SSH attack - multiple root login attempts

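Recently I noticed that someone keeps trying to log in to my Ubuntu server as root over ssh. I first noticed this about a week ago, and the attempts come from multiple IP addresses. At first he tried to access the most common accounts, but lately he has been focusing on root.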

Jan 21 23:55:38 GrXXXXXmp sshd[1566731]: Failed password for invalid user birgit from 125.129.82.220 port 39106 ssh2
Jan 21 23:55:47 GrXXXXXmp sshd[1566733]: Failed password for invalid user wordpress from 5.51.84.107 port 36050 ssh2
Jan 21 23:55:53 GrXXXXXmp sshd[1566737]: Failed password for invalid user test from 103.149.198.24 port 35914 ssh2
Jan 21 23:55:53 GrXXXXXmp sshd[1566735]: Failed password for invalid user user2 from 190.9.130.159 port 37515 ssh2
Jan 21 23:56:03 GrXXXXXmp sshd[1566741]: Failed password for invalid user sshadmin from 43.135.163.185 port 38084 ssh2
Jan 21 23:56:03 GrXXXXXmp sshd[1566739]: Failed password for invalid user wcsuser from 61.19.127.228 port 39448 ssh2
Jan 21 23:56:03 GrXXXXXmp sshd[1566743]: Failed password for invalid user phpmyadmin from 147.182.247.29 port 35134 ssh2
...
Jan 26 12:13:51 GrXXXXXmp sshd[1687744]: Failed password for root from 45.158.181.150 port 56728 ssh2
Jan 26 12:14:24 GrXXXXXmp sshd[1687873]: Failed password for root from 122.155.166.78 port 41422 ssh2
Jan 26 12:14:56 GrXXXXXmp sshd[1687880]: Failed password for root from 45.158.181.150 port 43194 ssh2
Jan 26 12:15:44 GrXXXXXmp sshd[1687890]: Failed password for root from 122.155.166.78 port 37962 ssh2
Jan 26 12:16:15 GrXXXXXmp sshd[1687913]: Failed password for root from 45.158.181.150 port 57896 ssh2
Jan 26 12:17:03 GrXXXXXmp sshd[1687918]: Failed password for root from 122.155.166.78 port 34108 ssh2
Jan 26 12:17:23 GrXXXXXmp sshd[1687923]: Failed password for root from 45.158.181.150 port 44366 ssh2

I have configured a non-standard ssh port.

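Normally I would list these addresses and block them via hosts.deny, and reduce MaxTries in the ssh configuration. But I am just wondering whether someone more experienced knows how to counter this kind of attack?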

This looks like an SSH brute-force attack

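Answer 1

If your ssh is exposed to the internet, I recommend using keys instead of passwords to log in.

A few suggestions:

  1. Disable root login (allow only your own user)

  2. Disable password login after setting up ssh keys

I am no expert either, I just learned this from a tutorial: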

https://www.youtube.com/watch?v=ZhMw53Ud2tY
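
One way to verify that both suggestions in the answer are actually in effect (an added example, not part of the original answer): the function below reads the effective configuration that `sshd -T` prints and counts deviations. The name `audit_sshd` and the sample input are constructed for this example, and the keyboard-interactive check goes beyond the two points in the answer.

```shell
#!/bin/sh
# Added example: audit an effective sshd configuration.
# Input on stdin is the output of `sshd -T` (one lowercase
# "keyword value" pair per line), e.g.:  sudo sshd -T | audit_sshd
# Exit status = number of findings; 0 means all checks pass.
audit_sshd() {
    awk '
        { v[$1] = tolower($2) }
        END {
            n = 0
            # Keys must work before passwords are turned off, or you lock yourself out.
            if (v["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes"; n++
            }
            # "prohibit-password" still lets root in with a key, so only "no" passes.
            if (v["permitrootlogin"] != "no") {
                print "FAIL permitrootlogin=" v["permitrootlogin"] " (want no)"; n++
            }
            if (v["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication=" v["passwordauthentication"] " (want no)"; n++
            }
            # Keyboard-interactive (PAM) can still prompt for a password.
            # Older OpenSSH prints this option as challengeresponseauthentication.
            kbd = ("kbdinteractiveauthentication" in v) ? \
                v["kbdinteractiveauthentication"] : v["challengeresponseauthentication"]
            if (kbd != "no") {
                print "FAIL keyboard-interactive authentication=" kbd " (want no)"; n++
            }
            if (n == 0) print "OK root login and password login are disabled"
            exit n
        }'
}

# Constructed sample input (not taken from the page): root and password login still on.
sample='permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes'
printf '%s\n' "$sample" | audit_sshd
echo "findings: $?"
```

Run it after every change to `sshd_config` and before closing the session you are logged in with, so that a key-based login is confirmed to work first.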
