I've noticed some suspicious activity on my VPS and want to understand it better.
postfix: I saw a lot of postfix activity in mail.log, so I stopped postfix, and then saw
Jan 9 22:58:28 domain postfix/postfix-script[6035]: stopping the Postfix mail system
Jan 9 22:58:28 domain postfix/master[791]: terminating on signal 15
Jan 9 22:58:28 domain postfix/postfix-script[6045]: fatal: the Postfix mail system is not running
Jan 9 22:58:30 domain postfix/postfix-script[6119]: warning: not owned by root: /etc/postfix/./sasl/sasl_passwd.db
Jan 9 22:58:30 domain postfix/postfix-script[6120]: warning: not owned by root: /etc/postfix/./sasl/sasl_passwd
Jan 9 22:58:30 domain postfix/postqueue[6162]: warning: Mail system is down -- accessing queue directly
After that it went quiet. I don't need postfix, so can I just turn it off? Or will it affect something else I'm not aware of? Assuming the log is quiet now, can I be sure that nobody can use my VPS to send email?
One more thing: in webmin I see 43 users! root is obvious. The other 42 include (for example) daemon, dovecot, tomcat, list, irc... How do I know which ones I can delete? At first I disabled everything except root, but then I realised my tomcat was down, so I re-enabled everything and started tomcat again. Does this matter? Do I need to keep some users and delete others?
Last thing, from auth.log
Jan 9 23:22:20 domain su[15114]: Successful su for domain by root
Jan 9 23:22:20 domain su[15114]: + ??? root:domain
Jan 9 23:22:20 domain su[15114]: pam_unix(su:session): session opened for user domain by (uid=0)
Jan 9 23:22:20 domain su[15114]: pam_systemd(su:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
Jan 9 23:22:20 domain su[15114]: pam_unix(su:session): session closed for user domain
Jan 9 23:24:47 domain sshd[15645]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.231.50.90 user=root
Jan 9 23:24:49 domain sshd[15645]: Failed password for root from 111.231.50.90 port 54480 ssh2
Jan 9 23:24:49 domain sshd[15645]: Received disconnect from 111.231.50.90 port 54480:11: Bye Bye [preauth]
Jan 9 23:24:49 domain sshd[15645]: Disconnected from authenticating user root 111.231.50.90 port 54480 [preauth]
Jan 9 23:27:21 domain su[16754]: Successful su for domain by root
Jan 9 23:27:21 domain su[16754]: + ??? root:domain
Jan 9 23:27:21 domain su[16754]: pam_unix(su:session): session opened for user domain by (uid=0)
Jan 9 23:27:21 domain su[16754]: pam_systemd(su:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
Jan 9 23:27:21 domain su[16754]: pam_unix(su:session): session closed for user domain
Jan 9 23:29:12 domain sshd[17078]: Invalid user ay from 164.132.57.16 port 42111
Jan 9 23:29:12 domain sshd[17078]: pam_unix(sshd:auth): check pass; user unknown
Jan 9 23:29:12 domain sshd[17078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=164.132.57.16
Jan 9 23:29:14 domain sshd[17078]: Failed password for invalid user ay from 164.132.57.16 port 42111 ssh2
Jan 9 23:29:14 domain sshd[17078]: Received disconnect from 164.132.57.16 port 42111:11: Bye Bye [preauth]
Jan 9 23:29:14 domain sshd[17078]: Disconnected from invalid user ay 164.132.57.16 port 42111 [preauth]
Jan 9 23:30:30 domain sshd[17295]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=190.195.131.249 user=root
Jan 9 23:30:32 domain sshd[17295]: Failed password for root from 190.195.131.249 port 40859 ssh2
Jan 9 23:30:32 domain sshd[17295]: Received disconnect from 190.195.131.249 port 40859:11: Bye Bye [preauth]
Jan 9 23:30:32 domain sshd[17295]: Disconnected from authenticating user root 190.195.131.249 port 40859 [preauth]
Jan 9 23:32:23 domain su[18247]: Successful su for domain by root
Jan 9 23:32:23 domain su[18247]: + ??? root:domain
Jan 9 23:32:23 domain su[18247]: pam_unix(su:session): session opened for user domain by (uid=0)
Jan 9 23:32:23 domain su[18247]: pam_systemd(su:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
Jan 9 23:32:23 domain su[18247]: pam_unix(su:session): session closed for user domain
Jan 9 23:36:13 domain sshd[19029]: Accepted password for root from 87.71.134.34 port 61633 ssh2
Jan 9 23:36:13 domain sshd[19029]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 9 23:36:13 domain sshd[19029]: pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
One line I noticed:
Successful su for domain by root
What does this mean? Do the logs above show "normal" activity, meaning only that bad guys are trying to connect to my VPS, or does it mean they actually succeeded and are using it for their own gain?
Edit: I just checked the "recorded logins" and I indeed only see root in the list. So what am I seeing in the logs above?
There are also many groups. Trying to delete them (except root) gives this message: Deleting system groups (groups with GID less than or equal to 10) is not allowed.
In htop I see the process 18h17:17 /lib/systemd/systemd --system --deserialize 28, where the 18h is marked in red. What does this mean?
After it had been quiet for a while, I saw this in mail.log
Jan 10 00:11:08 domain dovecot: imap-login: Aborted login (no auth attempts in 4 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=</9Vp9r2bSKS5juwj>
Jan 10 00:11:09 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS: SSL_read() failed: error:140940F5:SSL routines:ssl3_read_bytes:unexpected record, session=<PIx39r2bVK25juwj>
Jan 10 00:11:13 domain dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS: SSL_read() syscall failed: Connection reset by peer, session=<eayw9r2b1rS5juwj>
Jan 10 00:11:13 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=<Ibyx9r2b3rW5juwj>
Jan 10 00:11:13 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS handshaking: SSL_accept() failed: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol, session=<rgW19r2bxLa5juwj>
Jan 10 00:11:14 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS handshaking: SSL_accept() failed: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low, session=<BwO69r2bkre5juwj>
Jan 10 00:11:14 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=<rnzD9r2bqLi5juwj>
Jan 10 00:11:15 domain dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=<C/LJ9r2b7Lm5juwj>
Jan 10 00:11:15 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=<gLXR9r2b1rq5juwj>
Jan 10 00:11:16 domain dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=</CnZ9r2bAry5juwj>
Jan 10 00:11:16 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS, session=<Qofg9r2b8ry5juwj>
Jan 10 00:11:16 domain dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=185.142.236.35, lip=93.188.167.48, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<mcXi9r2bzr25juwj>
Thanks
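To separate the brute-force noise in an auth.log like the one above from the lines that actually matter, here is an added example (not the poster's code, and not something from the post): a small Python triage script that classifies sshd, su and pam_systemd messages. The sample lines are copied from the post; the regexes follow the message formats OpenSSH sshd, su and pam_systemd write on Debian/Ubuntu systems, and `privilege_direction`, `summarize` and `SAMPLE` are names chosen here for the example.

```python
"""Triage a slice of auth.log: brute-force noise, real logins, and what the su
lines say. Added example for this post, not the poster's code; the sample lines
below are copied from the post itself."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Message formats written by OpenSSH sshd, su and pam_systemd (Debian/Ubuntu syslog).
RE_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
RE_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
RE_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
# su logs "Successful su for TARGET by SOURCE": the second name is who ran su.
RE_SU = re.compile(r"su\[\d+\]: Successful su for (?P<target>\S+) by (?P<source>\S+)")
RE_PAM_LIMIT = re.compile(
    r"pam_systemd\([^)]*\): Failed to create session: Maximum number of sessions")

# Lines copied from the post (hostname "domain" as it appears there).
SAMPLE = """
Jan 9 23:22:20 domain su[15114]: Successful su for domain by root
Jan 9 23:22:20 domain su[15114]: + ??? root:domain
Jan 9 23:22:20 domain su[15114]: pam_systemd(su:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
Jan 9 23:24:47 domain sshd[15645]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.231.50.90 user=root
Jan 9 23:24:49 domain sshd[15645]: Failed password for root from 111.231.50.90 port 54480 ssh2
Jan 9 23:27:21 domain su[16754]: Successful su for domain by root
Jan 9 23:29:12 domain sshd[17078]: Invalid user ay from 164.132.57.16 port 42111
Jan 9 23:29:14 domain sshd[17078]: Failed password for invalid user ay from 164.132.57.16 port 42111 ssh2
Jan 9 23:30:32 domain sshd[17295]: Failed password for root from 190.195.131.249 port 40859 ssh2
Jan 9 23:32:23 domain su[18247]: Successful su for domain by root
Jan 9 23:36:13 domain sshd[19029]: Accepted password for root from 87.71.134.34 port 61633 ssh2
Jan 9 23:36:13 domain sshd[19029]: pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (8192) reached, refusing further sessions.
""".strip().splitlines()


@dataclass
class Triage:
    accepted: list = field(default_factory=list)      # (user, ip, method): sessions that opened
    failed_by_ip: Counter = field(default_factory=Counter)
    failed_users: Counter = field(default_factory=Counter)
    invalid_users: set = field(default_factory=set)   # names that do not exist on the box
    su_events: list = field(default_factory=list)     # (target, source)
    session_limit_hits: int = 0                       # pam_systemd refused to create a scope


def triage_auth_log(lines):
    """Classify each line; lines matching no known format are ignored, not guessed at."""
    t = Triage()
    for line in lines:
        if m := RE_ACCEPTED.search(line):
            t.accepted.append((m["user"], m["ip"], m["method"]))
        elif m := RE_FAILED.search(line):
            t.failed_by_ip[m["ip"]] += 1
            t.failed_users[m["user"]] += 1
        elif m := RE_INVALID.search(line):
            t.invalid_users.add(m["user"])
        elif m := RE_SU.search(line):
            t.su_events.append((m["target"], m["source"]))
        elif RE_PAM_LIMIT.search(line):
            t.session_limit_hits += 1
    return t


def privilege_direction(target, source):
    """A su line is only alarming when a non-root account became root."""
    if target == "root" and source != "root":
        return "escalation"
    if source == "root" and target != "root":
        return "drop"          # root switched down to an unprivileged account
    return "lateral"


def summarize(t):
    """What to actually look at: who got in, who only knocked, and any real escalations."""
    return {
        "real_logins": sorted(set((u, ip) for u, ip, _ in t.accepted)),
        "noise_ips": sorted(t.failed_by_ip),
        "escalations": [(tg, s) for tg, s in t.su_events
                        if privilege_direction(tg, s) == "escalation"],
        "session_limit_hits": t.session_limit_hits,
    }


if __name__ == "__main__":
    for key, value in summarize(triage_auth_log(SAMPLE)).items():
        print(f"{key}: {value}")
```

Read against the post's lines: the only line that opened an SSH session is `Accepted password for root from 87.71.134.34`, so whether that address is the poster's own is the thing to check; the `Failed password` and `Invalid user` lines are password guessing that did not get in. `Successful su for domain by root` is root switching down to the `domain` account (su logs `for TARGET by SOURCE`, and `+ ??? root:domain` repeats it as from:to with an unknown tty), which is what a cron job or service wrapper running as root typically produces. The `pam_systemd ... Maximum number of sessions (8192)` line means logind has reached its session cap; pam_unix still opens and closes the session around it, so the su itself went through, but no systemd scope is created for it. To run this on the real file, replace `SAMPLE` with `open("/var/log/auth.log")`.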