auth.log 中的“sshd:错误:connect_to ...失败”是什么意思?

tag-icon tag-icon linux ssh
auth.log 中的“sshd:错误:connect_to ...失败”是什么意思?

/var/log/auth.log我注意到服务器上多次重复出现以下错误消息:

Aug 10 09:10:16 hostname sshd[661]: error: connect_to 1.1.1.1 port
25: failed.

我已经更改了实际的 IP 地址,它们是通常属于邮件服务器的外部地址。

我不明白的是究竟是谁试图连接这些地址以及 sshd 与此有何关系。sshd 在端口 22 上运行,该服务器上的端口 25 上没有运行任何程序。

这一行到底是什么意思,谁发起了连接,为什么涉及 sshd?

答案1

您可以通过设置 SSH 动态端口转发来重现此问题:

man ssh

 -D [bind_address:]port
         Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket
         to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a
         connection is made to this port, the connection is forwarded over the secure channel, and the
         application protocol is then used to determine where to connect to from the remote machine.  Cur‐
         rently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only
         root can forward privileged ports.  Dynamic port forwardings can also be specified in the configu‐
         ration file.

         IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser
         can forward privileged ports.  By default, the local port is bound in accordance with the
         GatewayPorts setting.  However, an explicit bind_address may be used to bind the connection to a
         specific address.  The bind_address of “localhost” indicates that the listening port be bound for
         local use only, while an empty address or ‘*’ indicates that the port should be available from all
         interfaces.

在本地主机、端口 2302 上启动 SOCKS 代理:

$ ssh -v -ND 2302 user@host

要通过此隧道路由 HTTP 流量,在 Firefox 中:

编辑 -> 首选项 -> 高级 -> 网络选项卡 -> 设置 -> 手动代理配置 -> SOCKS 主机:localhost 和端口:2302

为了在其他流量中使用 SOCKS 代理,你可以使用 socksifier 程序,例如tsocks

[I] net-proxy/tsocks
     Available versions:  1.8_beta5-r3 ~1.8_beta5-r4 1.8_beta5-r5 ~1.8_beta5-r6 {tordns}
     Installed versions:  1.8_beta5-r5(10:08:28 AM 06/15/2010)(-tordns)
     Homepage:            http://tsocks.sourceforge.net/
     Description:         Transparent SOCKS v4 proxying library

在我的 Gentoo 上,编辑如下/etc/socks/tsocks.conf

# Otherwise we use the server
server = 127.0.0.1
server_port = 2302

测试:

$ tsocks telnet 255.255.255.255 25

您将在 SSH 服务器上看到类似这样的内容/var/log/secure

sshd[28491]: error: connect_to 255.255.255.255 port 25: failed.

我不明白的是到底是谁试图连接这些地址

为了缩小范围,请查看/var/log/secureauth.log在您的发行版上),并检查在此之前谁登录过:

sshd[26898]: pam_unix(sshd:session): session opened for user quanta

答案2

将用户的 shell 设置为 /bin/false 不会阻止 ssh 端口转发。

http://random.cconn.info/2012/05/06/binfalse-sbinnologin-and-ssh/ http://www.semicomplete.com/articles/ssh-security/

所以我的猜测是,OP 让用户使用弱密码或简单密码登录,通过将 shell 设置为 /bin/false 或 /bin/nologin 来“禁用”该帐户,然后利用该帐户通过 ssh 端口转发发送垃圾邮件。

答案3

也许登录到您的服务器的某个人正在尝试建立到 1.1.1.1:25 的 ssh 隧道?

相关内容