我之前通过 SSH 连接到我的家庭服务器,因为它响应 HTTP 请求的时间太长了。我注意到 shell 提示符也很慢。所以我输入了top
,然后看到几个sshd
使用大量 CPU 时间的实例。我检查了 auth.log,这就是我看到的内容:
Jul 16 14:31:56 server sshd[5799]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:31:56 server sshd[5799]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:31:56 server sshd[5799]: input_userauth_request: invalid user root [preauth]
Jul 16 14:31:56 server sshd[5799]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92 user=root
Jul 16 14:31:59 server sshd[5799]: Failed password for invalid user root from 198.136.57.92 port 54672 ssh2
Jul 16 14:31:59 server sshd[5799]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]
Jul 16 14:32:00 server sshd[5802]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:32:00 server sshd[5802]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:32:00 server sshd[5802]: input_userauth_request: invalid user root [preauth]
Jul 16 14:32:00 server sshd[5802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92 user=root
Jul 16 14:32:01 server sshd[5802]: Failed password for invalid user root from 198.136.57.92 port 56112 ssh2
Jul 16 14:32:02 server sshd[5802]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]
Jul 16 14:32:04 server sshd[5805]: reverse mapping checking getaddrinfo for 198-136-57-92.static.lvnoc.com [198.136.57.92] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 16 14:32:04 server sshd[5805]: User root from 198.136.57.92 not allowed because none of user's groups are listed in AllowGroups
Jul 16 14:32:04 server sshd[5805]: input_userauth_request: invalid user root [preauth]
Jul 16 14:32:04 server sshd[5805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.136.57.92 user=root
Jul 16 14:32:06 server sshd[5805]: Failed password for invalid user root from 198.136.57.92 port 57176 ssh2
Jul 16 14:32:06 server sshd[5805]: Received disconnect from 198.136.57.92: 11: Bye Bye [preauth]
注意左侧的时间戳,看看发生的频率。根据日志,在我看见之前,这种情况已经发生了大约半个小时。不用说,我198.136.57.92
在 中屏蔽了他们的 IP( )hosts.deny
,但我想知道这里到底发生了什么。这只是一次拒绝服务攻击,还是POSSIBLE BREAK-IN ATTEMPT
?
答案1
嗯,POSSIBLE BREAK-IN ATTEMPT
这意味着尝试连接的 IP 地址的反向 DNS 区域设置不正确;正向 DNS 记录与反向 DNS 记录不匹配。
看起来好像有人试图使用 SSH 强行闯入您的服务器。
我怀疑这是使用 SSH 的 DDoS。