Log log audit.log Linux

  linux, question

I bought a host computer in ariyun, and recently found that the database was deleted. looking at audit.log, I found some ssh remote login with suspicious IP. for example, can I conclude that the following information has been hacked?

type=USER_LOGIN msg=audit(1483695199.639:6342): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=login acct=xxxxxxx exe="/usr/sbin/sshd" hostname=?  addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695199.643:6343): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=?   acct="?"  exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695201.437:6344): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=?  addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695201.749:6345): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=?   acct="?"  exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695204.151:6346): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=?  addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695204.464:6347): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=PAM:authentication grantors=?   acct="?"  exe="/usr/sbin/sshd" hostname=xxxxxxx addr=xxxxxxx terminal=ssh res=failed'
 type=USER_AUTH msg=audit(1483695205.943:6348): pid=xxxxxxx uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=password acct=xxxxxxx exe="/usr/sbin/sshd" hostname=?  addr=xxxxxxx terminal=ssh res=failed'
 type=CRYPTO_KEY_USER msg=audit(1483695206.255:6349): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=session fp=?   direction=both spid=xxxxxxx suid=xxxxxxx rport=xxx laddr=xxxxxxx lport=22  exe="/usr/sbin/sshd" hostname=?   addr=xxxxxxx terminal=?  res=success'
 type=CRYPTO_KEY_USER msg=audit(1483695206.256:6350): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=server fp=xxxxxxx direction=?   spid=xxxxxxx suid=0  exe="/usr/sbin/sshd" hostname=?   addr=xxxxxxx terminal=?  res=success'
 type=CRYPTO_KEY_USER msg=audit(1483695206.256:6351): pid=28805 uid=0 auid=xxxxxxx ses=xxxxxxx msg='op=destroy kind=server fp=xxxxxxx direction=?   spid=xxxxxxx suid=0  exe="/usr/sbin/sshd" hostname=?   addr=xxxxxxx terminal=?  res=success'

Basically can confirm, and should be through violent means to break into your machine

At present, many hacker’s machines on the Internet continuously blow up the entire IP section 24 hours a day, scan the existing weak password and try to log in automatically, so try not to use weak password and limit the number of logins in a short period of time.