我似乎在通过 ssh 连接的这台 Ubuntu 服务器上收到了很多不同的连接 (ssh)。这些只是暴力破解尝试吗?
运行时netstat -tnpa | grep 'ESTABLISHED.*sshd'为什么每行末尾分别出现“root@p”和“[accep”?
此外,运行时grep sshd.\*Failed /var/log/auth.log | tail -20我似乎会得到很多不同的“无效用户”。为什么会这样?最后,ps auxwww | grep sshd:输出两个“[accepted]”。为什么会这样?
谢谢。命令的输出如下所示 -->
https://i.stack.imgur.com/f2qNQ.png https://i.stack.imgur.com/kMByp.png
更新:
现在又发生了一件有趣的事情。我 netstat -tnpa | grep 'ESTABLISHED.*sshd'再次运行,发现一个来自香港的 IP 格式为“103.100.xxxx”,显然被列出来了。然后我运行cat /var/log/auth.log | tail -100并得到了以下结果
Feb 16 17:58:25 838396123831 sshd[227710]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.100.210.xxx user=root
Feb 16 17:58:26 838396123831 sshd[227708]: Received disconnect from 103.136.xxxxp ort 33268:11: Bye Bye [preauth]
Feb 16 17:58:26 838396123831 sshd[227708]: Disconnected from invalid user hero 103.136.xxxx port 33268 [preauth]
Feb 16 17:58:27 838396123831 sshd[227710]: Failed password for root from 103.100.xxxx port 40810 ssh2
Feb 16 17:58:27 838396123831 sshd[227710]: Received disconnect from 103.100.xxxx port 40810:11: Bye Bye [preauth]
Feb 16 17:58:27 838396123831 sshd[227710]: Disconnected from authenticating user root 103.100.xxxx port 40810 [preauth]
然后我跑过去grep sshd.\*Failed /var/log/auth.log | tail -20发现Feb 16 18:00:42 838396123831 sshd[227760]: Failed password for invalid user ircbot from 103.136.xxxxx port 47546 ssh2
然后我跑去grep sshd.\*Failed /var/log/auth.log | tail -100看看
Feb 16 17:53:24 838396123831 sshd[227596]: Failed password for root from 103.136.xxxx port 33470 ssh2
Feb 16 17:55:57 838396123831 sshd[227652]: Failed password for root from 103.136.xxxxx port 47406 ssh2
Feb 16 17:58:24 838396123831 sshd[227708]: Failed password for invalid user hero from 103.136.xxxxx port 33268 ssh2
Feb 16 18:00:42 838396123831 sshd[227760]: Failed password for invalid user ircbot from 103.136.xxxxx port 47546 ssh2
这是什么意思?发生了什么事?是否有其他人设法通过 ssh 登录到服务器?
答案1
是的,这些都是暴力攻击。任何拥有面向外部的设备的人几乎都会立即遭受此类攻击。
不,我不认为您实际上已经受到攻击。ESTABLISHED您观察到的连接只是一次正在进行的尝试。不要将ESTABLISHEDTCP 连接与成功的 SSH 登录混淆,它们并不相同。
我假设实际的 SSH 连接就是你。
考虑将 SSH 端口从默认端口 22 更改为其他端口,并/或实施“坏人”检测器。许多人推荐使用 fail2ban。我使用 iptables 中的最新模块。针对中国的技巧是封锁整个子网,而不仅仅是攻击 IP,因为他们变得很聪明,一旦被封锁,就会切换到另一个 IP。示例 iptables 规则段,有点脱离上下文:
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --mask $BIT_MASK --set --name BADGUY_SSH -j ACCEPT