Is my server under attack?

Yesterday I created an Ubuntu 18.04 droplet on DigitalOcean with a MongoDB v4.0.2 image, and today I checked the file /var/log/auth.log... this is what I see:

Oct  1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11:  [preauth]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct  1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11:  [preauth]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11:  [preauth]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11:  [preauth]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct  1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11:  [preauth]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct  1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11:  [preauth]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct  1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11:  [preauth]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct  1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11:  [preauth]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct  1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11:  [preauth]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root

Oct  1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct  1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11:  [preauth]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root

Thousands of connection attempts logged! And it is still going on!

I am the only person with access to this server, and the only port I have open is 22!

What is going on?
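As an added example (not part of the question or the answer that follows), here is a small POSIX shell tally that turns auth.log lines like the ones above into a per-source-IP count of failed SSH password attempts. It also weights the entries rsyslog folds into "message repeated N times" lines, which a naive grep -c would undercount. The sample lines are constructed for this example; 198.51.100.7 and 203.0.113.5 are documentation-range placeholders. On a real host you would feed in /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source IP from
# auth.log-style lines. Not code from the original post.

# Constructed sample modelled on the question's log; not a real capture.
SAMPLE_LOG='Oct  1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct  1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct  1 16:30:02 mongodb-server-1 sshd[9400]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct  1 16:31:10 mongodb-server-1 sshd[9402]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2'

# ssh_failures_by_ip: read log lines on stdin, print "COUNT IP" lines,
# highest count first. A plain "Failed password" line counts 1; rsyslog's
# "message repeated N times: [ Failed password ... ]" line counts N.
ssh_failures_by_ip() {
    awk '
        /Failed password for/ {
            n = 1
            if (match($0, /repeated [0-9]+ times/)) {
                # strip "repeated " (9 chars) and " times" (6 chars)
                n = substr($0, RSTART + 9, RLENGTH - 15) + 0
            }
            # the source address is the field after "from"
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip] += n
        }
        END { for (ip in fails) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# brute_force_sources THRESHOLD: source IPs with at least THRESHOLD
# failures, i.e. roughly what a fail2ban maxretry rule would ban.
brute_force_sources() {
    ssh_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample; on a real host use:
#   sudo cat /var/log/auth.log | ssh_failures_by_ip
printf '%s\n' "$SAMPLE_LOG" | ssh_failures_by_ip
```

Only "Failed password" lines are counted, so the successful key login from 203.0.113.5 does not appear; the two "repeated 2 times" entries bring 116.31.116.16 to six failures from four lines.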

Answer 1

This particular traffic comes from an IP address in China (basic IP address information on dnslytics.com) and is trying to log in to your root user over SSH using password authentication.

The main concerns when running any Internet-facing service:

  1. When you are on the Internet, your IP address gets probed from everywhere.
  2. When some prober finds an open port (such as the SSH port), malicious threat actors will keep probing to see whether they can get into your system through password attacks.

Both of these are the de facto standard for Internet-facing services, so many of these threats are ongoing. And this happens to many services, not just SSH.

This kind of probing is unlikely to stop. That is why you should be careful when exposing services to the Internet.

Based on what I have seen and heard in the past, my knowledge of IT security, and first-hand knowledge from running several Internet-facing services myself, this activity looks like the typical service scanning and probing that happens to most systems directly facing the Internet. It does not mean your server is being directly targeted. It just means a service scanner found that your server responds on port 22 and keeps coming back, trying to authenticate with weak passwords in an attempt to break in. This is not uncommon on Internet-facing connections.

However, there are some things you can do to mitigate this further:

  1. Disable SSH login access for the root user directly

    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it is set to prohibit-password or no

    Note that you will need a non-root user you can log in as if you do this; that way you have protected the root user, and you have a non-root user for whom you can configure sudo access so they can still run superuser commands as needed. (Never use SSH as root for administrative functions and operations!)

  2. Disable password authentication, and make SSH key authentication the only viable SSH login mechanism. There are many guides on how to do this, such as this one from Digital Ocean

  3. Set up something like fail2ban to help block brute-force attempts. This is a complex process in itself, but you can get a basic setup by running sudo apt install fail2ban. By default this will be enabled to protect SSH connections.

  4. Set up a firewall before you go on to add other services. That way you only receive the connections you trust, to provide the services you want to offer to the Internet, rather than exposing everything.
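The four steps above as one script, added here as an example; it is not the answer's own code. The sshd_config edits are done by functions that take a file path, so they can be exercised on a copy before touching /etc/ssh/sshd_config, and a check function reads back the values sshd would actually use (sshd honours the first uncommented occurrence of a keyword, so a stray "PermitRootLogin yes" above the one you edited would silently win). The live-host part (reloading sshd, fail2ban, ufw) is assumed to run as root on Ubuntu 18.04 and is only executed when the script is invoked with --apply, a flag chosen for this example.

```shell
#!/bin/sh
# Added example (not the answer's own code): the four hardening steps as
# one script. Config editing works on any file path so it can be tested
# on a copy; the live-host part runs only with --apply, as root.

# set_directive FILE KEY VALUE: turn every "KEY ..." line, commented or
# not, into "KEY VALUE"; append the line if KEY is not present at all.
# Rewriting every occurrence matters because sshd uses the FIRST
# uncommented value of a keyword, not the last.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        # sed -i is not portable; go through a temp file
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "${file}.tmp" \
            && mv "${file}.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_value FILE KEY: the value sshd would use (first uncommented
# match, keyword compared case-insensitively as sshd does). Directives
# inside Match blocks are not special-cased here.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# Steps 1 and 2 of the answer: no root password login, no password
# authentication at all, keys only.
harden_sshd_config() {
    set_directive "$1" PermitRootLogin prohibit-password   # "no" is stricter still
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PubkeyAuthentication yes
}

# check_sshd_config FILE: exit 0 only if the effective values are hardened.
check_sshd_config() {
    case "$(effective_value "$1" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) return 1 ;;
    esac
    [ "$(effective_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = yes ]
}

# apply_hardening: steps 1-4 on the live Ubuntu host. Run it from a second
# session only after a non-root sudo user can already log in with a key,
# or you lock yourself out.
apply_hardening() {
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config
    check_sshd_config /etc/ssh/sshd_config || { echo "hardening check failed" >&2; return 1; }
    # syntax-check before reloading; restore the backup if sshd rejects it
    /usr/sbin/sshd -t || { cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    systemctl reload ssh
    # step 3: fail2ban with an explicit sshd jail (5 failures -> 1 h ban)
    apt-get install -y fail2ban
    printf '[sshd]\nenabled = true\nmaxretry = 5\nbantime = 3600\n' > /etc/fail2ban/jail.local
    systemctl restart fail2ban
    # step 4: default-deny firewall that admits only SSH; add each further
    # service with its own explicit "ufw allow" rule
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH
    ufw --force enable
}

if [ "$1" = "--apply" ]; then
    apply_hardening
fi
```

To rehearse without touching the host, copy /etc/ssh/sshd_config somewhere, run harden_sshd_config and check_sshd_config on the copy, and diff it against the original; the --apply path then does the same on the real file, refuses to reload if sshd -t rejects the result, and only afterwards installs fail2ban and turns on the firewall.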
