Endless ssh attempts from my IP using my public key? Fail2ban logs nothing useful

Recently my hostinger server has been behaving strangely: I have a hard time reaching the websites hosted on it, I can't even ssh in, but when I restart the server from the hostinger panel it goes back to normal.

Checking top, the sshd process was using 100% CPU, so I decided to look at /var/log/auth.log.

[gif: output of tail -f /var/log/auth.log]

The gif above is the output of my sudo tail -f /var/log/auth.log, and as of now it is still running endlessly. The output appears to be an accepted login from my IP, then a disconnect (as in disconnecting from ssh), then a reconnect, then a disconnect. I have been sitting here for 30 minutes and it is still spewing the same thing.

Any clue what this is? Is this actually an intrusion attempt? I have fail2ban and ufw set up on this server, and the fail2ban log shows no strange lines.

top produces this.

[screenshot: top output]

Answer 1

By default sshd does not log wrong public-key attempts (you would have to raise its log level to enable them; it needs LogLevel VERBOSE in sshd_config)...

Or you can simply switch fail2ban's sshd jail to aggressive mode by setting mode in your jail.local:

[sshd]
mode = aggressive
enabled = true

After that, fail2ban also takes unauthenticated attempts into account (bots connecting to the sshd listener, port scanners, etc.) and bans such malicious actors.

To see the difference, you can compare the output of these two commands:

?sudo? fail2ban-regex -v /var/log/auth.log sshd
?sudo? fail2ban-regex -v /var/log/auth.log 'sshd[mode=aggressive]'
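Added example, not part of the answer above or of fail2ban: the answer explains that fail2ban acts on failed or unauthenticated attempts, so a storm of successful key logins like the one in the question never shows up in its log. This small awk filter counts "Accepted publickey" lines per (source IP, key fingerprint) pair and reports pairs above a threshold; the log lines are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed auth.log excerpt: one key from 198.51.100.7 reconnecting three
# times in a few seconds, and one unrelated login from another host.
sample_auth_log() {
  cat <<'EOF'
Nov 13 03:43:01 vps sshd[2101]: Accepted publickey for user from 198.51.100.7 port 50001 ssh2: ED25519 SHA256:EXAMPLEFP1
Nov 13 03:43:01 vps sshd[2101]: pam_unix(sshd:session): session opened for user user by (uid=0)
Nov 13 03:43:02 vps sshd[2101]: Disconnected from user user 198.51.100.7 port 50001
Nov 13 03:43:03 vps sshd[2105]: Accepted publickey for user from 198.51.100.7 port 50002 ssh2: ED25519 SHA256:EXAMPLEFP1
Nov 13 03:43:04 vps sshd[2105]: Disconnected from user user 198.51.100.7 port 50002
Nov 13 03:43:05 vps sshd[2109]: Accepted publickey for user from 198.51.100.7 port 50003 ssh2: ED25519 SHA256:EXAMPLEFP1
Nov 13 03:43:06 vps sshd[2109]: Disconnected from user user 198.51.100.7 port 50003
Nov 13 03:50:00 vps sshd[2200]: Accepted publickey for admin from 203.0.113.9 port 41000 ssh2: RSA SHA256:EXAMPLEFP2
EOF
}

# login_storms [THRESHOLD]: read an auth.log on stdin and print
# "count ip fingerprint" for every (ip, key) pair with more than THRESHOLD
# accepted public-key logins (default 2), highest count first.
login_storms() {
  awk -v thr="${1:-2}" '
    /sshd\[[0-9]+\]: Accepted publickey/ {
      ip = ""; fp = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") ip = $(i + 1)      # field after "from" is the client IP
        if ($i ~ /^SHA256:/) fp = $i         # key fingerprint at the end of the line
      }
      n[ip " " fp]++
    }
    END { for (k in n) if (n[k] > thr) print n[k], k }
  ' | sort -rn
}

# usage on a real log (not run here): login_storms 20 < /var/log/auth.log
```

A single trusted key reconnecting every second or two, as in the sample, points at an automated client of your own (a cron job, a backup script) rather than at an attacker who has your private key; either way the fingerprint tells you which key to go and look at.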

Answer 2

After a week of confusion I finally found the culprit: it was actually my Pi that caused the whole thing, which also explains why auth.log showed logins from my IP and, most importantly, using public-key authentication (I only allow public-key authentication for my trusted devices).

How did I find this? @Kamil Maciorowski's comment gave me some clues, so I tried shutting the Pi down, and my server ran smoothly again, with no strange CPU usage.

I inspected my Pi and found the offending script, specifically the line below.

rsync --remove-source-files -e "ssh -o ServerAliveInterval=60" -chaP --stats --info=progress2 $host:/home/user/mybackup/dbonly/$(date +"%Y-%m-%d") $backup_location/$host

As you can see, I am using $(date +"%Y-%m-%d"), which returns today's date in year-month-day format. The problem is that I had appended hh:mm to my backup directory names without changing the script to handle the new naming format.

[screenshot: backup directory listing] I changed the naming on November 12.

Looking at my rsync log confirmed my suspicion; it clearly shows rsync trying over and over to reach a directory that does not exist.

sent 8 bytes  received 115 bytes  14.47 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1655) [Receiver=3.1.1]
rsync: [Receiver] write error: Broken pipe (32)
+ [[ 5 -lt 5 ]]
++ date '+%Y-%m-%d %H:%M'
+ fail '2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.'
+ echo 2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.
2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.
+ true
+ rsync --remove-source-files -e 'ssh -o ServerAliveInterval=60' -chaP --stats --info=progress2 vps-strat:/home/user/mybackup/dbonly/2021-11-13 /media/pi/local_backup/db-server/vps-strat
receiving incremental file list
rsync: link_stat "/home/user/mybackup/dbonly/2021-11-13" failed: No such file or directory (2)

Number of files: 0
Number of created files: 0
Number of deleted files: 0
Number of regular files transferred: 0
Total file size: 0 bytes
Total transferred file size: 0 bytes
Literal data: 0 bytes
Matched data: 0 bytes
File list size: 115
Total bytes sent: 8
Total bytes received: 115

sent 8 bytes  received 115 bytes  12.95 bytes/sec
total size is 0  speedup is 0.00
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1655) [Receiver=3.1.1]
rsync: [Receiver] write error: Broken pipe (32)
+ [[ 5 -lt 5 ]]
++ date '+%Y-%m-%d %H:%M'
+ fail '2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.'
+ echo 2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.
2021-11-13 03:43 // The command has failed after 5 attempts for vps-strat.
+ true
+ rsync --remove-source-files -e 'ssh -o ServerAliveInterval=60' -chaP --stats --info=progress2 vps-strat:/home/user/mybackup/dbonly/2021-11-13 /media/pi/local_backup/db-server/vps-strat
receiving incremental file list
rsync: link_stat "/home/user/mybackup/dbonly/2021-11-13" failed: No such file or directory (2)

I have changed the script to match the new naming, and so far there have been no problems.

All in all, it was probably my carelessness again, but I am glad it was nothing sinister.
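Added example, not the poster's script: the log above shows the pattern "fail after 5 attempts, true, try again", so the script never stopped and kept re-dialling sshd. The wrapper below retries a command a bounded number of times with a growing delay and then returns the failure to its caller, so a persistently missing source directory aborts the backup instead of looping. The function names and BACKUP_DIR_FMT are hypothetical; the rsync invocation is the poster's.

```shell
#!/bin/sh
# retry MAX DELAY CMD [ARGS...]: run CMD up to MAX times, sleeping DELAY
# seconds between attempts and doubling the delay each time. Returns 0 on the
# first success, otherwise CMD's last exit status. It never restarts itself.
retry() {
  local max delay attempt rc
  max=$1; delay=$2; shift 2
  attempt=1
  while :; do
    "$@" && return 0
    rc=$?
    if [ "$attempt" -ge "$max" ]; then
      printf '%s // giving up after %d attempts: %s\n' \
        "$(date '+%Y-%m-%d %H:%M')" "$attempt" "$*" >&2
      return "$rc"
    fi
    sleep "$delay"
    delay=$((delay * 2))
    attempt=$((attempt + 1))
  done
}

# Placeholder for whatever directory naming the Pi and the server now agree on;
# keeping it in one variable avoids the mismatch that caused the loop.
BACKUP_DIR_FMT=${BACKUP_DIR_FMT:-'%Y-%m-%d'}

# pull_db_backup HOST LOCAL_DIR: the poster's rsync pull wrapped in retry.
# When retry gives up, the failure propagates (a caller under "set -e" stops).
pull_db_backup() {
  local host backup_location src
  host=$1; backup_location=$2
  src="$host:/home/user/mybackup/dbonly/$(date +"$BACKUP_DIR_FMT")"
  retry 5 30 rsync --remove-source-files -e "ssh -o ServerAliveInterval=60" \
    -chaP --stats --info=progress2 "$src" "$backup_location/$host" || {
    echo "backup of $host aborted; fix the source path before re-running" >&2
    return 1
  }
}

# usage (needs a reachable host, so not run here):
#   pull_db_backup vps-strat /media/pi/local_backup/db-server || exit 1
```

With rsync exit code 23 (partial transfer, which is what a missing source directory produces) the wrapper returns 23 after the fifth attempt rather than starting over, so a cron job built on it fails once and is visible in mail or in a monitoring check instead of in the server's sshd CPU usage.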