Today I woke up and found a large number of ssh logs, and I can only assume that someone is trying to get into my Linux server.
Here are the logs:
-- Logs begin at Wed 2023-08-02 08:59:10 EEST, end at Wed 2024-01-24 08:57:36 EET. --
ian 24 08:53:49 Linux-Server sshd[372712]: Invalid user mireielle from 201.184.50.251 port 59440
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:53:51 Linux-Server sshd[372712]: Failed password for invalid user mireielle from 201.184.50.251 port 59440 ssh2
ian 24 08:53:51 Linux-Server sshd[372712]: Received disconnect from 201.184.50.251 port 59440:11: Bye Bye [preauth]
ian 24 08:53:51 Linux-Server sshd[372712]: Disconnected from invalid user mireielle 201.184.50.251 port 59440 [preauth]
ian 24 08:54:08 Linux-Server sshd[372726]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:09 Linux-Server sshd[372726]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29 user=root
ian 24 08:54:11 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372731]: Invalid user hawkos from 118.163.63.23 port 33902
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:54:16 Linux-Server sshd[372731]: Failed password for invalid user hawkos from 118.163.63.23 port 33902 ssh2
ian 24 08:54:16 Linux-Server sshd[372731]: Received disconnect from 118.163.63.23 port 33902:11: Bye Bye [preauth]
ian 24 08:54:16 Linux-Server sshd[372731]: Disconnected from invalid user hawkos 118.163.63.23 port 33902 [preauth]
ian 24 08:54:18 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:20 Linux-Server sshd[372726]: Received disconnect from 218.92.0.29 port 41135:11: [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: Disconnected from invalid user root 218.92.0.29 port 41135 [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29 user=root
ian 24 08:54:50 Linux-Server sshd[372743]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:50 Linux-Server sshd[372743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29 user=root
ian 24 08:54:52 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:54 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:55 Linux-Server sshd[372745]: Invalid user skaret from 201.184.50.251 port 51582
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:54:57 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:57 Linux-Server sshd[372745]: Failed password for invalid user skaret from 201.184.50.251 port 51582 ssh2
ian 24 08:54:59 Linux-Server sshd[372743]: Received disconnect from 218.92.0.29 port 23264:11: [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: Disconnected from invalid user root 218.92.0.29 port 23264 [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29 user=root
ian 24 08:54:59 Linux-Server sshd[372745]: Received disconnect from 201.184.50.251 port 51582:11: Bye Bye [preauth]
ian 24 08:54:59 Linux-Server sshd[372745]: Disconnected from invalid user skaret 201.184.50.251 port 51582 [preauth]
ian 24 08:55:13 Linux-Server sshd[372748]: User root from 180.101.88.221 not allowed because not listed in AllowUsers
ian 24 08:55:13 Linux-Server sshd[372748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221 user=root
ian 24 08:55:15 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:18 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:21 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:23 Linux-Server sshd[372748]: Received disconnect from 180.101.88.221 port 62046:11: [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: Disconnected from invalid user root 180.101.88.221 port 62046 [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221 user=root
ian 24 08:56:04 Linux-Server sshd[372762]: Invalid user ubuntu from 201.184.50.251 port 43720
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:56:06 Linux-Server sshd[372762]: Failed password for invalid user ubuntu from 201.184.50.251 port 43720 ssh2
ian 24 08:56:08 Linux-Server sshd[372762]: Received disconnect from 201.184.50.251 port 43720:11: Bye Bye [preauth]
ian 24 08:56:08 Linux-Server sshd[372762]: Disconnected from invalid user ubuntu 201.184.50.251 port 43720 [preauth]
ian 24 08:56:48 Linux-Server sshd[372771]: Invalid user alberik from 118.163.63.23 port 38078
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:56:50 Linux-Server sshd[372771]: Failed password for invalid user alberik from 118.163.63.23 port 38078 ssh2
ian 24 08:56:51 Linux-Server sshd[372771]: Received disconnect from 118.163.63.23 port 38078:11: Bye Bye [preauth]
These are the logs from the last 5 minutes.
I traced them back to the start on October 23, 00:00:42 AM. They do look suspicious.
Is there anything I should worry about? I have 5 different allowed ssh users, 2 of which I've confined to an SSH jail where they can only access the following folders:
bin dev etc lib lib64 proc run sbin share sys tmp usr
share is just an intermediate directory that gives specific users access to specific folders.
So, have I been hacked? Is this a potential DDoS attack? What should I do?
I'd appreciate any advice!
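A quick way to triage a log like the one above, as an added example that is not part of the original question: the script below parses sshd journal lines in the same format (the timestamp, including the Romanian month abbreviation "ian", is ignored), counts failures per source address and the usernames each one tried, counts the connections that AllowUsers refused outright, and, most importantly, lists every successful login, since failed attempts alone never show a compromise. The sample is a constructed subset of the excerpt above plus one constructed "Accepted publickey" line (user alice and address 203.0.113.7 are invented) so the success check has something to find; the threshold of 3 and the set of known addresses are assumptions.

```python
"""Triage sshd journal lines: who is brute-forcing, and did anyone actually get in?"""
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the excerpt in the question plus one
# invented "Accepted publickey" line (alice / 203.0.113.7 are not real).
SAMPLE_LOG = """\
ian 24 08:53:49 Linux-Server sshd[372712]: Invalid user mireielle from 201.184.50.251 port 59440
ian 24 08:53:51 Linux-Server sshd[372712]: Failed password for invalid user mireielle from 201.184.50.251 port 59440 ssh2
ian 24 08:54:08 Linux-Server sshd[372726]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:11 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:16 Linux-Server sshd[372731]: Failed password for invalid user hawkos from 118.163.63.23 port 33902 ssh2
ian 24 08:54:18 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:55:15 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:56:06 Linux-Server sshd[372762]: Failed password for invalid user ubuntu from 201.184.50.251 port 43720 ssh2
ian 24 09:02:11 Linux-Server sshd[372801]: Accepted publickey for alice from 203.0.113.7 port 51000 ssh2: ED25519 SHA256:AAAA
"""

# "invalid user" is optional: sshd prints it for unknown names and for names
# refused by AllowUsers, but not for a real account with a wrong password.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
ALLOWUSERS = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")


def triage(log_text, threshold=3):
    """Summarise sshd auth events per source address.

    Returns failed-attempt counts, the usernames each address tried, how many
    connections AllowUsers refused before any password was checked, every
    successful login, and the addresses with at least `threshold` failures
    (fail2ban's default maxretry is 5; 3 is an assumption for this short sample).
    """
    failed = Counter()
    users = defaultdict(set)
    allowusers_blocked = 0
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users[ip].add(user)
            continue
        if ALLOWUSERS.search(line):
            allowusers_blocked += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())  # (method, user, ip)
    return {
        "failed_by_ip": dict(failed),
        "users_by_ip": {ip: sorted(u) for ip, u in users.items()},
        "allowusers_blocked": allowusers_blocked,
        "accepted": accepted,
        "brute_force_sources": sorted(ip for ip, n in failed.items() if n >= threshold),
    }


def unexpected_logins(summary, known_ips):
    """Successful logins from addresses you do not recognise: these lines, not the
    failures, are what answers "was I hacked?"."""
    return [a for a in summary["accepted"] if a[2] not in known_ips]


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for ip, n in sorted(s["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} failed, users tried: {', '.join(s['users_by_ip'][ip])}")
    print("refused by AllowUsers:", s["allowusers_blocked"])
    print("candidates for a ban:", s["brute_force_sources"])
    print("logins from unknown addresses:", unexpected_logins(s, {"198.51.100.5"}))
```

On a real host feed it `journalctl -u ssh --since "1 day ago"` (or `/var/log/auth.log`) and put your own addresses in the known set; any "Accepted" line from elsewhere is the thing to investigate, while thousands of "Failed password" lines for invalid users are just background noise.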
Answer 1
When you open a service to the internet, you can be sure that before long a botnet will find it and start probing for security holes.
- Keep your server up to date
- Disable logins for well-known usernames (root)
- Disable password logins and use public-key authentication only
- If you can, restrict access to the service to specific IP addresses or subnets with a firewall
- Set up fail2ban to make probing your server harder
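To check whether a server's sshd_config actually follows the recommendations in this answer, an added example that is not from the answer's author: it reads the global section of an sshd_config the way sshd does (the first value for a keyword wins, and a Match line ends the global section) and reports which of the recommended settings are missing. Both configs are constructed; the OpenSSH defaults filled in for absent directives assume OpenSSH 7.0 or later (PermitRootLogin prohibit-password, PasswordAuthentication yes, KbdInteractiveAuthentication yes, PubkeyAuthentication yes).

```python
"""Audit an sshd_config's global section against the hardening advice above."""
import re

# OpenSSH's own defaults for directives that are absent (assumption: OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Effective global directives as {lowercased keyword: value}.

    Mirrors two sshd rules that trip people up: the FIRST value seen for a
    keyword wins (later duplicates are silently ignored), and the first Match
    line ends the global section, so everything after it is skipped here.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)                 # first value wins
    return effective


def audit_sshd_config(text):
    """List the recommendations from the answer that this config does not meet."""
    cfg = parse_sshd_config(text)
    get = lambda k: cfg.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': root is the username every bot tries first")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing can still succeed")
    if get("kbdinteractiveauthentication") != "no" and get("challengeresponseauthentication") != "no":
        findings.append("KbdInteractiveAuthentication (ChallengeResponseAuthentication on older "
                        "OpenSSH) is not 'no': PAM can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is not 'yes': with passwords off nobody could log in")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("No AllowUsers/AllowGroups: every local account is a valid login target")
    return findings


# Constructed configs; usernames and the chroot path are invented.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob carol
UsePAM yes
PasswordAuthentication yes    # ignored by sshd: the first value above wins
Match User carol
    ChrootDirectory /srv/jail   # jailed user, as in the question; not part of the global section
    ForceCommand internal-sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

On a live host compare the result with `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|kbdinteractive|allowusers'`, which prints the values sshd will actually use after all Include files are applied; on Debian and Ubuntu an `Include /etc/ssh/sshd_config.d/*.conf` near the top of the main file means a drop-in there wins under the same first-value-wins rule. fail2ban's stock `[sshd]` jail keys on the same "Failed password" and "Invalid user" lines shown in the question, so the triage counts above are roughly what it would ban on.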