这是 DDoS 攻击、黑客攻击还是其他什么?

tag-icon tag-icon security ssh denial-of-service home-networking
这是 DDoS 攻击、黑客攻击还是其他什么?

我之前通过 SSH 连接到我的家庭服务器,因为它响应 HTTP 请求的时间太长了。我注意到 shell 提示符也很慢。所以我输入了top,然后看到几个sshd使用大量 CPU 时间的实例。我检查了 auth.log,这就是我看到的内容:

Jul 16 14:31:56 server sshd[5799]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:31:56 server sshd[5799]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:31:56 server sshd[5799]: input_userauth_request: invalid user root [preauth]
Jul 16 14:31:56 server sshd[5799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92  user=root
Jul 16 14:31:59 server sshd[5799]: Failed password for invalid user root from 198.136.57.92 port 54672 ssh2
Jul 16 14:31:59 server sshd[5799]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]
Jul 16 14:32:00 server sshd[5802]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:32:00 server sshd[5802]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:32:00 server sshd[5802]: input_userauth_request: invalid user root [preauth]
Jul 16 14:32:00 server sshd[5802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92  user=root
Jul 16 14:32:01 server sshd[5802]: Failed password for invalid user root from 198.136.57.92 port 56112 ssh2
Jul 16 14:32:02 server sshd[5802]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]
Jul 16 14:32:04 server sshd[5805]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:32:04 server sshd[5805]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:32:04 server sshd[5805]: input_userauth_request: invalid user root [preauth]
Jul 16 14:32:04 server sshd[5805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92  user=root
Jul 16 14:32:06 server sshd[5805]: Failed password for invalid user root from 198.136.57.92 port 57176 ssh2
Jul 16 14:32:06 server sshd[5805]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]

注意左侧的时间戳,看看发生的频率。根据日志,在我看见之前,这种情况已经发生了大约半个小时。不用说,我198.136.57.92在 中屏蔽了他们的 IP( )hosts.deny,但我想知道这里到底发生了什么。这只是一次拒绝服务攻击,还是POSSIBLE BREAK-IN ATTEMPT

答案1

嗯,POSSIBLE BREAK-IN ATTEMPT这意味着尝试连接的 IP 地址的反向 DNS 区域设置不正确;正向 DNS 记录与反向 DNS 记录不匹配。

看起来好像有人试图使用 SSH 强行闯入您的服务器。

我怀疑这是使用 SSH 的 DDoS。

相关内容