The 'Connection closed by invalid user' message appears in sshd server logs when someone attempts to SSH into your server using a username that doesn't exist on the system. This is a security event (usually an automated attack) and is normal on any publicly accessible SSH server.
The "Connection closed by invalid user" message is logged by the SSH server daemon (sshd) when it receives an authentication attempt using a username that doesn't exist in the system's user database or is not allowed to log in via SSH. This is **not an error on your client machine** - it's information logged on the **SSH server** showing that someone (or something) tried to connect with invalid credentials. Key points: - This happens automatically on every internet-connected SSH server - Hackers use automated tools to scan for weak credentials - It is not a configuration problem unless you cannot access YOUR OWN server - The connections are automatically rejected and closed by sshd - This is normal security noise, not a system problem
First, confirm that YOU can still log in with your valid username and credentials:
# From your local machine
ssh [email protected]
# This should work normally if you have correct credentialsIf you CAN log in successfully, the 'invalid user' messages are just failed external attacks and are not affecting your access.
Check the SSH server logs to see the extent of the attack:
# View recent invalid user attempts
sudo grep "Invalid user" /var/log/auth.log | tail -20
# Count total attempts by IP
sudo grep "Invalid user" /var/log/auth.log | awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head -10
# View entries from the last hour
sudo grep "Invalid user" /var/log/auth.log | tail -100Expected output:
Invalid user admin from 203.0.113.45 port 54321
Invalid user root from 198.51.100.89 port 12345
Invalid user test from 192.0.2.200 port 9999These are from attackers, not actual problems.
Even though invalid user attempts are harmless, you should harden SSH to reduce noise and improve security:
# Edit SSH server configuration
sudo nano /etc/ssh/sshd_configAdd or modify these settings:
# Disable root login (very common target)
PermitRootLogin no
# Only accept public key authentication
PubkeyAuthentication yes
PasswordAuthentication no
# Reduce MaxAuthTries to fail faster on wrong passwords
MaxAuthTries 3
# Disable empty passwords
PermitEmptyPasswords no
# Use only modern SSH protocol
Protocol 2
# Specify allowed key types (Ed25519 and RSA-4096 are most secure)
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256Then restart SSH:
sudo systemctl restart sshdMoving SSH from port 22 (the default) to an unpredictable high port significantly reduces automated attacks:
# Edit SSH configuration
sudo nano /etc/ssh/sshd_config
# Find the line "Port 22" and change it:
Port 2222 # or any high number > 1024 (avoid common ports like 3389, 5900)Restart SSH:
sudo systemctl restart sshdNow connect using the new port:
ssh -p 2222 [email protected]
# Or configure it permanently in ~/.ssh/config
Host myserver
HostName your-server.com
Port 2222
User usernameImportant: Make sure your firewall allows the new port and update any deployment scripts that use SSH.
fail2ban monitors logs and temporarily bans IPs that make too many failed attempts:
# Install fail2ban
sudo apt-get update
sudo apt-get install fail2ban
# Start the service
sudo systemctl enable fail2ban
sudo systemctl start fail2banConfigure it for SSH:
# Create a local jail configuration
sudo nano /etc/fail2ban/jail.localAdd:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log
maxretry = 3Restart fail2ban:
sudo systemctl restart fail2ban
# Check banned IPs
sudo fail2ban-client status sshdDisable password authentication entirely - use SSH keys instead:
# On your server, edit sshd_config
sudo nano /etc/ssh/sshd_config
# Make sure these lines are set:
PubkeyAuthentication yes
PasswordAuthentication noThen restart:
sudo systemctl restart sshdNow attackers cannot guess your password because passwords are not accepted:
# This will fail
ssh [email protected] # No password prompt, connection refused
# This will work
ssh -i ~/.ssh/id_ed25519 [email protected]If you always connect from the same IP address, restrict SSH access to that IP:
# Using ufw (Ubuntu)
sudo ufw allow from 203.0.113.100 to any port 22/tcp
# For multiple IPs
sudo ufw allow from 203.0.113.100 to any port 22/tcp
sudo ufw allow from 203.0.113.101 to any port 22/tcp
# Check the rules
sudo ufw statusOr using SSH config (/etc/ssh/sshd_config):
# Allow only from specific IPs
ListenAddress 0.0.0.0
AllowUsers [email protected] [email protected]Then restart:
sudo systemctl restart sshdKeep an eye on attack patterns to detect changes:
# Watch for new attacks in real-time
sudo tail -f /var/log/auth.log | grep "Invalid user"
# Or use journalctl on systemd systems
sudo journalctl -u sshd -f
# Generate a daily report of attack summary
sudo grep "Invalid user" /var/log/auth.log | wc -l # Total attempts
# Top attacking IPs
sudo grep "Invalid user" /var/log/auth.log | awk '{print $(NF-2)}' | sort | uniq -c | sort -rn | head -20
# Most commonly attempted usernames
sudo grep "Invalid user" /var/log/auth.log | awk '{print $3}' | sort | uniq -c | sort -rn | head -20This helps you identify if attacks are increasing or coming from new sources.
