sshd: Accepted publickey from 127.0.0.1, but no public key has been set up

This unsettling message appeared in my sshd log:

Jun 01 00:39:00 redy sshd[7856]: Accepted publickey for mgara from 127.0.0.1 port 34732 ssh2: RSA SHA256:ymHGJgkw9wZp6E5d/LudMza4rAeacI4mdyj/oMLgPJE
Jun 01 00:38:58 redy sshd[7846]: Did not receive identification string from 127.0.0.1 port 34730
Jun 01 00:38:58 redy sshd[7845]: Did not receive identification string from 127.0.0.1 port 34728
Jun 01 00:38:58 redy sshd[7844]: Server listening on :: port 7022.
Jun 01 00:38:58 redy sshd[7844]: Server listening on 0.0.0.0 port 7022.
Jun 01 00:38:57 redy sshd[7794]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.144  user=root

This worries me, because I have not set up any public key to be authorized, and I was not trying to access my computer in any way at that time. For example, my .ssh folder is empty.

[mgara@redy ~]$ ls ~/.ssh
known_hosts

Does this mean that my computer is being logged into over ssh by some potentially malicious attacker?

My understanding is that 127.0.0.1 is localhost, i.e. my own computer, which makes no sense to me. Is this some benign/expected behaviour of sshd, or is some clever attacker logging in by spoofing their IP address as localhost?

What could I do to investigate this further, if warranted? And what if this is a compromise?

I am currently running sshd on port 22, and I run fail2ban because my computer is constantly bombarded with login attempts.

Edit

I have shut down sshd:

[mgara@redy ~]$ sudo service sshd status
Redirecting to /bin/systemctl status  sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2017-06-01 12:22:59 PDT; 22h ago
   Docs: man:sshd(8)
       man:sshd_config(5)
Main PID: 966 (code=exited, status=0/SUCCESS)

Jun 01 11:48:53 redy sshd[15527]: Received disconnect from 101.66.253.100 port 45742:11: Bye Bye [preauth]
Jun 01 12:08:14 redy sshd[21037]: Invalid user support from 103.207.38.167 port 56463
Jun 01 12:08:14 redy sshd[21037]: input_userauth_request: invalid user support [preauth]
Jun 01 12:08:15 redy sshd[21037]: pam_unix(sshd:auth): check pass; user unknown
Jun 01 12:08:15 redy sshd[21037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.207.38.167
Jun 01 12:08:17 redy sshd[21037]: Failed password for invalid user support from 103.207.38.167 port 56463 ssh2
Jun 01 12:08:17 redy sshd[21037]: error: Received disconnect from 103.207.38.167 port 56463:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 01 12:08:17 redy sshd[21037]: Disconnected from 103.207.38.167 port 56463 [preauth]
Jun 01 12:22:59 redy systemd[1]: Stopping OpenSSH server daemon...
Jun 01 12:22:59 redy systemd[1]: Stopped OpenSSH server daemon.

But I still have log messages that are newer than the moment sshd was stopped!

Jun 01 19:41:53 redy sshd[24602]: Accepted publickey for mgara from 127.0.0.1 port 42700 ssh2: RSA SHA256:oTJuUm8APxMB0nHOKhAo+mdnM5L59g+7kxy7TzsdNp0
Jun 01 19:41:47 redy sshd[24581]: Did not receive identification string from 127.0.0.1 port 42698
Jun 01 12:26:26 redy sshd[26552]: Accepted publickey for mgara from 127.0.0.1 port 38096 ssh2: RSA SHA256:bBBPSge3eFEDWY50mjvOjQgYRSqiN6/qy+jlewBLdGA
Jun 01 12:26:24 redy sshd[26542]: Did not receive identification string from 127.0.0.1 port 38094
Jun 01 12:26:24 redy sshd[26541]: Did not receive identification string from 127.0.0.1 port 38092
Jun 01 12:26:24 redy sshd[26540]: Server listening on :: port 7022.
Jun 01 12:26:24 redy sshd[26540]: Server listening on 0.0.0.0 port 7022.
Jun 01 12:26:02 redy sshd[7844]: Received signal 15; terminating.

My ssh_config is the default one that ships with Fedora 25.

Answer 1

127.0.0.1 is localhost. You can configure authorized_keys somewhere else - check sshd_config.

Answer 2

For those who have seen this odd behaviour and cannot figure it out: for me, it was the x2go server. Shutting down sshd does not disable the x2go server, which apparently still intermittently tries to establish connections to localhost. For me, shutting down and disabling x2go was enough, and the messages went away.
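As an added triage helper (not from this thread or any of its posters), the script below pulls the loopback "Accepted publickey" events out of sshd log text, so the session key fingerprints and PIDs can be matched against a local service such as the one answer 2 names, and it shows where sshd really reads authorized keys from, as answer 1 suggests. It assumes systemd-journal style sshd lines like those quoted above; the sample log is constructed and the fingerprints in it are placeholders.

```shell
#!/usr/bin/env bash
# Added triage helper, not code from the thread. Works on journal-style sshd lines.

# Summarise "Accepted publickey" events that arrived over the loopback address.
# Input: log text on stdin. Output per event: "<timestamp> <user> <fingerprint> <pid>".
loopback_accepts() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for [^ ]+ from 127\.0\.0\.1 / {
            # $1-$3 timestamp, $5 "sshd[pid]:", $9 user, $11 address, $16 key fingerprint
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            print $1 " " $2 " " $3, $9, $16, pid
        }'
}

# Number of distinct client keys accepted over loopback. Every key here must be
# accounted for: a local service (x2go generates its own session keys) or a person.
distinct_loopback_keys() {
    loopback_accepts | awk '{print $5}' | sort -u | wc -l | tr -d ' '
}

# Effective AuthorizedKeysFile: it can point outside ~/.ssh, which is why an empty
# ~/.ssh proves nothing. Needs sshd installed and root to read the live config.
effective_authorized_keys_file() {
    if command -v sshd >/dev/null 2>&1 && sshd -T >/dev/null 2>&1; then
        sshd -T | awk '$1 == "authorizedkeysfile" {print}'
    else
        echo "authorizedkeysfile: (sshd -T not available here; run as root on the host)"
    fi
}

# Constructed sample log modelled on the question's lines (not the poster's real log).
SAMPLE_LOG='Jun 01 00:39:00 redy sshd[7856]: Accepted publickey for mgara from 127.0.0.1 port 34732 ssh2: RSA SHA256:KEYONE
Jun 01 00:38:58 redy sshd[7846]: Did not receive identification string from 127.0.0.1 port 34730
Jun 01 12:08:17 redy sshd[21037]: Failed password for invalid user support from 198.51.100.7 port 56463 ssh2
Jun 01 19:41:53 redy sshd[24602]: Accepted publickey for mgara from 127.0.0.1 port 42700 ssh2: RSA SHA256:KEYTWO
Jun 01 19:45:00 redy sshd[24700]: Accepted publickey for mgara from 203.0.113.5 port 41000 ssh2: RSA SHA256:KEYTHREE'

# Demo run on the constructed sample; on a real host use: journalctl -u sshd | loopback_accepts
printf '%s\n' "$SAMPLE_LOG" | loopback_accepts
printf '%s\n' "$SAMPLE_LOG" | distinct_loopback_keys
effective_authorized_keys_file
```

Each PID printed can then be matched against the service that was running at that time (for example with `journalctl _PID=<pid>`), and a fingerprint that no local service or known key explains is the one to chase.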
