What is this log?

We have to be honest: logs are often an afterthought for most developers. Many logs are pretty cryptic unless you can look at the code and see what is going on. In this section, we share what we think of a specific log: the cryptic ones, the fun ones and some of the ones we see more often.

Log: sshd-failed-password-gitlab

May 12 21:28:26 log1 sshd[31245]: Invalid user gitlab from port 59318

ID:  sshd-failed-password-gitlab
For: Linux/BSD servers running SSHD

Meaning: SSHD failed login attempt for an invalid user. We often see them in brute-force attacks, where many usernames are tried - in this case gitlab. The IP is from the IS-AS-1 ASN - pointing to santovapor, which is likely compromised.

What to do: Block IP / Use strong passwords via SSH / Only allow SSH keys.
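
An added example (not part of the original page): a small Python detector for this log ID that parses "Invalid user" lines and flags sources that try several distinct invalid usernames, the brute-force pattern described above. The function names, the threshold of 3, the documentation-range IPs and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches sshd "Invalid user" syslog lines. The source address is optional
# because published samples (like the one on this page) may have it stripped.
INVALID_USER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"Invalid user (?P<user>\S+) from\s+(?:(?P<src>\S+)\s+)?port (?P<port>\d+)"
)

# Constructed sample: the page's line first, then invented lines using
# documentation-range addresses (203.0.113.0/24, 198.51.100.0/24).
SAMPLE = [
    "May 12 21:28:26 log1 sshd[31245]: Invalid user gitlab from port 59318",
    "May 12 21:28:29 log1 sshd[31247]: Invalid user gitlab from 203.0.113.7 port 59320",
    "May 12 21:28:31 log1 sshd[31249]: Invalid user jenkins from 203.0.113.7 port 59322",
    "May 12 21:28:34 log1 sshd[31251]: Invalid user deploy from 203.0.113.7 port 59324",
    "May 12 21:30:02 log1 sshd[31260]: Invalid user test from 198.51.100.20 port 40112",
    "May 12 21:31:10 log1 sshd[31270]: Accepted publickey for alice from 198.51.100.20 port 40120 ssh2",
]


def parse_invalid_user(line):
    """Return the fields of an 'Invalid user' line as a dict, or None."""
    m = INVALID_USER.match(line)
    return m.groupdict() if m else None


def flag_sources(lines, min_users=3):
    """Map each source IP that tried >= min_users distinct invalid usernames
    to the sorted list of names. Lines without a source are not attributed."""
    tried = defaultdict(set)
    for line in lines:
        rec = parse_invalid_user(line)
        if rec and rec["src"]:
            tried[rec["src"]].add(rec["user"])
    return {s: sorted(u) for s, u in tried.items() if len(u) >= min_users}


if __name__ == "__main__":
    for src, users in flag_sources(SAMPLE).items():
        print(f"{src}: {len(users)} invalid usernames tried: {', '.join(users)}")
```

Counting distinct usernames per source, rather than raw failures, separates username spraying from a single user mistyping a login; tune min_users to the noise level of the host.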
