Source of information:
File: /var/log/auth.log
These lines are present because LogLevel INFO is already set in the sshd_config configuration file.
Excerpt:
2025-01-27T18:18:55.682727+08:00 jpn sshd[15891]: Received disconnect from 45.194.37.171 port 58954:11: Bye Bye [preauth]
2025-01-27T18:18:55.682852+08:00 jpn sshd[15891]: Disconnected from invalid user es 45.194.37.171 port 58954 [preauth]
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from **** port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0
2025-01-27T18:19:30.863454+08:00 jpn sshd[15894]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:30.894649+08:00 jpn systemd-logind[834]: New session 68 of user root.
2025-01-27T18:19:30.936765+08:00 jpn (systemd): pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:40.757504+08:00 jpn sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:40.758049+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:48.862708+08:00 jpn sshd[16046]: Connection closed by 2.57.122.32 port 45270
2025-01-27T18:19:49.986155+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:19:52.902680+08:00 jpn sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:52.904224+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330
2025-01-27T18:19:59.927275+08:00 jpn sshd[16051]: Received disconnect from 103.27.36.57 port 52330:11: Bye Bye [preauth]
2025-01-27T18:19:59.927353+08:00 jpn sshd[16051]: Disconnected from invalid user es 103.27.36.57 port 52330 [preauth]
2025-01-27T18:20:22.627449+08:00 jpn sshd[16055]: Received disconnect from 218.92.0.229 port 27794:11: [preauth]
2025-01-27T18:20:22.627596+08:00 jpn sshd[16055]: Disconnected from 218.92.0.229 port 27794 [preauth]
2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126
2025-01-27T18:20:22.812352+08:00 jpn sshd[16057]: Received disconnect from 45.194.37.171 port 45126:11: Bye Bye [preauth]
2025-01-27T18:20:22.812444+08:00 jpn sshd[16057]: Disconnected from invalid user sammy 45.194.37.171 port 45126 [preauth]
2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514
2025-01-27T18:20:26.709218+08:00 jpn sshd[16059]: Received disconnect from 185.213.165.222 port 41514:11: Bye Bye [preauth]
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:20:42.828438+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928
2025-01-27T18:21:23.118253+08:00 jpn sshd[16098]: Received disconnect from 103.27.36.57 port 58928:11: Bye Bye [preauth]
2025-01-27T18:21:23.118331+08:00 jpn sshd[16098]: Disconnected from invalid user ftpuser 103.27.36.57 port 58928 [preauth]
2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898
2025-01-27T18:21:41.196305+08:00 jpn sshd[16101]: Received disconnect from 185.213.165.222 port 39898:11: Bye Bye [preauth]
2025-01-27T18:21:41.196384+08:00 jpn sshd[16101]: Disconnected from invalid user dev 185.213.165.222 port 39898 [preauth]
2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420
2025-01-27T18:21:51.038467+08:00 jpn sshd[16103]: Received disconnect from 45.194.37.171 port 33420:11: Bye Bye [preauth]
2025-01-27T18:21:51.038551+08:00 jpn sshd[16103]: Disconnected from invalid user alex 45.194.37.171 port 33420 [preauth]
2025-01-27T18:22:00.498436+08:00 jpn sshd[16105]: Received disconnect from 218.92.0.221 port 29964:11: [preauth]
2025-01-27T18:22:00.498537+08:00 jpn sshd[16105]: Disconnected from 218.92.0.221 port 29964 [preauth]
2025-01-27T18:22:03.387463+08:00 jpn sshd[16107]: Received disconnect from 218.92.0.222 port 57854:11: [preauth]
2025-01-27T18:22:03.387564+08:00 jpn sshd[16107]: Disconnected from 218.92.0.222 port 57854 [preauth]
2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744
2025-01-27T18:22:46.409949+08:00 jpn sshd[16109]: Received disconnect from 103.27.36.57 port 51744:11: Bye Bye [preauth]
2025-01-27T18:22:46.410041+08:00 jpn sshd[16109]: Disconnected from invalid user sammy 103.27.36.57 port 51744 [preauth]
2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412
2025-01-27T18:23:03.736443+08:00 jpn sshd[16111]: Received disconnect from 185.213.165.222 port 39412:11: Bye Bye [preauth]
2025-01-27T18:23:03.736530+08:00 jpn sshd[16111]: Disconnected from invalid user server 185.213.165.222 port 39412 [preauth]
2025-01-27T18:23:24.999251+08:00 jpn sshd[16116]: Invalid user user1 from 45.194.37.171 port 37228
2025-01-27T18:23:25.063685+08:00 jpn sshd[16116]: Received disconnect from 45.194.37.171 port 37228:11: Bye Bye [preauth]
2025-01-27T18:23:25.063778+08:00 jpn sshd[16116]: Disconnected from invalid user user1 45.194.37.171 port 37228 [preauth]
2025-01-27T18:24:04.966112+08:00 jpn sshd[16120]: Received disconnect from 103.27.36.57 port 57388:11: Bye Bye [preauth]
2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]
2025-01-27T18:24:15.054187+08:00 jpn sshd[16122]: Invalid user smart from 185.213.165.222 port 39408
2025-01-27T18:24:15.377906+08:00 jpn sshd[16122]: Received disconnect from 185.213.165.222 port 39408:11: Bye Bye [preauth]
2025-01-27T18:24:15.378009+08:00 jpn sshd[16122]: Disconnected from invalid user smart 185.213.165.222 port 39408 [preauth]
2025-01-27T18:25:01.028050+08:00 jpn CRON[16125]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:25:01.030389+08:00 jpn CRON[16125]: pam_unix(cron:session): session closed for user root
2025-01-27T18:25:01.780947+08:00 jpn sshd[16128]: Invalid user smart from 45.194.37.171 port 54306
2025-01-27T18:25:01.841197+08:00 jpn sshd[16128]: Received disconnect from 45.194.37.171 port 54306:11: Bye Bye [preauth]
2025-01-27T18:25:01.841281+08:00 jpn sshd[16128]: Disconnected from invalid user smart 45.194.37.171 port 54306 [preauth]
2025-01-27T18:25:19.503142+08:00 jpn sshd[16130]: Invalid user test from 103.27.36.57 port 49936
2025-01-27T18:25:19.604616+08:00 jpn sshd[16130]: Received disconnect from 103.27.36.57 port 49936:11: Bye Bye [preauth]
2025-01-27T18:25:19.604710+08:00 jpn sshd[16130]: Disconnected from invalid user test 103.27.36.57 port 49936 [preauth]
2025-01-27T18:25:21.589372+08:00 jpn sshd[16132]: Invalid user steam from 185.213.165.222 port 58956
2025-01-27T18:25:21.937081+08:00 jpn sshd[16132]: Received disconnect from 185.213.165.222 port 58956:11: Bye Bye [preauth]
2025-01-27T18:25:21.937164+08:00 jpn sshd[16132]: Disconnected from invalid user steam 185.213.165.222 port 58956 [preauth]
2025-01-27T18:26:27.432529+08:00 jpn sshd[16136]: Invalid user deploy from 185.213.165.222 port 43124
2025-01-27T18:26:27.766964+08:00 jpn sshd[16136]: Received disconnect from 185.213.165.222 port 43124:11: Bye Bye [preauth]
2025-01-27T18:26:27.767062+08:00 jpn sshd[16136]: Disconnected from invalid user deploy 185.213.165.222 port 43124 [preauth]
2025-01-27T18:26:36.494292+08:00 jpn sshd[16138]: Invalid user dev from 103.27.36.57 port 50164
2025-01-27T18:26:36.595899+08:00 jpn sshd[16138]: Received disconnect from 103.27.36.57 port 50164:11: Bye Bye [preauth]
2025-01-27T18:26:36.596008+08:00 jpn sshd[16138]: Disconnected from invalid user dev 103.27.36.57 port 50164 [preauth]
2025-01-27T18:26:37.148520+08:00 jpn sshd[16141]: Received disconnect from 45.194.37.171 port 43148:11: Bye Bye [preauth]
2025-01-27T18:26:37.148638+08:00 jpn sshd[16141]: Disconnected from authenticating user admin 45.194.37.171 port 43148 [preauth]
2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824
2025-01-27T18:27:19.962218+08:00 jpn sshd[16144]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
2025-01-27T18:27:35.048858+08:00 jpn sshd[16146]: Invalid user user from 185.213.165.222 port 35672
2025-01-27T18:27:35.388298+08:00 jpn sshd[16146]: Received disconnect from 185.213.165.222 port 35672:11: Bye Bye [preauth]
2025-01-27T18:27:35.388373+08:00 jpn sshd[16146]: Disconnected from invalid user user 185.213.165.222 port 35672 [preauth]
2025-01-27T18:27:52.749556+08:00 jpn sshd[16148]: Invalid user debian from 103.27.36.57 port 33168
2025-01-27T18:27:52.856125+08:00 jpn sshd[16148]: Received disconnect from 103.27.36.57 port 33168:11: Bye Bye [preauth]
2025-01-27T18:27:52.856215+08:00 jpn sshd[16148]: Disconnected from invalid user debian 103.27.36.57 port 33168 [preauth]
2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132
2025-01-27T18:27:58.945670+08:00 jpn sshd[16150]: Received disconnect from 190.181.4.12 port 53132:11: Bye Bye [preauth]
2025-01-27T18:27:58.945810+08:00 jpn sshd[16150]: Disconnected from invalid user sammy 190.181.4.12 port 53132 [preauth]
2025-01-27T18:28:17.065155+08:00 jpn sshd[16152]: Invalid user deploy from 45.194.37.171 port 36046
2025-01-27T18:28:17.129274+08:00 jpn sshd[16152]: Received disconnect from 45.194.37.171 port 36046:11: Bye Bye [preauth]
2025-01-27T18:28:17.129355+08:00 jpn sshd[16152]: Disconnected from invalid user deploy 45.194.37.171 port 36046 [preauth]
root@jpn:~# cat /var/log/auth.log
Log analysis:
The only successful login in the excerpt is the root public-key login at 18:19:30 (source IP masked). Everything else is preauth noise from a dense brute-force campaign, mainly from the following IPs:
185.213.165.222: tried the usernames test, dev, server, smart, steam, deploy, user
45.194.37.171: tried sammy, alex, user1, smart, admin, deploy
103.27.36.57: tried es, ftpuser, sammy, admin, test, dev, debian
139.19.117.130: offered a public key for the nonexistent user udatabase signed with ssh-rsa (SHA-1), which OpenSSH no longer lists in its default PubkeyAcceptedAlgorithms (since 8.8), so sshd rejected the attempt before looking at any key
190.181.4.12: tried sammy
218.92.0.221 / 218.92.0.222 / 218.92.0.229 and 2.57.122.32: connected and dropped before sending a username (the disconnect lines with no user in them)
203.23.199.89
85.208.253.163
(the last two come from the full log and are not in the excerpt above)
The IPs are spread across the world.
Countermeasures:
Either move sshd to a different port, or use fail2ban to ban IPs that fail repeatedly. Moving the port only thins out the scanner noise; it is not an access control. Also confirm that PasswordAuthentication is set to no in sshd_config: the excerpt shows the real login is by public key, and with password authentication off these username guesses cannot succeed, so fail2ban's job here is to cut the log noise and the connection load rather than to stop a working attack.
Recorded here: the fail2ban route.
1. Install fail2ban
apt update
apt install fail2ban -y
2. The Alibaba Cloud apt mirror could not be reached
3. Update /etc/apt/sources.list
root@jpn:~# cat /etc/apt/sources.list
deb http://jp.archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
Note for noble (24.04): apt's default sources live in /etc/apt/sources.list.d/ubuntu.sources (deb822 format), and /etc/apt/sources.list is normally only a stub. If the unreachable mirror is also referenced from a file under /etc/apt/sources.list.d/, apt update keeps failing on it until that file is edited or removed too.
4. Continue installing fail2ban
sudo apt update && sudo apt upgrade -y
apt install fail2ban -y
5. Create the config file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
(fail2ban reads jail.conf first and layers jail.local on top, so jail.local only needs the settings you change. A full copy works, but it then shadows every later upstream change to jail.conf.)
6. Edit the config file /etc/fail2ban/jail.local
Original content:
My modified content:
Policy: 3 failures within 5 minutes gets a 1-hour ban. The corresponding settings are maxretry = 3, findtime = 5m and bantime = 1h, placed either under [DEFAULT] for every jail or under [sshd] for this jail only.
7. Enable at boot and start the service
systemctl enable fail2ban
systemctl start fail2ban
If the configuration is changed, restart the service
systemctl restart fail2ban
8. How to check the status and view the ban list
1) Check the service status: systemctl status fail2ban
2) Check the detailed status of the sshd jail, including the list of banned IPs: fail2ban-client status sshd
3) Check the effective configuration:
fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
fail2ban-client get sshd maxretry
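As an added example (not from this page and not fail2ban's own code) covering both the log analysis above and the policy from step 6: the script below loads a jail.local fragment carrying the page's values, extracts sshd preauth failures from a constructed sample of the log lines above, and replays the "3 failures in 5 minutes, ban 1 hour" rule to show which IPs get banned and when. Assumptions: the regexes only approximate what fail2ban's sshd filter matches; one failure is counted per sshd process ID, since one connection writes several lines; the userless "Disconnected from <ip> [preauth]" lines are not counted (whether fail2ban counts them depends on the filter's mode setting); and the masked source IP of the root login is replaced by the documentation address 192.0.2.10.

```python
"""Replay this page's fail2ban sshd policy over auth.log lines.

Added example; neither the page's own code nor fail2ban's. The regexes are an
approximation of fail2ban's sshd filter (an assumption, not its real rules).
"""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# jail.local fragment with the policy described on the page.
JAIL_LOCAL = """
[sshd]
enabled  = true
bantime  = 1h
findtime = 5m
maxretry = 3
"""

# Constructed sample: auth.log lines copied from the page, plus one successful
# login whose masked source IP is replaced by the documentation address 192.0.2.10.
SAMPLE_LOG = """\
2025-01-27T18:18:55.682852+08:00 jpn sshd[15891]: Disconnected from invalid user es 45.194.37.171 port 58954 [preauth]
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from 192.0.2.10 port 37287 ssh2: ED25519
2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330
2025-01-27T18:20:22.627449+08:00 jpn sshd[16055]: Received disconnect from 218.92.0.229 port 27794:11: [preauth]
2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126
2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928
2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898
2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420
2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744
2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412
2025-01-27T18:24:15.054187+08:00 jpn sshd[16122]: Invalid user smart from 185.213.165.222 port 39408
2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132
"""

# Lines that count as one authentication failure. Each captures the sshd pid
# (so the several lines one connection writes are counted once) and the host.
# Userless "Disconnected from <ip> [preauth]" lines are deliberately not counted.
FAILURE_RES = [
    re.compile(r"sshd\[(?P<pid>\d+)\]: Invalid user \S* from (?P<host>[\d.]+) port \d+"),
    re.compile(r"sshd\[(?P<pid>\d+)\]: Disconnected from (?:invalid|authenticating) user \S+ "
               r"(?P<host>[\d.]+) port \d+ \[preauth\]"),
    re.compile(r"sshd\[(?P<pid>\d+)\]: Connection closed by invalid user \S+ "
               r"(?P<host>[\d.]+) port \d+ \[preauth\]"),
]

def parse_duration(text):
    """fail2ban-style duration: plain seconds, or a number with s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    text = text.strip()
    if text[-1] in units:
        return int(text[:-1]) * units[text[-1]]
    return int(text)

def load_policy(ini_text):
    """Read bantime/findtime (in seconds) and maxretry from the [sshd] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    sshd = cfg["sshd"]
    return {"bantime": parse_duration(sshd["bantime"]),
            "findtime": parse_duration(sshd["findtime"]),
            "maxretry": int(sshd["maxretry"])}

def parse_failures(log_text):
    """Return (timestamp, host) pairs, one per failed sshd connection (pid)."""
    seen, failures = set(), []
    for line in log_text.splitlines():
        match = next((m for m in (rx.search(line) for rx in FAILURE_RES) if m), None)
        if match is None or (match["pid"], match["host"]) in seen:
            continue  # successful login, userless disconnect, or a repeat line of one connection
        seen.add((match["pid"], match["host"]))
        failures.append((datetime.fromisoformat(line.split(" ", 1)[0]), match["host"]))
    return failures

def simulate(failures, policy):
    """maxretry failures within findtime -> ban for bantime. Returns {host: first ban start}."""
    findtime = timedelta(seconds=policy["findtime"])
    bantime = timedelta(seconds=policy["bantime"])
    recent, banned_until, bans = defaultdict(list), {}, {}
    for ts, host in sorted(failures):
        if host in banned_until and ts < banned_until[host]:
            continue  # while banned, the firewall rule drops the connection: no new lines
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= policy["maxretry"]:
            banned_until[host] = ts + bantime
            bans.setdefault(host, ts)
            recent[host] = []
    return bans

def banned_hosts(log_text=SAMPLE_LOG, ini_text=JAIL_LOCAL):
    return simulate(parse_failures(log_text), load_policy(ini_text))

if __name__ == "__main__":
    for host, ts in sorted(banned_hosts().items(), key=lambda kv: kv[1]):
        print(f"{ts:%H:%M:%S} ban {host} for {load_policy(JAIL_LOCAL)['bantime']}s")
```

Run stand-alone, it bans 45.194.37.171 at 18:21:50, 103.27.36.57 at 18:22:46 and 185.213.165.222 at 18:23:03; the later 18:24:15 attempt from 185.213.165.222 is skipped because the host is already banned, and the single-attempt hosts 139.19.117.130 and 190.181.4.12 are left alone. On the live box, fail2ban-client status sshd is the equivalent view of the real jail.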
Closing remarks:
These two nights I have been looking into the Alibaba Cloud performance and outage problem; after removing the Alibaba Cloud services and turning up the ssh log output while using key authentication, I suddenly noticed retrying login IPs in the log. Now installing f2b to deal with it.
Knowledge from 20 years ago, and it is still useful.
In just this little while, it has already shut out 8 of them.