SSH port scan

How would you know if someone has run an SSH port scan against your server? TL;DR: Check your log file.

How to know that an SSH port scan has occurred on your server

It is very common to have your server's ports scanned if your server is reachable from the internet. But how do you know if that has happened? The log files are your friend, especially the log file found in /var/log/ called auth.log. Here you find all connection attempts to your SSH server. A port scan looks exactly like this in the log, and this is an authentic SSH port scan from a Russian IP address:

Jan 5 08:03:51 <your server name> sshd[59690]: Connection from 84.39.244.231 port 1506 on <your server IP address> port <your SSH port, default 22>
Jan 5 08:03:51 <your server name> sshd[59690]: Did not receive identification string from 84.39.244.231

So the /var/log/auth.log log file is your friend if you want to find out if someone is trying to hack your server. But remember that the above log message is just the result of an SSH port scan, and no one actually tried to log in to your server in this case.
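
To separate scan noise from real login attempts, the following added example (not part of the original post) counts the "Did not receive identification string" lines per source IP and marks which of those IPs never tried to authenticate. The sample lines are constructed with documentation-range addresses, and the function names are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format shown above (documentation-range IPs, made-up host).
SAMPLE_LOG = """\
Jan 5 08:03:51 host1 sshd[59690]: Connection from 203.0.113.7 port 1506 on 192.0.2.10 port 22
Jan 5 08:03:51 host1 sshd[59690]: Did not receive identification string from 203.0.113.7
Jan 5 08:05:30 host1 sshd[59711]: Did not receive identification string from 203.0.113.7 port 1622
Jan 5 08:06:01 host1 sshd[59701]: Did not receive identification string from 198.51.100.23
Jan 5 08:06:12 host1 sshd[59702]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jan 5 08:07:02 host1 sshd[59720]: Accepted publickey for deploy from 192.0.2.50 port 51514 ssh2
"""

# The client connected but never sent its SSH version banner: typical of a port scan.
NO_BANNER = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")
# The client went on to authenticate (successfully or not).
LOGIN = re.compile(r"sshd\[\d+\]: (?:Failed|Accepted) \S+ for (?:invalid user )?\S+ from (\S+)")

def classify(lines):
    """Count banner-less connections (scans) and login attempts per source IP."""
    scans, logins = Counter(), Counter()
    for line in lines:
        if m := NO_BANNER.search(line):
            scans[m.group(1)] += 1
        elif m := LOGIN.search(line):
            logins[m.group(1)] += 1
    return scans, logins

def scan_only(lines):
    """IPs that probed the SSH port but never attempted to log in."""
    scans, logins = classify(lines)
    return {ip: n for ip, n in scans.items() if ip not in logins}

if __name__ == "__main__":
    # Pass a log path such as /var/log/auth.log, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    scans, logins = classify(lines)
    for ip, n in scans.most_common():
        note = "also tried to log in" if ip in logins else "scan only"
        print(f"{ip}\t{n} banner-less connection(s)\t{note}")
```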