For additional security, access SSH through a VPN or jump host:
# Connect through a jump host (bastion)
ssh -J jump-host.com [email protected]
# Or configure in ~/.ssh/config
Host bastion
HostName jump-host.com
User username
IdentityFile ~/.ssh/bastion_key
Host internal-server
HostName internal-ip
User username
ProxyJump bastion
IdentityFile ~/.ssh/internal_keyThen connect normally:
ssh internal-serverOr use a VPN:
# Connect to VPN first
sudo openvpn --config client.ovpn
# Then SSH is only available through VPN
ssh username@internal-ipWhy this is normal:
Any server with a public IP address on the internet receives constant automated SSH probing. Major platforms like AWS, Azure, Google Cloud report thousands of failed login attempts per day as the norm. This is not a sign of a breach - it's just the background radiation of internet attacks.
Understanding the attack process:
Automated scanners work in stages:
1. Port scanning (checking if port 22 is open)
2. Banner grabbing (identifying SSH version)
3. Username enumeration (trying common usernames: root, admin, ubuntu, pi)
4. Password spraying (trying weak passwords against discovered usernames)
5. Keylogging (if they gain access)
The "Invalid user" message appears at stage 3 - the connection is immediately rejected because the username doesn't exist. This is a failed attempt and harmless.
The difference between "Invalid user" and "Failed password":
- "Invalid user": Username doesn't exist in /etc/passwd
- "Failed password": Username exists but wrong password was provided
Seeing "Invalid user" frequently is actually a GOOD sign - it means attackers are getting rejected early without reaching the authentication stage.
Security best practices in order of importance:
1. Use SSH keys, not passwords - eliminates guessing attacks entirely
2. Disable root login - most automated attacks target root account
3. Use fail2ban - rate limits failed attempts (basic but effective)
4. Change default port - reduces automated scanning (security through obscurity, but helps with noise)
5. Restrict source IPs - only if your IP is static
6. Use VPN/bastion - excellent for defense-in-depth
Tools to monitor SSH security:
# Watch for successful logins
sudo grep "Accepted" /var/log/auth.log
# Look for permission denied (password auth attempts)
sudo grep "Permission denied" /var/log/auth.log
# Find any successful key-based logins
sudo grep "Accepted publickey" /var/log/auth.log
# Check for repeated failed attempts from same IP
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rnShould you be concerned?
- If you see "Invalid user" messages: No, this is normal noise
- If you see "Accepted password" from unknown IPs: Yes, investigate immediately
- If you cannot log in with your credentials: Critical, your account may be compromised
Check for unauthorized access:
# Successful logins in last 24 hours
sudo grep "Accepted" /var/log/auth.log | grep -v "grep"
# If you see IPs/users you don't recognize, change your password/keys immediatelyLoad key "/home/user/.ssh/id_rsa": invalid format
How to fix 'Load key invalid format' in SSH
Bad owner or permissions on /home/user/.ssh/config
How to fix "Bad owner or permissions on .ssh/config" in SSH
Error connecting to agent: Connection refused
How to fix "Error connecting to agent: Connection refused" in SSH
Connection closed by UNKNOWN port 65535
How to fix 'Connection closed by UNKNOWN port 65535' in SSH
Offending ECDSA key in /home/user/.ssh/known_hosts:line
How to fix "Offending ECDSA key in known_hosts" in SSH