Linode Forum
Linode Community Forums
 Post subject: Security question
Posted: Sun Dec 16, 2012 9:30 am
Senior Member

Joined: Tue Sep 13, 2011 7:13 am
Posts: 67
I see a bunch of logs like this


Dec 16 14:22:50 plato sshd[9546]: Failed password for root from 222.173.194.34 port 18199 ssh2
Dec 16 14:22:53 plato sshd[9548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:22:55 plato sshd[9548]: Failed password for root from 222.173.194.34 port 19366 ssh2
Dec 16 14:22:59 plato sshd[9550]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:23:01 plato sshd[9550]: Failed password for root from 222.173.194.34 port 20514 ssh2
Dec 16 14:23:04 plato sshd[9552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:23:06 plato sshd[9552]: Failed password for root from 222.173.194.34 port 21697 ssh2


where it looks like someone is trying to access my server as root user and failing? And it was not me trying to connect. Would this be true, and what should I do to prevent such a possibility?
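A way to summarise log lines like the ones quoted in this post, as an added example that is not part of the original thread: it counts failed password attempts per source address and user. Apart from the address shown in the post, the sample lines, user names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the first three lines copy the format (and source IP)
# from the post; the remaining lines and addresses are made up.
sample_log() {
cat <<'EOF'
Dec 16 14:22:50 plato sshd[9546]: Failed password for root from 222.173.194.34 port 18199 ssh2
Dec 16 14:22:53 plato sshd[9548]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.173.194.34 user=root
Dec 16 14:22:55 plato sshd[9548]: Failed password for root from 222.173.194.34 port 19366 ssh2
Dec 16 14:23:01 plato sshd[9550]: Failed password for invalid user admin from 222.173.194.34 port 20514 ssh2
Dec 16 14:25:10 plato sshd[9601]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Dec 16 14:26:02 plato sshd[9610]: Failed password for root from 203.0.113.9 port 40100 ssh2
EOF
}

# Print "count source-ip user" per failed password attempt, busiest first.
# Only "Failed password" lines are counted; the pam_unix line describes the
# same attempt and would double the totals.
failed_by_source() {
    awk '
    # The user name is supplied by the client, so fields are read from the
    # END of the line: ... for [invalid user] NAME from IP port N ssh2
    NF >= 14 && $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" &&
    $7 == "password" && $(NF-4) == "from" && $(NF-2) == "port" {
        hits[$(NF-3) " " $(NF-5)]++
    }
    END { for (k in hits) print hits[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Print every source IP with at least $1 failed attempts across all users.
sources_over() {
    failed_by_source |
        awk -v min="$1" '{ n[$2] += $1 }
            END { for (ip in n) if (n[ip] >= min) print ip }' |
        LC_ALL=C sort
}

sample_log | failed_by_source
```

On a real host, pipe the sshd log into `failed_by_source` instead of `sample_log`; where that log lives depends on the distribution.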


 Post subject: Re: Security question
Posted: Sun Dec 16, 2012 9:38 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
You're connected to the Internet, so other things on the Internet will try to see if they can break into your server. This is normal.

Best way to avoid it: "PermitRootLogin no" and "PasswordAuthentication no" in /etc/ssh/sshd_config (note: set up key-based authentication first), and make sure logrotate is installed so that your logs are kept to a manageable size.

_________________
Code:
/* TODO: need to add signature to posts */
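A check for the two settings named in the reply above, as an added example that is not part of the original thread: it reads an sshd_config-style file and reports whether `PermitRootLogin` and `PasswordAuthentication` are explicitly `no` at the global level. The function names and sample files are constructed; it assumes whitespace-separated `Keyword value` lines and does not follow `Include` directives.

```shell
#!/bin/sh
# Value sshd uses for global keyword $2 in config file $1: keywords are
# case-insensitive, the FIRST occurrence wins, "#" starts a comment line, and
# lines after the first Match are conditional, so they are not global.
sshd_global_value() {
    awk -v key="$2" '
    { sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Exit status 0 only if both settings from the post are explicitly "no".
# A missing or commented-out keyword fails: the built-in default would apply.
audit_sshd_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        value=$(sshd_global_value "$1" "$key")
        if [ "$value" = "no" ]; then
            echo "ok   $key no"
        else
            echo "FAIL $key ${value:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not from the thread).
write_weak() {  # commented-out line, "no" after "yes", setting only in Match
    printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication yes' \
        'PasswordAuthentication no' 'Match User deploy' \
        '    PermitRootLogin no' > "$1"
}
write_hardened() {
    printf '%s\n' 'permitrootlogin no' '  PasswordAuthentication no' > "$1"
}

tmp=$(mktemp -d)
write_weak "$tmp/weak"; write_hardened "$tmp/hardened"
audit_sshd_config "$tmp/weak" || echo "weak sample needs fixing"
audit_sshd_config "$tmp/hardened" && echo "hardened sample passes"
rm -rf "$tmp"
```

On a live server, `sshd -T` prints the effective configuration, and `sshd -t` validates the file before the service is reloaded.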


 Post subject: Re: Security question
Posted: Sun Dec 16, 2012 9:47 am
Senior Member

Joined: Tue Sep 13, 2011 7:13 am
Posts: 67
I wouldn't agree it is normal and would say this is certainly something that should be treated as a crime. But I should take more precaution.

I do still use root, and I heard it is not good. Now I see why. How do I create some other user that has all the access, and how do I create a key and use it with PuTTY? I am a noob here, so please give me some short instructions or recommendations. Has Linode got some tutorial on this?


p.s.
I see IP trying to break in some China web http://www.apnic.net/


 Post subject: Re: Security question
Posted: Sun Dec 16, 2012 10:00 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
You may certainly treat it as a crime if you wish. You'd probably have better success enforcing turn signal laws on Boston expressways, however: there are fewer drivers in Boston than there are hijacked systems on the Internet.

This page is probably what you're after: http://library.linode.com/securing-your-server

 Post subject: Re: Security question
Posted: Sun Dec 16, 2012 10:12 am
Senior Member

Joined: Tue Sep 13, 2011 7:13 am
Posts: 67
I am just saying it shouldn't be said as "normal", but I know I can expect that. Thanks for the link and this info.


 Post subject: Re: Security question
Posted: Sun Dec 16, 2012 3:42 pm
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
nor·mal
/ˈnôrməl/

Adjective
Conforming to a standard; usual, typical, or expected.

Noun
The usual, average, or typical state or condition.

Synonyms
adjective. regular - standard - ordinary - common - usual
noun. normality - normalcy - perpendicular

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


 Post subject: Re: Security question
Posted: Mon Dec 17, 2012 1:11 pm
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
It definitely is normal. Every server you put on the internet is going to get, often within a matter of minutes, various probes from people trying to compromise the system. This will occur regularly for the life of the server (in other words, forever).

If you wanted to treat it as a crime, you'd spend the rest of your life trying to investigate and file charges against the millions of such requests your server will get.

