因此,我的服务器被数千次 SSH 登录尝试所淹没。Fail2ban 正在捕获并禁止它们 - 但我的收件箱让我很担心,并且它用警报填满了收件箱。以下是我看到的一个示例:
May 28 15:26:09 sshd[4908]: input_userauth_request: invalid user test [preauth]
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): check pass; user unknown
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<<SNIPIP>>
May 28 15:26:11 sshd[4908]: Failed password for invalid user test from <<SNIPIP>> port 41344 ssh2
May 28 15:26:11 sshd[4908]: Received disconnect from <<SNIPIP>> port 41344:11: Bye Bye [preauth]
May 28 15:26:11 sshd[4908]: Disconnected from <<SNIPIP>> port 41344 [preauth]
有趣的是,当我尝试使用类似以下方式进行连接时:
ssh test@myserverip -p 41344
我的连接尝试最终超时,并且在 auth.log 中看不到任何条目 - 这是我所期望发生的,因为我已经通过 UFW 锁定了机器防火墙:(旁注:我已经在非标准端口上运行 ssh)
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
Anywhere DENY IN 144.202.55.196
Anywhere DENY IN 188.53.140.190
Anywhere DENY IN 185.50.197.159
Anywhere DENY IN 206.189.197.133
Anywhere DENY IN 61.175.121.73
Anywhere DENY IN 8.30.124.149
Anywhere DENY IN 193.105.134.45
Anywhere DENY IN 139.129.14.230
Anywhere DENY IN 37.247.96.111
22 DENY IN Anywhere
2200/tcp ALLOW IN Anywhere
25/tcp ALLOW IN Anywhere
80,443/tcp (Nginx Full) ALLOW IN Anywhere
2246 ALLOW IN Anywhere
2812 ALLOW IN Anywhere
2247/tcp ALLOW IN Anywhere
19999/tcp ALLOW IN Anywhere
82/tcp ALLOW IN Anywhere
22 (v6) DENY IN Anywhere (v6)
2200/tcp (v6) ALLOW IN Anywhere (v6)
25/tcp (v6) ALLOW IN Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN Anywhere (v6)
2246 (v6) ALLOW IN Anywhere (v6)
2812 (v6) ALLOW IN Anywhere (v6)
2247/tcp (v6) ALLOW IN Anywhere (v6)
19999/tcp (v6) ALLOW IN Anywhere (v6)
82/tcp (v6) ALLOW IN Anywhere (v6)
所以我的主要问题是,当我不能尝试登录端口 41344 时,别人怎么可能有机会尝试登录呢?
答案1
这是远程端连接的源端口。连接将连接到您这边的端口 22(或您的 SSH 守护程序正在监听的任何端口)。
每个网络套接字都由源地址和端口以及目标地址和端口组成。源端口由原始操作系统随机选择。