Mar 5 00:39:44 deepcool sshd[259265]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.128.220.78 user=root
Mar 5 00:39:47 deepcool sshd[259265]: Failed password for invalid user root from 178.128.220.78 port 33500 ssh2
Mar 5 00:39:48 deepcool sshd[259265]: Received disconnect from 178.128.220.78 port 33500:11: Bye Bye [preauth]
Mar 5 00:39:48 deepcool sshd[259265]: Disconnected from invalid user root 178.128.220.78 port 33500 [preauth]
Mar 5 00:39:57 deepcool sshd[259288]: User root from 183.47.14.74 not allowed because not listed in AllowUsers
Mar 5 00:39:57 deepcool sshd[259288]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.47.14.74 user=root
Mar 5 00:39:59 deepcool sshd[259288]: Failed password for invalid user root from 183.47.14.74 port 47761 ssh2
Mar 5 00:40:00 deepcool sshd[259288]: Received disconnect from 183.47.14.74 port 47761:11: Bye Bye [preauth]
Mar 5 00:40:00 deepcool sshd[259288]: Disconnected from invalid user root 183.47.14.74 port 47761 [preauth]
Mar 5 00:40:17 deepcool sshd[259299]: User root from 62.4.16.39 not allowed because not listed in AllowUsers
Mar 5 00:40:17 deepcool sshd[259299]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.4.16.39 user=root
Mar 5 00:40:19 deepcool sshd[259299]: Failed password for invalid user root from 62.4.16.39 port 32980 ssh2
Mar 5 00:40:21 deepcool sshd[259299]: Received disconnect from 62.4.16.39 port 32980:11: Bye Bye [preauth]
Mar 5 00:40:21 deepcool sshd[259299]: Disconnected from invalid user root 62.4.16.39 port 32980 [preauth]
Mar 5 00:40:37 deepcool sshd[259311]: User root from 138.68.139.104 not allowed because not listed in AllowUsers
Mar 5 00:40:37 deepcool sshd[259311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=138.68.139.104 user=root
Mar 5 00:40:39 deepcool sshd[259311]: Failed password for invalid user root from 138.68.139.104 port 58750 ssh2
Mar 5 00:40:40 deepcool sshd[259311]: Received disconnect from 138.68.139.104 port 58750:11: Bye Bye [preauth]
Mar 5 00:40:40 deepcool sshd[259311]: Disconnected from invalid user root 138.68.139.104 port 58750 [preauth]
Mar 5 00:41:18 deepcool sshd[259375]: User root from 47.91.106.208 not allowed because not listed in AllowUsers
Mar 5 00:41:18 deepcool sshd[259375]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.91.106.208 user=root
Mar 5 00:41:20 deepcool sshd[259375]: Failed password for invalid user root from 47.91.106.208 port 39690 ssh2
Mar 5 00:41:22 deepcool sshd[259375]: Received disconnect from 47.91.106.208 port 39690:11: Bye Bye [preauth]
Mar 5 00:41:22 deepcool sshd[259375]: Disconnected from invalid user root 47.91.106.208 port 39690 [preauth]
Mar 5 00:41:41 deepcool sshd[259485]: User root from 175.24.125.23 not allowed because not listed in AllowUsers
Mar 5 00:41:41 deepcool sshd[259485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=175.24.125.23 user=root
Mar 5 00:41:42 deepcool sshd[259485]: Failed password for invalid user root from 175.24.125.23 port 43484 ssh2
Mar 5 00:41:44 deepcool sshd[259485]: Received disconnect from 175.24.125.23 port 43484:11: Bye Bye [preauth]
Mar 5 00:41:44 deepcool sshd[259485]: Disconnected from invalid user root 175.24.125.23 port 43484 [preauth]
Mar 5 00:41:50 deepcool sshd[259536]: User root from 134.175.59.225 not allowed because not listed in AllowUsers
Mar 5 00:41:50 deepcool sshd[259536]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=134.175.59.225 user=root
Mar 5 00:41:53 deepcool sshd[259536]: Failed password for invalid user root from 134.175.59.225 port 35164 ssh2
Mar 5 00:41:54 deepcool sshd[259536]: Received disconnect from 134.175.59.225 port 35164:11: Bye Bye [preauth]
Mar 5 00:41:54 deepcool sshd[259536]: Disconnected from invalid user root 134.175.59.225 port 35164 [preauth]
Mar 5 00:44:32 deepcool sshd[259772]: User root from 106.75.188.19 not allowed because not listed in AllowUsers
Mar 5 00:44:32 deepcool sshd[259772]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.75.188.19 user=root
Mar 5 00:44:34 deepcool sshd[259772]: Failed password for invalid user root from 106.75.188.19 port 55758 ssh2
Mar 5 00:44:36 deepcool sshd[259772]: Received disconnect from 106.75.188.19 port 55758:11: Bye Bye [preauth]
Mar 5 00:44:36 deepcool sshd[259772]: Disconnected from invalid user root 106.75.188.19 port 55758 [preauth]
Mar 5 00:44:45 deepcool sshd[259798]: User root from 47.91.106.208 not allowed because not listed in AllowUsers
Mar 5 00:44:45 deepcool sshd[259798]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.91.106.208 user=root
Mar 5 00:44:47 deepcool sshd[259798]: Failed password for invalid user root from 47.91.106.208 port 48074 ssh2
Mar 5 00:44:49 deepcool sshd[259798]: Received disconnect from 47.91.106.208 port 48074:11: Bye Bye [preauth]
Mar 5 00:44:49 deepcool sshd[259798]: Disconnected from invalid user root 47.91.106.208 port 48074 [preauth]
Mar 5 00:45:00 deepcool sshd[259818]: User root from 178.128.220.78 not allowed because not listed in AllowUsers
Mar 5 00:45:00 deepcool sshd[259818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=178.128.220.78 user=root
Mar 5 00:45:02 deepcool sshd[259818]: Failed password for invalid user root from 178.128.220.78 port 45682 ssh2
Mar 5 00:45:03 deepcool sshd[259818]: Received disconnect from 178.128.220.78 port 45682:11: Bye Bye [preauth]
Mar 5 00:45:03 deepcool sshd[259818]: Disconnected from invalid user root 178.128.220.78 port 45682 [preauth]
Mar 5 00:45:21 deepcool sshd[259823]: User root from 212.64.65.2 not allowed because not listed in AllowUsers
Mar 5 00:45:21 deepcool sshd[259823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=212.64.65.2 user=root
Mar 5 00:45:23 deepcool sshd[259823]: Failed password for invalid user root from 212.64.65.2 port 53300 ssh2
Mar 5 00:45:25 deepcool sshd[259823]: Received disconnect from 212.64.65.2 port 53300:11: Bye Bye [preauth]
Mar 5 00:45:25 deepcool sshd[259823]: Disconnected from invalid user root 212.64.65.2 port 53300 [preauth]
Mar 5 00:45:27 deepcool sshd[259827]: User root from 152.179.67.70 not allowed because not listed in AllowUsers
Mar 5 00:45:27 deepcool sshd[259827]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=152.179.67.70 user=root
Mar 5 00:45:30 deepcool sshd[259827]: Failed password for invalid user root from 152.179.67.70 port 2317 ssh2
Mar 5 00:45:31 deepcool sshd[259827]: Received disconnect from 152.179.67.70 port 2317:11: Bye Bye [preauth]
Mar 5 00:45:31 deepcool sshd[259827]: Disconnected from invalid user root 152.179.67.70 port 2317 [preauth]
Mar 5 00:46:21 deepcool sshd[259893]: User root from 62.4.16.39 not allowed because not listed in AllowUsers
Mar 5 00:46:21 deepcool sshd[259893]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.4.16.39 user=root
Mar 5 00:46:23 deepcool sshd[259893]: Failed password for invalid user root from 62.4.16.39 port 36470 ssh2
Mar 5 00:46:24 deepcool sshd[259893]: Received disconnect from 62.4.16.39 port 36470:11: Bye Bye [preauth]
Mar 5 00:46:24 deepcool sshd[259893]: Disconnected from invalid user root 62.4.16.39 port 36470 [preauth]
Mar 5 00:46:49 deepcool sshd[259924]: User root from 49.235.33.85 not allowed because not listed in AllowUsers
Mar 5 00:46:49 deepcool sshd[259924]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.235.33.85 user=root
Mar 5 00:46:51 deepcool sshd[259924]: Failed password for invalid user root from 49.235.33.85 port 34972 ssh2
Mar 5 00:46:51 deepcool sshd[259924]: Received disconnect from 49.235.33.85 port 34972:11: Bye Bye [preauth]
Mar 5 00:46:51 deepcool sshd[259924]: Disconnected from invalid user root 49.235.33.85 port 34972 [preauth]
Mar 5 00:48:19 deepcool sshd[260513]: User root from 47.91.106.208 not allowed because not listed in AllowUsers
Mar 5 00:48:19 deepcool sshd[260513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.91.106.208 user=root
Mar 5 00:48:21 deepcool sshd[260513]: Failed password for invalid user root from 47.91.106.208 port 56456 ssh2
Mar 5 00:48:22 deepcool sshd[260513]: Received disconnect from 47.91.106.208 port 56456:11: Bye Bye [preauth]
Mar 5 00:48:22 deepcool sshd[260513]: Disconnected from invalid user root 47.91.106.208 port 56456 [preauth]
Mar 5 00:49:34 deepcool sshd[260702]: User root from 59.40.79.227 not allowed because not listed in AllowUsers
Mar 5 00:49:34 deepcool sshd[260702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59.40.79.227 user=root
Mar 5 00:49:36 deepcool sshd[260702]: Failed password for invalid user root from 59.40.79.227 port 56604 ssh2
Mar 5 00:49:37 deepcool sshd[260702]: Received disconnect from 59.40.79.227 port 56604:11: Bye Bye [preauth]
Mar 5 00:49:37 deepcool sshd[260702]: Disconnected from invalid user root 59.40.79.227 port 56604 [preauth]
I have some software protection and I am behind a router. What I don't understand is how these probes are reaching my machine behind the LAN. The router has a few port forwards to my machine, but these guys are aiming at random ports and they seem to be reaching this particular machine. From my understanding of networking, they should be rejected at the router.
Why is this happening? What is this a symptom of? What do you recommend?
EDIT: Thanks everyone. I have enabled most of the protections you recommended. I am not forwarding port 22 on the router, and ssh is using a different port. What I really don't understand is whether these requests are reaching my machine, rather than my printer/phone/laptop, or whether they are simply being blocked by the router. In fact, I am considering buying a new router because I think this one has been compromised.
Answer 1
For years there have been at least thousands, and probably hundreds of thousands, of bots (many of them belonging to botnets of already compromised machines) constantly scanning the public IPv4 space looking for systems listening on popular administrative ports such as 22 (SSH) and 3389 (RDP).
If you put a machine on one of those ports on a public IPv4 address, you will be subjected to endless passive probing, with these bots trying to compromise your system by slowly brute-forcing passwords. If you have disabled SSH password authentication or set a strong password with symbols, you are mathematically safe, because the chance that they supply the correct private key or password is practically zero.
The biggest concern is a zero-day vulnerability in the OpenSSH server that allows remote code execution. Those need to be patched immediately, because they are the largest risk of exposing SSH to the public internet.
As for why it is exposed, there could be many reasons. If the port range you forward includes port 22, that is the reason. Your router might also be doing dynamic port forwarding in some way, or your system might be configured to use UPnP to request that the port be opened. Unlikely, but possible.
Without specific details of the router you have and how it is configured, and of the Linux system you have and how it is configured, it is impossible to know exactly why port 22 is being forwarded.
Answer 2
You can set up a crontab entry to block the IPs that try to break into your server; it has to run every 10 minutes.
## line in crontab
*/10 * * * * /usr/bin/tools/anti_hacking.sh > /dev/null 2>&1
This is my script
srvftp01:/usr/bin/tools> cat anti_hacking.sh
#!/bin/bash
DESTINATARIO="[email protected]"
# Current time and the time 10 minutes ago, in syslog format. %e (space-padded
# day) matches the "Mar  5" form syslog writes; %d would produce "Mar 05".
FECHA=$(date '+%b %e %H:%M:%S') && FECHA_PREV=$(date --date '-10 min' '+%b %e %H:%M:%S')
#echo $FECHA_PREV && echo $FECHA
# The first 11 characters ("Mar  5 00:3") cover the hour and the tens digit of
# the minute, so the two prefixes together cover the last 10-minute window.
TIME_INICIAL=$(echo "$FECHA_PREV" | cut -c1-11)
TIME_FINAL=$(echo "$FECHA" | cut -c1-11)
#echo $TIME_INICIAL $TIME_FINAL
### when they try to guess the root password
EN_RIESGO=$(grep "Failed password for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | wc -l)
if [ "$EN_RIESGO" -gt 0 ]; then
  echo "An attempt to guess the root password was made on $(hostname), please check from $FECHA_PREV to $FECHA"
  grep "Failed password for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" > /tmp/hackeo1.txt
  # field 11 is the source IP in "Failed password for root from IP port N ssh2"
  grep "Failed password for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | awk '{print "sshd: "$11}' >> /tmp/hackeo1.txt
  grep "Failed password for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | awk '{print "sshd: "$11}' >> /etc/hosts.deny
  /bin/mutt -e 'set realname=SEGURIDAD' -e 'my_hdr Importance: High' -e 'my_hdr From: [email protected]' -s "IMPORTANT: an attempt to guess the root password was made on $(hostname), please check from $FECHA_PREV to $FECHA" "$DESTINATARIO" < /tmp/hackeo1.txt
else
  echo "todo OK #1"
fi
### when they try to break into an unknown user account
EN_RIESGO=$(grep "Failed password for invalid user" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | wc -l)
if [ "$EN_RIESGO" -gt 0 ]; then
  echo "An attempt to log in with an invalid user was made on $(hostname), please check from $FECHA_PREV to $FECHA"
  grep "Failed password for invalid user" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" > /tmp/hackeo2.txt
  # field 13 is the source IP in "Failed password for invalid user NAME from IP port N ssh2"
  grep "Failed password for invalid user" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | awk '{print "sshd: "$13}' >> /tmp/hackeo2.txt
  grep "Failed password for invalid user" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | awk '{print "sshd: "$13}' >> /etc/hosts.deny
  /bin/mutt -e 'set realname=SEGURIDAD' -e 'my_hdr Importance: High' -e 'my_hdr From: [email protected]' -s "IMPORTANT: an access attempt with an invalid user was made on $(hostname), please check from $FECHA_PREV to $FECHA" "$DESTINATARIO" < /tmp/hackeo2.txt
else
  echo "todo OK #2"
fi
### PAM authentication failures for root (no IP is extracted here, the log lines are only mailed)
EN_RIESGO=$(grep "error: PAM: Authentication failure for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" | wc -l)
if [ "$EN_RIESGO" -gt 0 ]; then
  echo "A PAM authentication failure for root occurred on $(hostname), please check from $FECHA_PREV to $FECHA"
  grep "error: PAM: Authentication failure for root" /var/log/secure | egrep "$TIME_INICIAL|$TIME_FINAL" > /tmp/hackeo3.txt
  /bin/mutt -e 'set realname=SEGURIDAD' -e 'my_hdr Importance: High' -e 'my_hdr From: [email protected]' -s "IMPORTANT: a PAM authentication failure for root occurred on $(hostname), please check from $FECHA_PREV to $FECHA" "$DESTINATARIO" < /tmp/hackeo3.txt
else
  echo "todo OK #3"
fi
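The script above, like the log in the question, keys on the "Failed password for ..." lines, but it blocks every address that appears even once. As an added example (not from the question or the answer), the function below counts failures per source address over the same syslog-style format and only reports addresses that cross a threshold, so one mistyped password from a legitimate user does not land in hosts.deny; the sample log and the addresses in it are constructed.

```shell
#!/bin/sh
# Usage: ssh_offenders LOGFILE THRESHOLD
# Prints, one per line and sorted, every source IP with at least THRESHOLD
# "Failed password" events. Both "Failed password for root from IP" and
# "Failed password for invalid user NAME from IP" put the IP right after the
# word "from", so we look for that word instead of relying on fixed columns.
ssh_offenders() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' "$1" | sort
}

# Constructed sample log in the format shown in the question (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  5 00:39:47 deepcool sshd[259265]: Failed password for invalid user root from 192.0.2.10 port 33500 ssh2
Mar  5 00:39:48 deepcool sshd[259265]: Disconnected from invalid user root 192.0.2.10 port 33500 [preauth]
Mar  5 00:44:47 deepcool sshd[259798]: Failed password for invalid user root from 192.0.2.10 port 48074 ssh2
Mar  5 00:48:21 deepcool sshd[260513]: Failed password for root from 192.0.2.10 port 56456 ssh2
Mar  5 00:45:23 deepcool sshd[259823]: Failed password for invalid user admin from 198.51.100.7 port 53300 ssh2
Mar  5 00:46:23 deepcool sshd[259893]: Accepted publickey for alice from 203.0.113.5 port 36470 ssh2
EOF

# Three failures from 192.0.2.10, one from 198.51.100.7, none from 203.0.113.5:
# with a threshold of 3 only the first address is printed.
ssh_offenders "$SAMPLE_LOG" 3
```

The output can be fed to `/etc/hosts.deny` (prefixed with `sshd: ` as in the script above) or to a firewall rule.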
Answer 3
I recommend the following solutions:
- Change your SSH port to another port in a higher range (above 10000).
- Install fail2ban and set up its SSH protection. After a certain number of failures it will blacklist the bot's remote IP address.
- User-level protection: disable root login in /etc/ssh/sshd_config, set up a regular (non-superuser) user with low privileges on your Linux machine for remote login, and use the sudo command, su, or sudo -i to get a root shell.
- Set strong passwords. Use a proper hash generator that produces a mix of lowercase letters, uppercase letters, digits and punctuation.
Optional: if you always log in from a fixed set of static IP addresses, whitelist them in a .txt file, e.g. trusted-ssh-addresses.txt, close the ssh port, and generate an open rule for each IP address with a script.
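As an added example (not the answer's own script), this turns the whitelist file described in the last point into iptables rules: one ACCEPT per trusted address and a final DROP for the SSH port. The file name trusted-ssh-addresses.txt comes from the answer; the port number, the rule layout and the sample entries are assumptions. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Usage: gen_ssh_rules WHITELIST_FILE SSH_PORT
# Accepts one IPv4 address or CIDR block per line; '#' comments and blank
# lines are ignored. Any other entry is reported on stderr and skipped, so a
# typo never becomes a rule that opens the port to the wrong host.
gen_ssh_rules() {
    ssh_port=$2
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while read -r addr; do
        if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$ssh_port" "$addr"
        else
            printf 'skipping malformed whitelist entry: %s\n' "$addr" >&2
        fi
    done
    # Everyone not whitelisted is dropped. Place these rules after your usual
    # ESTABLISHED,RELATED rule so sessions that are already open survive.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ssh_port"
}

# Constructed sample whitelist (trusted-ssh-addresses.txt in the answer).
TRUSTED=$(mktemp)
trap 'rm -f "$TRUSTED"' EXIT
cat > "$TRUSTED" <<'EOF'
# trusted-ssh-addresses.txt (constructed sample)
203.0.113.5
198.51.100.0/24
not-an-address
EOF

# Two ACCEPT rules, one warning on stderr, then the DROP rule.
gen_ssh_rules "$TRUSTED" 22022
```

Review the printed rules, then run them as root (or translate them into your distribution's firewall front end); the SSH port here is an assumed non-default port, as the answer suggests.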
Answer 4
I can only assume this is also related to spam and extortion emails. It's really something... a bunch of scammers pushing malicious information as advice through forums. Terrible. And they do it just to deceive other people.