< OS related > Alibaba Cloud: a few hours after replacing SSH password authentication with keys, I found the host was being "attacked". Analysis and response.

Source of information:

File: /var/log/auth.log

because LogLevel INFO is already set in the sshd_config configuration file

Partial contents:

2025-01-27T18:18:55.682727+08:00 jpn sshd[15891]: Received disconnect from 45.194.37.171 port 58954:11: Bye Bye [preauth]
2025-01-27T18:18:55.682852+08:00 jpn sshd[15891]: Disconnected from invalid user es 45.194.37.171 port 58954 [preauth]
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from **** port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0
2025-01-27T18:19:30.863454+08:00 jpn sshd[15894]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:30.894649+08:00 jpn systemd-logind[834]: New session 68 of user root.
2025-01-27T18:19:30.936765+08:00 jpn (systemd): pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:40.757504+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:40.758049+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:48.862708+08:00 jpn sshd[16046]: Connection closed by 2.57.122.32 port 45270
2025-01-27T18:19:49.986155+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:19:52.902680+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:52.904224+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330
2025-01-27T18:19:59.927275+08:00 jpn sshd[16051]: Received disconnect from 103.27.36.57 port 52330:11: Bye Bye [preauth]
2025-01-27T18:19:59.927353+08:00 jpn sshd[16051]: Disconnected from invalid user es 103.27.36.57 port 52330 [preauth]
2025-01-27T18:20:22.627449+08:00 jpn sshd[16055]: Received disconnect from 218.92.0.229 port 27794:11:  [preauth]
2025-01-27T18:20:22.627596+08:00 jpn sshd[16055]: Disconnected from 218.92.0.229 port 27794 [preauth]
2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126
2025-01-27T18:20:22.812352+08:00 jpn sshd[16057]: Received disconnect from 45.194.37.171 port 45126:11: Bye Bye [preauth]
2025-01-27T18:20:22.812444+08:00 jpn sshd[16057]: Disconnected from invalid user sammy 45.194.37.171 port 45126 [preauth]
2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514
2025-01-27T18:20:26.709218+08:00 jpn sshd[16059]: Received disconnect from 185.213.165.222 port 41514:11: Bye Bye [preauth]
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:20:42.828438+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928
2025-01-27T18:21:23.118253+08:00 jpn sshd[16098]: Received disconnect from 103.27.36.57 port 58928:11: Bye Bye [preauth]
2025-01-27T18:21:23.118331+08:00 jpn sshd[16098]: Disconnected from invalid user ftpuser 103.27.36.57 port 58928 [preauth]
2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898
2025-01-27T18:21:41.196305+08:00 jpn sshd[16101]: Received disconnect from 185.213.165.222 port 39898:11: Bye Bye [preauth]
2025-01-27T18:21:41.196384+08:00 jpn sshd[16101]: Disconnected from invalid user dev 185.213.165.222 port 39898 [preauth]
2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420
2025-01-27T18:21:51.038467+08:00 jpn sshd[16103]: Received disconnect from 45.194.37.171 port 33420:11: Bye Bye [preauth]
2025-01-27T18:21:51.038551+08:00 jpn sshd[16103]: Disconnected from invalid user alex 45.194.37.171 port 33420 [preauth]
2025-01-27T18:22:00.498436+08:00 jpn sshd[16105]: Received disconnect from 218.92.0.221 port 29964:11:  [preauth]
2025-01-27T18:22:00.498537+08:00 jpn sshd[16105]: Disconnected from 218.92.0.221 port 29964 [preauth]
2025-01-27T18:22:03.387463+08:00 jpn sshd[16107]: Received disconnect from 218.92.0.222 port 57854:11:  [preauth]
2025-01-27T18:22:03.387564+08:00 jpn sshd[16107]: Disconnected from 218.92.0.222 port 57854 [preauth]
2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744
2025-01-27T18:22:46.409949+08:00 jpn sshd[16109]: Received disconnect from 103.27.36.57 port 51744:11: Bye Bye [preauth]
2025-01-27T18:22:46.410041+08:00 jpn sshd[16109]: Disconnected from invalid user sammy 103.27.36.57 port 51744 [preauth]
2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412
2025-01-27T18:23:03.736443+08:00 jpn sshd[16111]: Received disconnect from 185.213.165.222 port 39412:11: Bye Bye [preauth]
2025-01-27T18:23:03.736530+08:00 jpn sshd[16111]: Disconnected from invalid user server 185.213.165.222 port 39412 [preauth]
2025-01-27T18:23:24.999251+08:00 jpn sshd[16116]: Invalid user user1 from 45.194.37.171 port 37228
2025-01-27T18:23:25.063685+08:00 jpn sshd[16116]: Received disconnect from 45.194.37.171 port 37228:11: Bye Bye [preauth]
2025-01-27T18:23:25.063778+08:00 jpn sshd[16116]: Disconnected from invalid user user1 45.194.37.171 port 37228 [preauth]
2025-01-27T18:24:04.966112+08:00 jpn sshd[16120]: Received disconnect from 103.27.36.57 port 57388:11: Bye Bye [preauth]
2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]
2025-01-27T18:24:15.054187+08:00 jpn sshd[16122]: Invalid user smart from 185.213.165.222 port 39408
2025-01-27T18:24:15.377906+08:00 jpn sshd[16122]: Received disconnect from 185.213.165.222 port 39408:11: Bye Bye [preauth]
2025-01-27T18:24:15.378009+08:00 jpn sshd[16122]: Disconnected from invalid user smart 185.213.165.222 port 39408 [preauth]
2025-01-27T18:25:01.028050+08:00 jpn CRON[16125]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:25:01.030389+08:00 jpn CRON[16125]: pam_unix(cron:session): session closed for user root
2025-01-27T18:25:01.780947+08:00 jpn sshd[16128]: Invalid user smart from 45.194.37.171 port 54306
2025-01-27T18:25:01.841197+08:00 jpn sshd[16128]: Received disconnect from 45.194.37.171 port 54306:11: Bye Bye [preauth]
2025-01-27T18:25:01.841281+08:00 jpn sshd[16128]: Disconnected from invalid user smart 45.194.37.171 port 54306 [preauth]
2025-01-27T18:25:19.503142+08:00 jpn sshd[16130]: Invalid user test from 103.27.36.57 port 49936
2025-01-27T18:25:19.604616+08:00 jpn sshd[16130]: Received disconnect from 103.27.36.57 port 49936:11: Bye Bye [preauth]
2025-01-27T18:25:19.604710+08:00 jpn sshd[16130]: Disconnected from invalid user test 103.27.36.57 port 49936 [preauth]
2025-01-27T18:25:21.589372+08:00 jpn sshd[16132]: Invalid user steam from 185.213.165.222 port 58956
2025-01-27T18:25:21.937081+08:00 jpn sshd[16132]: Received disconnect from 185.213.165.222 port 58956:11: Bye Bye [preauth]
2025-01-27T18:25:21.937164+08:00 jpn sshd[16132]: Disconnected from invalid user steam 185.213.165.222 port 58956 [preauth]
2025-01-27T18:26:27.432529+08:00 jpn sshd[16136]: Invalid user deploy from 185.213.165.222 port 43124
2025-01-27T18:26:27.766964+08:00 jpn sshd[16136]: Received disconnect from 185.213.165.222 port 43124:11: Bye Bye [preauth]
2025-01-27T18:26:27.767062+08:00 jpn sshd[16136]: Disconnected from invalid user deploy 185.213.165.222 port 43124 [preauth]
2025-01-27T18:26:36.494292+08:00 jpn sshd[16138]: Invalid user dev from 103.27.36.57 port 50164
2025-01-27T18:26:36.595899+08:00 jpn sshd[16138]: Received disconnect from 103.27.36.57 port 50164:11: Bye Bye [preauth]
2025-01-27T18:26:36.596008+08:00 jpn sshd[16138]: Disconnected from invalid user dev 103.27.36.57 port 50164 [preauth]
2025-01-27T18:26:37.148520+08:00 jpn sshd[16141]: Received disconnect from 45.194.37.171 port 43148:11: Bye Bye [preauth]
2025-01-27T18:26:37.148638+08:00 jpn sshd[16141]: Disconnected from authenticating user admin 45.194.37.171 port 43148 [preauth]
2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824
2025-01-27T18:27:19.962218+08:00 jpn sshd[16144]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
2025-01-27T18:27:35.048858+08:00 jpn sshd[16146]: Invalid user user from 185.213.165.222 port 35672
2025-01-27T18:27:35.388298+08:00 jpn sshd[16146]: Received disconnect from 185.213.165.222 port 35672:11: Bye Bye [preauth]
2025-01-27T18:27:35.388373+08:00 jpn sshd[16146]: Disconnected from invalid user user 185.213.165.222 port 35672 [preauth]
2025-01-27T18:27:52.749556+08:00 jpn sshd[16148]: Invalid user debian from 103.27.36.57 port 33168
2025-01-27T18:27:52.856125+08:00 jpn sshd[16148]: Received disconnect from 103.27.36.57 port 33168:11: Bye Bye [preauth]
2025-01-27T18:27:52.856215+08:00 jpn sshd[16148]: Disconnected from invalid user debian 103.27.36.57 port 33168 [preauth]
2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132
2025-01-27T18:27:58.945670+08:00 jpn sshd[16150]: Received disconnect from 190.181.4.12 port 53132:11: Bye Bye [preauth]
2025-01-27T18:27:58.945810+08:00 jpn sshd[16150]: Disconnected from invalid user sammy 190.181.4.12 port 53132 [preauth]
2025-01-27T18:28:17.065155+08:00 jpn sshd[16152]: Invalid user deploy from 45.194.37.171 port 36046
2025-01-27T18:28:17.129274+08:00 jpn sshd[16152]: Received disconnect from 45.194.37.171 port 36046:11: Bye Bye [preauth]
2025-01-27T18:28:17.129355+08:00 jpn sshd[16152]: Disconnected from invalid user deploy 45.194.37.171 port 36046 [preauth]
root@jpn:~# cat /var/log/auth.log

Log analysis:

Dense brute-force attempts, mainly from the following IPs:

185.213.165.222: tried usernames such as test, dev, server, smart, steam, deploy, user
45.194.37.171: tried usernames such as sammy, alex, user1, smart, deploy
103.27.36.57: tried usernames such as es, ftpuser, sammy, dev, debian
139.19.117.130: attempted to log in with the ssh-rsa signature algorithm, which is no longer accepted
190.181.4.12: tried the username sammy
203.23.199.89
85.208.253.163

The IPs are also spread all over the world.

Response:

Either change the SSH port, or use fail2ban to ban IPs that fail repeatedly.

Here I record the fail2ban approach.

1. Install fail2ban

apt update
apt install fail2ban -y

2. Alibaba Cloud's apt mirror could not be reached

3. Update /etc/apt/sources.list

root@jpn:~# cat /etc/apt/sources.list
deb http://jp.archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse

4. Continue installing fail2ban

sudo apt update && sudo apt upgrade -y
apt install fail2ban -y

5. Create the configuration file

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

6. Edit the configuration file /etc/fail2ban/jail.local

Original contents:

My modified contents:

Policy: 3 failures within 5 minutes results in a 1-hour ban

7. Enable the service at boot and start it

systemctl enable fail2ban
systemctl start fail2ban

If the configuration is changed, restart the service

systemctl restart fail2ban

8. How to check the status and view the ban list

1) Check the service status

2) View the detailed status of the sshd jail, including the ban list

3) Check the configuration values
fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
fail2ban-client get sshd maxretry
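To make the log analysis above and the step-6 policy concrete, here is an added Python example (not code from the original post and not part of fail2ban itself). It parses auth.log lines in the format shown earlier, builds the same per-IP summary of usernames tried, and then replays fail2ban's counting rule over the timestamps: `maxretry` failures inside `findtime` trigger a ban lasting `bantime`, which for this post's policy corresponds to the jail.local keys `maxretry = 3`, `findtime = 5m`, `bantime = 1h` (the same three values step 8 reads back with `fail2ban-client get sshd ...`). The sample lines are a subset copied from the page's log excerpt; the function names, the regular expressions and the simplification that a banned IP produces no further log lines are this example's own assumptions.

```python
"""Score sshd pre-auth failures from auth.log and replay a fail2ban-style ban policy."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the post: 3 failures within 5 minutes => 1 hour ban.
# Equivalent jail.local keys: maxretry = 3, findtime = 5m, bantime = 1h
MAXRETRY = 3
FINDTIME = timedelta(minutes=5)
BANTIME = timedelta(hours=1)

# Line layout at LogLevel INFO, as in the page's excerpt:
# "<ISO timestamp> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILURE_PATTERNS = (
    # username that does not exist on the host
    ("invalid_user", re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    # existing account whose authentication never completed (the "admin" lines in the log)
    ("auth_failed", re.compile(r"^Disconnected from authenticating user (?P<user>\S+) (?P<ip>\S+) port \d+")),
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample: lines copied from the page's auth.log excerpt (the accepted login's IP is masked there).
SAMPLE_LOG = [
    "2025-01-27T18:19:40.757504+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo",
    "2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from **** port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0",
    "2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330",
    "2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126",
    "2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514",
    "2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928",
    "2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898",
    "2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420",
    "2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744",
    "2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412",
    "2025-01-27T18:23:24.999251+08:00 jpn sshd[16116]: Invalid user user1 from 45.194.37.171 port 37228",
    "2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]",
    "2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824",
    "2025-01-27T18:27:19.962218+08:00 jpn sshd[16144]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]",
    "2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132",
]


def parse_line(line):
    """Return an sshd auth event dict (ts, kind, user, ip), or None for lines that are not scored."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("proc") != "sshd":
        return None
    ts = datetime.fromisoformat(m.group("ts"))  # keeps the +08:00 offset, so timestamps compare correctly
    msg = m.group("msg")
    acc = ACCEPTED_RE.match(msg)
    if acc:
        return {"ts": ts, "kind": "accepted", "user": acc.group("user"), "ip": acc.group("ip")}
    for kind, pat in FAILURE_PATTERNS:
        f = pat.match(msg)
        if f:
            return {"ts": ts, "kind": kind, "user": f.group("user"), "ip": f.group("ip")}
    return None


def summarize_failures(lines):
    """Per-IP failure count and sorted list of usernames tried, like the post's analysis section."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for ev in map(parse_line, lines):
        if ev and ev["kind"] != "accepted":
            stats[ev["ip"]]["failures"] += 1
            stats[ev["ip"]]["users"].add(ev["user"])
    return {ip: {"failures": s["failures"], "users": sorted(s["users"])} for ip, s in stats.items()}


def replay_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the jail rule over the log: maxretry failures inside findtime => ban for bantime.
    Returns [(ip, ban_start)] in the order the bans would fire."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the sliding window
    banned_until = {}            # ip -> when the ban expires
    bans = []
    events = [ev for ev in map(parse_line, lines) if ev and ev["kind"] != "accepted"]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # simplification: a firewalled IP never reaches sshd, so nothing more is counted
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, s in sorted(summarize_failures(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["failures"]):
        print(f"{ip}: {s['failures']} failures, usernames tried: {', '.join(s['users'])}")
    for ip, when in replay_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when.time()} for {BANTIME}")
```

Running it against the sample shows why the policy fires quickly here: each of the three busiest IPs spaces its attempts roughly a minute apart, so the third failure lands well inside the 5-minute window and the ban starts at that third line. The single attempts from 139.19.117.130 and 190.181.4.12 never reach `maxretry` and stay unbanned, which is the trade-off of a short window: slow, low-rate scanners fall through unless `findtime` is lengthened.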

Closing remarks:

These two nights I have been looking into the Alibaba Cloud performance and downtime problem. After removing the Alibaba Cloud service and adding ssh output while switching to key authentication, I suddenly noticed retrying login IPs in the log. Now I am installing f2b to deal with it.

Knowledge from 20 years ago can still be put to use.

In this short while, it has already banned 8 of them.
