837]: pam_unix(cron:session): session closed for user root

Even though I have no cronjobs running (sudo crontab -e is empty, so is crontab -e for the pi-user). Is this normal?

Then, I noticed some other entries with unknown (not mine) IP addresses:

Jan 4 sshd[29395]: Connection closed by xx.xx.xx.xx [preauth]
Jan 5 sshd[30658]: Received disconnect from xx.xx.xx.xx: 11: disconnect [preauth]
Jan 7 sshd[31634]: Bad protocol version identification '\026\003\001' from xx.xx.xx.xx port xxxxx
Jan 7 sshd[31635]: Bad protocol version identification 'GET //a2billing HTTP/1.1' from xx.xx.xx.xx port xxxx

Do I have to worry that someone is trying to access my Raspberry? Or is this completely normal for an SSH server that is connected to the internet? Are there any things I should do to improve the security?

2 Answers

I think you don't have to worry.

For the CRON I guess it's the fake-hwclock run hourly. You can check this with:

ls /etc/cron.hourly/ 

If fake-hwclock is there, and it should be, this is the cause.

The first two other messages come in the pre-authorization phase. This happens if no valid authentication has been provided within the login grace time.

The other two messages are related to wrong protocol headers. They are typical results of port-scanning. Sometimes they are very noisy, but nothing to get worried about.

  • I've forgotten to mention the other cron jobs (daily etc) as Jakuje did. Commented Jan 7, 2016 at 11:24
  • ls /etc/cron.hourly/ shows fake-hwclock, so I guess that's the origin of the CRON entries. Thanks a lot. Commented Jan 7, 2016 at 11:58
Even if you didn't set up any cron job, there might be some default "maintenance" ones, for example /etc/cron.daily/logrotate, which certainly runs with root permissions.

Check paths in /etc/cron.daily, hourly, monthly or so. It should also be logged somewhere.

The second one is just some HTTP client trying to connect to your SSH over the forwarding. Probably some random port scanner. If you did block password authentication, there is nothing to worry about.
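Both answers boil down to the same triage rule: cron session lines and pre-authentication noise are background, and the lines that actually matter are the ones where sshd accepts a login. The script below is an added example, not code from the question or either answer, that applies that rule to a constructed auth.log excerpt modelled on the one in the question (the addresses are RFC 5737 documentation ranges, not real hosts). It also decodes the octal escapes sshd prints for a bad protocol banner: `\026\003\001` is the start of a TLS handshake record, so that client was speaking HTTPS to the forwarded port, while the `GET //a2billing` line is a plain HTTP request, both consistent with the scanner explanation given above.

```python
"""Classify /var/log/auth.log lines into background noise versus real access.

Added example (not from the question or answers): it tags the kinds of lines
the question shows (cron sessions, pre-auth disconnects, bad protocol banners)
and separates them from accepted logins, which are the lines worth reviewing.
"""
import re
from collections import Counter

# Constructed sample modelled on the question's excerpt; the addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_AUTH_LOG = """\
Jan 4 sshd[29395]: Connection closed by 198.51.100.10 [preauth]
Jan 5 sshd[30658]: Received disconnect from 198.51.100.10: 11: disconnect [preauth]
Jan 7 sshd[31634]: Bad protocol version identification '\\026\\003\\001' from 198.51.100.23 port 51234
Jan 7 sshd[31635]: Bad protocol version identification 'GET //a2billing HTTP/1.1' from 198.51.100.23 port 51240
Jan 7 sshd[31640]: Accepted publickey for pi from 192.0.2.5 port 50022 ssh2
Jan 7 CRON[31837]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 7 CRON[31837]: pam_unix(cron:session): session closed for user root
"""

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Each pattern maps a line shape to a category; the first match wins.
PATTERNS = [
    ("preauth_disconnect", re.compile(
        r"sshd\[\d+\]: (?:Connection closed by|Received disconnect from) " + IP + r".*\[preauth\]")),
    ("bad_protocol", re.compile(
        r"sshd\[\d+\]: Bad protocol version identification '(?P<banner>[^']*)' from " + IP)),
    ("accepted_login", re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from " + IP)),
    ("failed_login", re.compile(
        r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from " + IP)),
    ("cron_session", re.compile(
        r"CRON\[\d+\]: pam_unix\(cron:session\): session (?P<state>opened|closed) for user (?P<user>\S+)")),
]


def describe_banner(banner):
    """Say what the non-SSH bytes sshd complained about look like.

    sshd prints unprintable bytes as octal escapes; 0x16 0x03 is the start of
    a TLS handshake record, i.e. a client spoke HTTPS to the SSH port.
    """
    raw = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), banner).encode("latin-1")
    if raw[:2] == b"\x16\x03":
        return "tls_client_hello"
    if re.match(rb"(?:GET|POST|HEAD|PUT|OPTIONS) ", raw):
        return "http_request"
    return "unknown"


def classify(line):
    """Return a record dict for a recognised line, or None for anything else."""
    for category, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            rec = {"category": category, **m.groupdict()}
            if category == "bad_protocol":
                rec["detail"] = describe_banner(rec["banner"])
            return rec
    return None


def analyze(log_text):
    """Classify every line; unrecognised lines are kept as 'other' for manual review."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        records.append(classify(line) or {"category": "other", "line": line})
    return records


def summarize(records):
    """Counts per category and per source address, plus the logins that succeeded."""
    categories = Counter(r["category"] for r in records)
    sources = Counter(r["ip"] for r in records if "ip" in r)
    accepted = [(r["user"], r["ip"], r["method"]) for r in records if r["category"] == "accepted_login"]
    return {"categories": categories, "sources": sources, "accepted": accepted}


if __name__ == "__main__":
    summary = summarize(analyze(SAMPLE_AUTH_LOG))
    for category, n in sorted(summary["categories"].items()):
        print(f"{category:20s} {n}")
    print("accepted logins:", summary["accepted"])
```

Run it against a real file with `analyze(open("/var/log/auth.log").read())`; the `accepted` list is the one to read carefully, since with password authentication off every successful entry should be a `publickey` login from an address and user you recognise, and everything in the other categories is the scanner background the answers describe.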
