[OS-related] Alibaba Cloud: a few hours after replacing SSH password authentication with keys, the host turned out to be under "attack". Analysis and response

Published: 2025/1/30 14:40:34

Source of information:

File: /var/log/auth.log

sshd_config on this host sets LogLevel INFO, so sshd records every authentication attempt there, including the usernames that scanners guess.

Excerpt:

2025-01-27T18:18:55.682727+08:00 jpn sshd[15891]: Received disconnect from 45.194.37.171 port 58954:11: Bye Bye [preauth]
2025-01-27T18:18:55.682852+08:00 jpn sshd[15891]: Disconnected from invalid user es 45.194.37.171 port 58954 [preauth]
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from **** port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0
2025-01-27T18:19:30.863454+08:00 jpn sshd[15894]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:30.894649+08:00 jpn systemd-logind[834]: New session 68 of user root.
2025-01-27T18:19:30.936765+08:00 jpn (systemd): pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:40.757504+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:40.758049+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:48.862708+08:00 jpn sshd[16046]: Connection closed by 2.57.122.32 port 45270
2025-01-27T18:19:49.986155+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:19:52.902680+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:52.904224+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330
2025-01-27T18:19:59.927275+08:00 jpn sshd[16051]: Received disconnect from 103.27.36.57 port 52330:11: Bye Bye [preauth]
2025-01-27T18:19:59.927353+08:00 jpn sshd[16051]: Disconnected from invalid user es 103.27.36.57 port 52330 [preauth]
2025-01-27T18:20:22.627449+08:00 jpn sshd[16055]: Received disconnect from 218.92.0.229 port 27794:11:  [preauth]
2025-01-27T18:20:22.627596+08:00 jpn sshd[16055]: Disconnected from 218.92.0.229 port 27794 [preauth]
2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126
2025-01-27T18:20:22.812352+08:00 jpn sshd[16057]: Received disconnect from 45.194.37.171 port 45126:11: Bye Bye [preauth]
2025-01-27T18:20:22.812444+08:00 jpn sshd[16057]: Disconnected from invalid user sammy 45.194.37.171 port 45126 [preauth]
2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514
2025-01-27T18:20:26.709218+08:00 jpn sshd[16059]: Received disconnect from 185.213.165.222 port 41514:11: Bye Bye [preauth]
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:20:42.828438+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928
2025-01-27T18:21:23.118253+08:00 jpn sshd[16098]: Received disconnect from 103.27.36.57 port 58928:11: Bye Bye [preauth]
2025-01-27T18:21:23.118331+08:00 jpn sshd[16098]: Disconnected from invalid user ftpuser 103.27.36.57 port 58928 [preauth]
2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898
2025-01-27T18:21:41.196305+08:00 jpn sshd[16101]: Received disconnect from 185.213.165.222 port 39898:11: Bye Bye [preauth]
2025-01-27T18:21:41.196384+08:00 jpn sshd[16101]: Disconnected from invalid user dev 185.213.165.222 port 39898 [preauth]
2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420
2025-01-27T18:21:51.038467+08:00 jpn sshd[16103]: Received disconnect from 45.194.37.171 port 33420:11: Bye Bye [preauth]
2025-01-27T18:21:51.038551+08:00 jpn sshd[16103]: Disconnected from invalid user alex 45.194.37.171 port 33420 [preauth]
2025-01-27T18:22:00.498436+08:00 jpn sshd[16105]: Received disconnect from 218.92.0.221 port 29964:11:  [preauth]
2025-01-27T18:22:00.498537+08:00 jpn sshd[16105]: Disconnected from 218.92.0.221 port 29964 [preauth]
2025-01-27T18:22:03.387463+08:00 jpn sshd[16107]: Received disconnect from 218.92.0.222 port 57854:11:  [preauth]
2025-01-27T18:22:03.387564+08:00 jpn sshd[16107]: Disconnected from 218.92.0.222 port 57854 [preauth]
2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744
2025-01-27T18:22:46.409949+08:00 jpn sshd[16109]: Received disconnect from 103.27.36.57 port 51744:11: Bye Bye [preauth]
2025-01-27T18:22:46.410041+08:00 jpn sshd[16109]: Disconnected from invalid user sammy 103.27.36.57 port 51744 [preauth]
2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412
2025-01-27T18:23:03.736443+08:00 jpn sshd[16111]: Received disconnect from 185.213.165.222 port 39412:11: Bye Bye [preauth]
2025-01-27T18:23:03.736530+08:00 jpn sshd[16111]: Disconnected from invalid user server 185.213.165.222 port 39412 [preauth]
2025-01-27T18:23:24.999251+08:00 jpn sshd[16116]: Invalid user user1 from 45.194.37.171 port 37228
2025-01-27T18:23:25.063685+08:00 jpn sshd[16116]: Received disconnect from 45.194.37.171 port 37228:11: Bye Bye [preauth]
2025-01-27T18:23:25.063778+08:00 jpn sshd[16116]: Disconnected from invalid user user1 45.194.37.171 port 37228 [preauth]
2025-01-27T18:24:04.966112+08:00 jpn sshd[16120]: Received disconnect from 103.27.36.57 port 57388:11: Bye Bye [preauth]
2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]
2025-01-27T18:24:15.054187+08:00 jpn sshd[16122]: Invalid user smart from 185.213.165.222 port 39408
2025-01-27T18:24:15.377906+08:00 jpn sshd[16122]: Received disconnect from 185.213.165.222 port 39408:11: Bye Bye [preauth]
2025-01-27T18:24:15.378009+08:00 jpn sshd[16122]: Disconnected from invalid user smart 185.213.165.222 port 39408 [preauth]
2025-01-27T18:25:01.028050+08:00 jpn CRON[16125]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:25:01.030389+08:00 jpn CRON[16125]: pam_unix(cron:session): session closed for user root
2025-01-27T18:25:01.780947+08:00 jpn sshd[16128]: Invalid user smart from 45.194.37.171 port 54306
2025-01-27T18:25:01.841197+08:00 jpn sshd[16128]: Received disconnect from 45.194.37.171 port 54306:11: Bye Bye [preauth]
2025-01-27T18:25:01.841281+08:00 jpn sshd[16128]: Disconnected from invalid user smart 45.194.37.171 port 54306 [preauth]
2025-01-27T18:25:19.503142+08:00 jpn sshd[16130]: Invalid user test from 103.27.36.57 port 49936
2025-01-27T18:25:19.604616+08:00 jpn sshd[16130]: Received disconnect from 103.27.36.57 port 49936:11: Bye Bye [preauth]
2025-01-27T18:25:19.604710+08:00 jpn sshd[16130]: Disconnected from invalid user test 103.27.36.57 port 49936 [preauth]
2025-01-27T18:25:21.589372+08:00 jpn sshd[16132]: Invalid user steam from 185.213.165.222 port 58956
2025-01-27T18:25:21.937081+08:00 jpn sshd[16132]: Received disconnect from 185.213.165.222 port 58956:11: Bye Bye [preauth]
2025-01-27T18:25:21.937164+08:00 jpn sshd[16132]: Disconnected from invalid user steam 185.213.165.222 port 58956 [preauth]
2025-01-27T18:26:27.432529+08:00 jpn sshd[16136]: Invalid user deploy from 185.213.165.222 port 43124
2025-01-27T18:26:27.766964+08:00 jpn sshd[16136]: Received disconnect from 185.213.165.222 port 43124:11: Bye Bye [preauth]
2025-01-27T18:26:27.767062+08:00 jpn sshd[16136]: Disconnected from invalid user deploy 185.213.165.222 port 43124 [preauth]
2025-01-27T18:26:36.494292+08:00 jpn sshd[16138]: Invalid user dev from 103.27.36.57 port 50164
2025-01-27T18:26:36.595899+08:00 jpn sshd[16138]: Received disconnect from 103.27.36.57 port 50164:11: Bye Bye [preauth]
2025-01-27T18:26:36.596008+08:00 jpn sshd[16138]: Disconnected from invalid user dev 103.27.36.57 port 50164 [preauth]
2025-01-27T18:26:37.148520+08:00 jpn sshd[16141]: Received disconnect from 45.194.37.171 port 43148:11: Bye Bye [preauth]
2025-01-27T18:26:37.148638+08:00 jpn sshd[16141]: Disconnected from authenticating user admin 45.194.37.171 port 43148 [preauth]
2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824
2025-01-27T18:27:19.962218+08:00 jpn sshd[16144]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
2025-01-27T18:27:35.048858+08:00 jpn sshd[16146]: Invalid user user from 185.213.165.222 port 35672
2025-01-27T18:27:35.388298+08:00 jpn sshd[16146]: Received disconnect from 185.213.165.222 port 35672:11: Bye Bye [preauth]
2025-01-27T18:27:35.388373+08:00 jpn sshd[16146]: Disconnected from invalid user user 185.213.165.222 port 35672 [preauth]
2025-01-27T18:27:52.749556+08:00 jpn sshd[16148]: Invalid user debian from 103.27.36.57 port 33168
2025-01-27T18:27:52.856125+08:00 jpn sshd[16148]: Received disconnect from 103.27.36.57 port 33168:11: Bye Bye [preauth]
2025-01-27T18:27:52.856215+08:00 jpn sshd[16148]: Disconnected from invalid user debian 103.27.36.57 port 33168 [preauth]
2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132
2025-01-27T18:27:58.945670+08:00 jpn sshd[16150]: Received disconnect from 190.181.4.12 port 53132:11: Bye Bye [preauth]
2025-01-27T18:27:58.945810+08:00 jpn sshd[16150]: Disconnected from invalid user sammy 190.181.4.12 port 53132 [preauth]
2025-01-27T18:28:17.065155+08:00 jpn sshd[16152]: Invalid user deploy from 45.194.37.171 port 36046
2025-01-27T18:28:17.129274+08:00 jpn sshd[16152]: Received disconnect from 45.194.37.171 port 36046:11: Bye Bye [preauth]
2025-01-27T18:28:17.129355+08:00 jpn sshd[16152]: Disconnected from invalid user deploy 45.194.37.171 port 36046 [preauth]
root@jpn:~# cat /var/log/auth.log

Log analysis:

Dense brute-force attempts, mainly from the following addresses (usernames as they appear in the excerpt; the full log has more):

185.213.165.222: tried test, dev, server, smart, steam, deploy, user
45.194.37.171: tried es, sammy, alex, user1, smart, admin, deploy
103.27.36.57: tried es, ftpuser, sammy, admin, test, dev, debian
139.19.117.130: offered a public key for the non-existent user udatabase with an ssh-rsa signature, which this sshd refuses because SHA-1 ssh-rsa is no longer in PubkeyAcceptedAlgorithms
190.181.4.12: tried sammy
203.23.199.89 (in the full log, not in the excerpt above)
85.208.253.163 (in the full log, not in the excerpt above)

Three addresses in 218.92.0.0/24 (.221, .222, .229) and 2.57.122.32 drop the connection before user authentication starts, so no username is logged for them.

Two things to check before worrying: none of the lines from these addresses is an Accepted line, every one of them ends in a pre-authentication disconnect, and the only Accepted line in the excerpt is the ED25519 key login for root from the (redacted) administrator address, followed by that session's two visudo runs. Since password authentication is already disabled on this host, username guessing cannot succeed; what it costs is log volume and CPU.

The IPs are spread all over the world.
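As an added example (not code from the original post), the tally above done mechanically with a small POSIX shell script: it counts pre-auth failures per source address, lists the usernames each address tried, and prints any Accepted logins, which is the list you actually want to be empty apart from your own key. The sample lines embedded in the script are copied from the excerpt above, except the Accepted line, whose redacted source address is replaced by the documentation address 192.0.2.10; the script name sshlog.sh is just a placeholder. Run it against the real file with sh sshlog.sh /var/log/auth.log.

```shell
#!/bin/sh
# Added example, not part of the original post: tally sshd pre-auth failures
# from an auth.log written at LogLevel INFO (ISO timestamps, as in the excerpt).
# Usage: sh sshlog.sh [/var/log/auth.log]   (no argument: use the built-in sample)

# Constructed sample: lines copied from the excerpt in the post. The Accepted
# line's source address was redacted there; 192.0.2.10 (RFC 5737) stands in.
sample_log() {
cat <<'EOF'
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from 192.0.2.10 port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0
2025-01-27T18:19:59.927353+08:00 jpn sshd[16051]: Disconnected from invalid user es 103.27.36.57 port 52330 [preauth]
2025-01-27T18:20:22.627596+08:00 jpn sshd[16055]: Disconnected from 218.92.0.229 port 27794 [preauth]
2025-01-27T18:20:22.812444+08:00 jpn sshd[16057]: Disconnected from invalid user sammy 45.194.37.171 port 45126 [preauth]
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:21:23.118331+08:00 jpn sshd[16098]: Disconnected from invalid user ftpuser 103.27.36.57 port 58928 [preauth]
2025-01-27T18:21:41.196384+08:00 jpn sshd[16101]: Disconnected from invalid user dev 185.213.165.222 port 39898 [preauth]
2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
EOF
}

# One line per failed attempt: sshd logs "Disconnected from ..." or
# "Connection closed by ..." with "invalid user" (no such account) or
# "authenticating user" (account exists, auth failed). Lines with no username
# (disconnect before userauth) are not counted. Output: "<count> <ip>",
# most active first, ties broken by address.
failed_by_ip() {
  grep -E '(Disconnected from|Connection closed by) (invalid|authenticating) user ' "$1" \
    | sed -E 's/.* user [^ ]+ ([0-9.]+) port .*/\1/' \
    | sort | uniq -c \
    | awk '{print $1, $2}' \
    | sort -k1,1nr -k2,2
}

# Distinct usernames one address tried, sorted, space separated.
users_for_ip() {
  grep -E "(invalid|authenticating) user [^ ]+ $2 port " "$1" \
    | sed -E 's/.* user ([^ ]+) [0-9.]+ port .*/\1/' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Successful logins as "<user> <ip> <method> <key type and fingerprint>".
# Anything here that is not your own key from your own address is an incident.
accepted_logins() {
  grep -E 'Accepted (publickey|password|keyboard-interactive)[^ ]* for ' "$1" \
    | sed -E 's/.*Accepted ([^ ]+) for ([^ ]+) from ([^ ]+) port [0-9]+ ssh2: ?(.*)/\2 \3 \1 \4/'
}

LOG="${1:-}"
if [ -z "$LOG" ]; then
  LOG=$(mktemp) && sample_log > "$LOG"
fi

echo "== failed pre-auth attempts per source address =="
failed_by_ip "$LOG"
echo "== usernames tried per address =="
failed_by_ip "$LOG" | while read -r _ ip; do
  printf '%s: %s\n' "$ip" "$(users_for_ip "$LOG" "$ip")"
done
echo "== accepted logins (expect only your own key) =="
accepted_logins "$LOG"
```

On the built-in sample this reports 103.27.36.57 with 3 attempts (admin, es, ftpuser), 185.213.165.222 with 2, and one each for 45.194.37.171 and 139.19.117.130; the 218.92.0.229 line is ignored because it carries no username. The fingerprint printed for the Accepted line is the one to compare against ssh-keygen -lf on your own public key.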

Response:

Either move sshd to a different port, or use fail2ban to ban addresses that keep failing (or both). Moving the port only reduces the noise from mass scanners and adds no security by itself; fail2ban cuts the attempts short, which with key-only authentication already in place is mostly about keeping the log readable and the host idle.

What follows is the fail2ban route.

1. Install fail2ban

apt update
apt install fail2ban -y

2. The Alibaba Cloud apt mirror could not be reached

3. Update /etc/apt/sources.list (switched to the Ubuntu Japan mirror plus the official security pocket)

root@jpn:~# cat /etc/apt/sources.list
deb http://jp.archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse

4. Install fail2ban again

sudo apt update && sudo apt upgrade -y
apt install fail2ban -y

5. Create the configuration file

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

6. Edit the configuration file /etc/fail2ban/jail.local

Original content:

Content after my change:

Policy: 3 failures within 5 minutes ban the address for 1 hour, i.e. maxretry = 3, findtime = 5m, bantime = 1h, set in [DEFAULT] or under [sshd]. fail2ban accepts these time suffixes as well as plain seconds (300 and 3600).

7. Enable at boot and start the service

systemctl enable fail2ban
systemctl start fail2ban

After changing the configuration, restart the service:

systemctl restart fail2ban

8. Checking status and viewing the ban list

1) Service status

systemctl status fail2ban

2) Detailed status of the sshd jail, including the banned-IP list

fail2ban-client status sshd

3) Checking the effective values (reported in seconds, so 1h reads as 3600 and 5m as 300)
fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
fail2ban-client get sshd maxretry
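As an added example (not the post's own file, whose contents are not reproduced above), here is the jail.local fragment that implements the step 6 policy, wrapped in a POSIX shell script together with the step 8 checks. A minimal jail.local that only overrides the keys you change has the same effect as editing the full copy made in step 5 and is much easier to review. The destination path is a parameter so the file can be generated and inspected on any machine; the live checks run only where fail2ban-client and sshd are installed. The script name f2b-sshd.sh and the ignoreip value are placeholders: put your own management address in ignoreip.

```shell
#!/bin/sh
# Added example, not from the original post: write a jail.local for the policy
# "3 failures within 5 minutes => 1 hour ban" and run the checks from step 8.
# Usage: sh f2b-sshd.sh [/etc/fail2ban/jail.local]

# Write a minimal override file; every key not set here keeps its jail.conf
# default. $1 = destination (normally /etc/fail2ban/jail.local).
write_sshd_jail() {
  cat > "$1" <<'EOF'
# jail.local: local overrides. jail.conf is left untouched so that package
# upgrades do not clobber the policy.
[DEFAULT]
# Assumption: add your own workstation / management CIDR here so that a
# mistake in your key setup cannot lock you out.
ignoreip = 127.0.0.1/8 ::1
# Ban an address after maxretry failures within findtime, for bantime.
findtime = 5m
maxretry = 3
bantime  = 1h

[sshd]
enabled = true
# If you move sshd to another port, change this too: the ban action only
# blocks the ports listed here.
port    = ssh
# fail2ban reads /var/log/auth.log here (backend = auto). On a host without
# rsyslog, where that file does not exist, uncomment the next line so it
# reads the systemd journal instead.
# backend = systemd
EOF
}

# Read one key (first occurrence) back from a jail file, to confirm what was
# written before restarting the service.
jail_get() {
  sed -n -E "s/^$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | head -n 1
}

# Step 8: config test, service state, ban list and effective values.
# fail2ban-client reports bantime/findtime in seconds: 1h shows as 3600, 5m as 300.
show_status() {
  if ! command -v fail2ban-client >/dev/null 2>&1; then
    echo "fail2ban-client not found; skipping live checks" >&2
    return 0
  fi
  fail2ban-client -t                      # parse the config before restarting
  systemctl is-active fail2ban
  fail2ban-client status sshd             # includes the "Banned IP list"
  for k in bantime findtime maxretry; do
    printf '%s = %s\n' "$k" "$(fail2ban-client get sshd "$k")"
  done
}

# The premise of the whole setup: sshd must refuse passwords. sshd -T prints
# the effective configuration; it needs root because it loads the host keys.
check_sshd_config() {
  [ -x /usr/sbin/sshd ] || { echo "sshd not found; skipping" >&2; return 0; }
  /usr/sbin/sshd -T 2>/dev/null \
    | grep -Ei '^(passwordauthentication|pubkeyauthentication|permitrootlogin|loglevel) ' \
    || echo "sshd -T failed (run as root)" >&2
}

DEST="${1:-/etc/fail2ban/jail.local}"
if [ -w "$(dirname "$DEST")" ]; then
  write_sshd_jail "$DEST"
  echo "wrote $DEST: maxretry=$(jail_get "$DEST" maxretry) findtime=$(jail_get "$DEST" findtime) bantime=$(jail_get "$DEST" bantime)"
else
  echo "$DEST not writable; showing checks only" >&2
fi
check_sshd_config
show_status
```

After writing the file, run systemctl restart fail2ban as in step 7; the show_status checks should then print active, the sshd jail with its banned list, and 3600 / 300 / 3 for the three values. The sshd -T lines should show passwordauthentication no and pubkeyauthentication yes, otherwise the key-only switch the post describes has not actually taken effect.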

Closing remarks:

These two nights I have been looking at an Alibaba Cloud performance/outage problem. Going from removing Alibaba Cloud services to adding ssh log output while switching to key authentication, I suddenly noticed the retry-login IPs in the log. Now installing f2b to deal with it.

Knowledge from 20 years ago still comes in handy.

In this short while it has already shut out 8 of them.

This article was submitted by an internet user; the views are the author's own and do not represent this site. The site only provides storage space, does not own the content and bears no legal responsibility for it. When reprinting, cite the source: http://www.coloradmin.cn/o/2284771.html

