I have a VPS, and every day I receive a very busy Logwatch report.
I'm not a Debian expert, so I don't know whether this is normal or whether I should be worried.
Any opinions?
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Wed Apr 15 06:25:28 2020
Date Range Processed: yesterday
( 2020-Apr-14 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: ***.***.**
##################################################################
--------------------- fail2ban-messages Begin ------------------------
Banned services with Fail2Ban: Bans:Unbans
ssh: [495:500]
---------------------- fail2ban-messages End -------------------------
--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:
113.128.105.226 -> www.baidu.com:443: 1 Time(s)
119.118.30.23 -> www.ipip.net:443: 1 Time(s)
223.12.78.165 -> cn.bing.com:443: 1 Time(s)
45.13.93.90 -> ip.ws.126.net:443: 1 Time(s)
A total of 993 sites probed the server
100.18.10.141
101.165.194.135
102.115.161.115
103.214.12.244
103.80.239.154
104.191.118.29
104.192.236.93
106.180.4.213
107.141.74.125
108.17.75.210
108.70.82.189
109.112.38.174
109.116.190.21
109.117.136.112
109.118.88.47
[...]
---------------------- httpd End -------------------------
--------------------- iptables firewall Begin ------------------------
Listed by source hosts:
Logged 4735 packets on interface eth0
From 2.25.218.189 - 16 packets to tcp(443)
From 2.32.62.225 - 8 packets to tcp(443)
From 2.34.179.95 - 4 packets to tcp(443)
From 2.36.160.255 - 4 packets to tcp(443)
From 2.37.140.177 - 1 packet to tcp(443)
From 2.39.41.23 - 10 packets to tcp(443)
From 2.45.1.230 - 3 packets to tcp(443)
From 2.45.152.99 - 2 packets to tcp(443)
From 2.102.45.174 - 2 packets to tcp(443)
From 2.132.43.242 - 1 packet to tcp(80)
From 2.177.207.154 - 1 packet to tcp(443)
From 2.178.237.89 - 1 packet to tcp(80)
From 2.180.124.124 - 1 packet to tcp(22)
From 2.181.21.231 - 3 packets to tcp(80)
From 2.181.67.150 - 3 packets to tcp(22)
From 2.186.1.136 - 2 packets to tcp(80)
From 2.186.43.121 - 1 packet to tcp(443)
[...]
---------------------- iptables firewall End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (222.186.190.17): 180 Time(s)
unknown (78.107.220.5): 82 Time(s)
unknown (139.217.218.255): 48 Time(s)
root (9.213.155.104.bc.googleusercontent.com): 47 Time(s)
root (206.189.164.136): 41 Time(s)
unknown (134.209.228.253): 41 Time(s)
root (125.74.47.230): 38 Time(s)
root (163.172.178.167): 36 Time(s)
root (ns3003413.ip-5-196-75.eu): 36 Time(s)
root (106.12.2.81): 35 Time(s)
root (184.13.240.142): 35 Time(s)
unknown (9.213.155.104.bc.googleusercontent.com): 35 Time(s)
[...]
Invalid Users:
Unknown Account: 2879 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Illegal users from:
undef: 1441 times
1.53.158.156: 1 time
1.214.156.163: 43 times
2.184.4.3: 46 times
3.133.0.24 (ec2-3-133-0-24.us-east-2.compute.amazonaws.com): 31 times
5.135.94.191 (ip191.ip-5-135-94.eu): 36 times
5.135.181.53 (ns3120718.ip-5-135-181.eu): 27 times
5.147.173.226 (ip-5-147-173-226.unitymediagroup.de): 1 time
[...]
Login attempted when not in AllowUsers list:
backup : 18 Time(s)
bin : 32 Time(s)
daemon : 5 Time(s)
games : 3 Time(s)
irc : 1 Time(s)
list : 1 Time(s)
lp : 1 Time(s)
mail : 2 Time(s)
man : 1 Time(s)
messagebus : 3 Time(s)
mysql : 26 Time(s)
news : 3 Time(s)
nobody : 2 Time(s)
postfix : 1 Time(s)
proxy : 1 Time(s)
root : 4881 Time(s)
sshd : 3 Time(s)
sync : 3 Time(s)
sys : 5 Time(s)
uucp : 3 Time(s)
www-data : 6 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End #########################
Answer 1
This is a mix of scans and attacks (looking for weaknesses; note how many times common usernames/services are tried). Every Internet-facing server gets probed like this, and if the services you offer are public, it cannot be avoided.
It is not Debian-specific; it has to do with the services running on your server.
What you can do (and you already do it for ssh) is try to limit the number of attempts these scans get before they are banned (fail2ban). You may also want to check whether you are using mod_proxy, because some of the probers are checking whether you have set up an open proxy (without success).
Although I see nothing worrying in your report, you still have to learn how to read it, in case something bad does happen. If you don't understand some part of it (most of it is self-explanatory), feel free to ask.
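As an added example (not part of either post above), the following Python script reads a Logwatch mail of the shape shown in the question and turns the four sections the answer talks about into numbers: fail2ban bans per jail, the mod_proxy forward-proxy probes, the busiest SSH password-guessing sources, and the accounts refused by sshd's AllowUsers. The embedded report is a constructed excerpt of the one in the question; the regular expressions are written for the Logwatch 7.x layout shown there and are an assumption for any other version.

```python
"""Parse a Logwatch mail into per-section findings so the daily report can be
read mechanically instead of scrolled through every morning.

Added example, not code from the original post. The regexes match the
Logwatch 7.x section layout seen in the question and nothing else.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the question's report (shortened).
SAMPLE_REPORT = """\
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Wed Apr 15 06:25:28 2020
##################################################################
--------------------- fail2ban-messages Begin ------------------------
Banned services with Fail2Ban: Bans:Unbans
ssh: [495:500]
---------------------- fail2ban-messages End -------------------------
--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:
113.128.105.226 -> www.baidu.com:443: 1 Time(s)
223.12.78.165 -> cn.bing.com:443: 1 Time(s)
A total of 993 sites probed the server
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (222.186.190.17): 180 Time(s)
unknown (78.107.220.5): 82 Time(s)
root (9.213.155.104.bc.googleusercontent.com): 47 Time(s)
Invalid Users:
Unknown Account: 2879 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Login attempted when not in AllowUsers list:
backup : 18 Time(s)
root : 4881 Time(s)
---------------------- SSHD End -------------------------
###################### Logwatch End #########################
"""

SECTION_RE = re.compile(r"^-+ (?P<name>.+?) (?P<edge>Begin|End) -+$")
FAIL2BAN_RE = re.compile(r"^(?P<jail>\S+): \[(?P<bans>\d+):(?P<unbans>\d+)\]$")
PROXY_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+): (?P<n>\d+) Time\(s\)$")
PAM_RE = re.compile(r"^(?P<user>\S+) \((?P<host>[^)]+)\): (?P<n>\d+) Time\(s\)$")
ALLOW_RE = re.compile(r"^(?P<user>\S+) : (?P<n>\d+) Time\(s\)$")


def split_sections(report: str) -> Dict[str, List[str]]:
    """Group the lines between each 'X Begin' / 'X End' marker pair under X."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in report.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m["name"] if m["edge"] == "Begin" else None
            sections.setdefault(m["name"], [])
            continue
        if current is not None:
            sections[current].append(line.strip())
    return sections


def fail2ban_counts(sections: Dict[str, List[str]]) -> Dict[str, Tuple[int, int]]:
    """Per-jail (bans, unbans). More unbans than bans only means bans from the
    previous day expired today; it is not an error."""
    out: Dict[str, Tuple[int, int]] = {}
    for line in sections.get("fail2ban-messages", []):
        m = FAIL2BAN_RE.match(line)
        if m:
            out[m["jail"]] = (int(m["bans"]), int(m["unbans"]))
    return out


def mod_proxy_probes(sections: Dict[str, List[str]]) -> List[Tuple[str, str, int]]:
    """Forward-proxy requests Apache logged. Appearing here means the request
    arrived, not that it was relayed; confirm 'ProxyRequests Off' in httpd."""
    probes = []
    for line in sections.get("httpd", []):
        m = PROXY_RE.match(line)
        if m:
            probes.append((m["src"], m["dst"], int(m["n"])))
    return probes


def ssh_auth_failures(sections: Dict[str, List[str]], top: int = 5) -> List[Tuple[str, int]]:
    """Failed password attempts per source host, busiest first."""
    per_host: Counter = Counter()
    for line in sections.get("pam_unix", []):
        m = PAM_RE.match(line)
        if m:
            per_host[m["host"]] += int(m["n"])
    return per_host.most_common(top)


def allowusers_rejections(sections: Dict[str, List[str]]) -> Dict[str, int]:
    """Logins refused because the account is not in sshd's AllowUsers list."""
    out: Dict[str, int] = {}
    for line in sections.get("SSHD", []):
        m = ALLOW_RE.match(line)
        if m:
            out[m["user"]] = int(m["n"])
    return out


def summarize(report: str) -> dict:
    sections = split_sections(report)
    return {
        "fail2ban": fail2ban_counts(sections),
        "mod_proxy_probes": mod_proxy_probes(sections),
        "ssh_auth_failures": ssh_auth_failures(sections),
        "allowusers_rejections": allowusers_rejections(sections),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Reading the output the way the answer suggests: a large ban count with no successful logins is background noise, the mod_proxy lines are worth a look at `ProxyRequests` in the Apache config, and the AllowUsers counts show the guessing is landing on accounts that sshd refuses before a password is ever checked. Feed the script yesterday's real mail instead of `SAMPLE_REPORT` to compare days.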