Logwatch - 多次攻击?我很担心!我该怎么办?

Logwatch - 多次攻击?我很担心!我该怎么办?

我有一个 VPS,每天都会收到非常拥挤的 Logwatch。

我不是 Debian 专家,所以我不知道这是否正常或者我是否应该担心。

有什么意见吗?


 ################### Logwatch 7.4.0 (03/01/11) #################### 
        Processing Initiated: Wed Apr 15 06:25:28 2020
        Date Range Processed: yesterday
                              ( 2020-Apr-14 )
                              Period is day.
        Detail Level of Output: 0
        Type of Output/Format: mail / text
        Logfiles for Host: ***.***.**
 ################################################################## 

 --------------------- fail2ban-messages Begin ------------------------ 

 Banned services with Fail2Ban:              Bans:Unbans
    ssh:                                                    [495:500]

 ---------------------- fail2ban-messages End ------------------------- 


 --------------------- httpd Begin ------------------------ 


 Connection attempts using mod_proxy:
    113.128.105.226 -> www.baidu.com:443: 1 Time(s)
    119.118.30.23 -> www.ipip.net:443: 1 Time(s)
    223.12.78.165 -> cn.bing.com:443: 1 Time(s)
    45.13.93.90 -> ip.ws.126.net:443: 1 Time(s)

 A total of 993 sites probed the server 
    100.18.10.141
    101.165.194.135
    102.115.161.115
    103.214.12.244
    103.80.239.154
    104.191.118.29
    104.192.236.93
    106.180.4.213
    107.141.74.125
    108.17.75.210
    108.70.82.189
    109.112.38.174
    109.116.190.21
    109.117.136.112
    109.118.88.47
    [...]

 ---------------------- httpd End ------------------------- 


 --------------------- iptables firewall Begin ------------------------ 


 Listed by source hosts:
 Logged 4735 packets on interface eth0
   From 2.25.218.189 - 16 packets to tcp(443) 
   From 2.32.62.225 - 8 packets to tcp(443) 
   From 2.34.179.95 - 4 packets to tcp(443) 
   From 2.36.160.255 - 4 packets to tcp(443) 
   From 2.37.140.177 - 1 packet to tcp(443) 
   From 2.39.41.23 - 10 packets to tcp(443) 
   From 2.45.1.230 - 3 packets to tcp(443) 
   From 2.45.152.99 - 2 packets to tcp(443) 
   From 2.102.45.174 - 2 packets to tcp(443) 
   From 2.132.43.242 - 1 packet to tcp(80) 
   From 2.177.207.154 - 1 packet to tcp(443) 
   From 2.178.237.89 - 1 packet to tcp(80) 
   From 2.180.124.124 - 1 packet to tcp(22) 
   From 2.181.21.231 - 3 packets to tcp(80) 
   From 2.181.67.150 - 3 packets to tcp(22) 
   From 2.186.1.136 - 2 packets to tcp(80) 
   From 2.186.43.121 - 1 packet to tcp(443) 
   [...]

 ---------------------- iptables firewall End ------------------------- 


 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       root (222.186.190.17): 180 Time(s)
       unknown (78.107.220.5): 82 Time(s)
       unknown (139.217.218.255): 48 Time(s)
       root (9.213.155.104.bc.googleusercontent.com): 47 Time(s)
       root (206.189.164.136): 41 Time(s)
       unknown (134.209.228.253): 41 Time(s)
       root (125.74.47.230): 38 Time(s)
       root (163.172.178.167): 36 Time(s)
       root (ns3003413.ip-5-196-75.eu): 36 Time(s)
       root (106.12.2.81): 35 Time(s)
       root (184.13.240.142): 35 Time(s)
       unknown (9.213.155.104.bc.googleusercontent.com): 35 Time(s)
       [...]

    Invalid Users:
       Unknown Account: 2879 Time(s)


 ---------------------- pam_unix End ------------------------- 


 --------------------- SSHD Begin ------------------------ 


 Illegal users from:
    undef: 1441 times
    1.53.158.156: 1 time
    1.214.156.163: 43 times
    2.184.4.3: 46 times
    3.133.0.24 (ec2-3-133-0-24.us-east-2.compute.amazonaws.com): 31 times
    5.135.94.191 (ip191.ip-5-135-94.eu): 36 times
    5.135.181.53 (ns3120718.ip-5-135-181.eu): 27 times
    5.147.173.226 (ip-5-147-173-226.unitymediagroup.de): 1 time
    [...]

 Login attempted when not in AllowUsers list:
    backup : 18 Time(s)
    bin : 32 Time(s)
    daemon : 5 Time(s)
    games : 3 Time(s)
    irc : 1 Time(s)
    list : 1 Time(s)
    lp : 1 Time(s)
    mail : 2 Time(s)
    man : 1 Time(s)
    messagebus : 3 Time(s)
    mysql : 26 Time(s)
    news : 3 Time(s)
    nobody : 2 Time(s)
    postfix : 1 Time(s)
    proxy : 1 Time(s)
    root : 4881 Time(s)
    sshd : 3 Time(s)
    sync : 3 Time(s)
    sys : 5 Time(s)
    uucp : 3 Time(s)
    www-data : 6 Time(s)

 ---------------------- SSHD End ------------------------- 




 ###################### Logwatch End ######################### 

答案1

这是扫描和攻击的混合体(寻找弱点,查看常用用户名/服务被尝试的次数)。每个面向互联网的服务器都会被这样探测,如果您提供的服务是公开的,则无法避免。

它不是 Debian 特有的,它与您服务器上的服务有关。

您可以做的(并且您已经为 ssh 做了)是尝试限制这些扫描在被禁止之前进行的尝试次数(fail2ban)。您可能还想检查您是否正在使用mod_proxy,因为一些探测器正在检查您是否设置了开放代理(但没有成功)。

虽然我看不出你的报告有什么值得担心的地方,但你还是得学会如何阅读它,以防发生不好的事情。如果你不明白其中的某些部分(大部分内容都是不言自明的),请随时提问。

相关内容