Hi, I recently get many of those, which means someone found out that ssh external is on port 22222 and is trying to do some evil work there. Should I worry or do something?
Jun 10 02:44:38 server sshd[3189]: debug1: Forked child 21583. Jun 10 02:44:38 server sshd[21583]: debug1: Set /proc/self/oom_score_adj to 0 Jun 10 02:44:38 server sshd[21583]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7 Jun 10 02:44:38 server sshd[21583]: debug1: inetd sockets after dupping: 3, 3 Jun 10 02:44:38 server sshd[21583]: Connection from 197.159.128.171 port 60976 on 192.168.40.40 port 22222 Jun 10 02:44:38 server sshd[21583]: debug1: Client protocol version 2.0; client software version libssh-0.2 Jun 10 02:44:38 server sshd[21583]: debug1: no match: libssh-0.2 Jun 10 02:44:38 server sshd[21583]: debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3 Jun 10 02:44:38 server sshd[21583]: debug1: Enabling compatibility mode for protocol 2.0 Jun 10 02:44:38 server sshd[21583]: debug2: fd 3 setting O_NONBLOCK Jun 10 02:44:38 server sshd[21583]: debug2: Network child is on pid 21584 Jun 10 02:44:38 server sshd[21583]: debug1: permanently_set_uid: 109/65534 [preauth] Jun 10 02:44:38 server sshd[21583]: debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256 [preauth] Jun 10 02:44:38 server sshd[21583]: debug1: SSH2_MSG_KEXINIT sent [preauth] Jun 10 02:44:38 server sshd[21583]: Connection closed by 197.159.128.171 port 60976 [preauth] Jun 10 02:44:38 server sshd[21583]: debug1: do_cleanup [preauth] Jun 10 02:44:38 server sshd[21583]: debug1: monitor_read_log: child log fd closed Jun 10 02:44:38 server sshd[21583]: debug1: do_cleanup Jun 10 02:44:38 server sshd[21583]: debug1: Killing privsep child 21584 Jun 10 02:44:38 server sshd[21583]: debug1: audit_event: unhandled event 12 Similar for apache web server. I think both are secure: for ssh no users with easy password allowed to login and apache - no pages or stuff that would compromise. thanks for opinion regards