lastb
only shows login failures. Use last
to see successful logins.
It shows people trying to upload or download content. The “notty” part means no tty (where tty is short for teletype) which these days means no monitor or gui, and the ssh indicates port 22, which taken together mean something like scp or rsync.
So not hacking or login attempts, but wrong or mistyped passwords. It might be some content was located via google, but required a password which someone tried to guess.
Actually, on reflection, the above is not right. They could be failed login attempts via ssh, as the questioner suspected; and (as I missed first time) they are at regular 21 or 22 minute intervals which suggests a degree of automation, but lastb
shows failures by definition, so these results would need to be compared against last
to see if any were successful.
Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp
, which contains all the bad login attempts.