在我的 Ubuntu 服务器上,我偶尔会运行以下命令来查看来自我的服务器的任何打开的 TCP 连接的文件:
lsof -uroot | grep 104.236.XX.XXX
上次运行它时,我看到其中一条条目:
sshd 15651 root 3u IPv4 1813348 0t0 TCP 104.236.XX.XXX:ssh->62-210-180-69.rev.poneytelecom.eu:38114 (ESTABLISHED)
这是什么连接?我运行的所有进程都不会导致此连接。我应该担心吗?有人知道这从何而来吗?
编辑
检查文件后,/var/log/auth.log我确实看到该主机有一些失败的身份验证尝试。
Jan 13 09:45:50 prod sshd[5474]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:51 prod sshd[5476]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:51 prod sshd[5474]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=li829-5.members.linode.com user=root
Jan 13 09:45:51 prod sshd[5476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:53 prod sshd[5474]: Failed password for root from 104.237.138.5 port 54713 ssh2
Jan 13 09:45:53 prod sshd[5474]: Received disconnect from 104.237.138.5: 11: Bye Bye [preauth]
Jan 13 09:45:53 prod sshd[5476]: Failed password for root from 62.210.180.69 port 60293 ssh2
Jan 13 09:45:57 prod sshd[5476]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 60293 ssh2]
Jan 13 09:45:57 prod sshd[5476]: Received disconnect from 62.210.180.69: 11: [preauth]
Jan 13 09:45:57 prod sshd[5476]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:58 prod sshd[5478]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:45:58 prod sshd[5478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:45:59 prod sshd[5478]: Failed password for root from 62.210.180.69 port 51275 ssh2
Jan 13 09:46:04 prod sshd[5478]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 51275 ssh2]
Jan 13 09:46:04 prod sshd[5478]: Received disconnect from 62.210.180.69: 11: [preauth]
Jan 13 09:46:04 prod sshd[5478]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:46:04 prod sshd[5480]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 13 09:46:05 prod sshd[5480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62-210-180-69.rev.poneytelecom.eu user=root
Jan 13 09:46:06 prod sshd[5480]: Failed password for root from 62.210.180.69 port 41907 ssh2
Jan 13 09:46:10 prod sshd[5480]: message repeated 2 times: [ Failed password for root from 62.210.180.69 port 41907 ssh2]
答案1
这是以下两种情况之一:
从严格的技术意义上讲,有人试图使用 ssh 进行身份验证。其目的很可能是猜测密码或以其他方式获取访问权限。因此,您的标准扫描器流量是通过在标准端口运行 ssh 获得的。
有人直接通过 ssh 以 root 身份登录。为了实现此目的,请在 中将 AllowRootLogin 设置为 on
/etc/ssh/sshd_config。
您可以在 中找到差异/var/log/auth.log。如果您看到来自该 IP 的多次登录尝试失败,则它是一个扫描器。如果您看到成功登录或找不到任何信息,那么您就知道您有麻烦了。您还可以使用 w(1) 命令查看当前登录的用户,但如果有人获得访问权限,您就不能信任输出。
如果是扫描仪,请考虑结合防火墙安装fail2ban或sshguard。