VPS server almost got hacked

2013-07-08 08:48:07 +08:00
 jamesxu
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=root
Failed password for root from 61.160.207.240 port 52296 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user oracle from 61.160.207.240
input_userauth_request: invalid user oracle
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user oracle
Failed password for invalid user oracle from 61.160.207.240 port 53392 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 43603 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 44703 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 45640 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user testuser
Failed password for invalid user testuser from 61.160.207.240 port 50198 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user testuser from 61.160.207.240
input_userauth_request: invalid user testuser
input_userauth_request: invalid user linux
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user linux
Failed password for invalid user linux from 61.160.207.240 port 54636 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user info from 61.160.207.240
input_userauth_request: invalid user info
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user info
Failed password for invalid user info from 61.160.207.240 port 59143 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user alex from 61.160.207.240
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user alex
Failed password for invalid user alex from 61.160.207.240 port 34503 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user jack from 61.160.207.240
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user jack
Failed password for invalid user jack from 61.160.207.240 port 35282 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user jack from 61.160.207.240
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user john
Failed password for invalid user john from 61.160.207.240 port 39991 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user john from 61.160.207.240
input_userauth_request: invalid user john
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user roy
Failed password for invalid user roy from 61.160.207.240 port 43520 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user roy from 61.160.207.240
input_userauth_request: invalid user roy
input_userauth_request: invalid user source
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user source
Failed password for invalid user source from 61.160.207.240 port 45495 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user sales
Failed password for invalid user sales from 61.160.207.240 port 46570 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user sales from 61.160.207.240
input_userauth_request: invalid user sales
input_userauth_request: invalid user test
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user test
Failed password for invalid user test from 61.160.207.240 port 49939 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user tester from 61.160.207.240
input_userauth_request: invalid user tester
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user tester
Failed password for invalid user tester from 61.160.207.240 port 51042 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user testing from 61.160.207.240
input_userauth_request: invalid user testing
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user testing
Failed password for invalid user testing from 61.160.207.240 port 52126 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user mysql from 61.160.207.240
input_userauth_request: invalid user mysql
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user mysql
Failed password for invalid user mysql from 61.160.207.240 port 53138 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 46965 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47261 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47605 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47927 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48289 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48585 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48925 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49203 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49564 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49869 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye

I went through /var/log/secure and found that 61.160.207.240 (China Telecom, Changzhou, Jiangsu) is probably a repeat offender, while 94.102.5.250 from Turkey kept trying to crack the root password. Luckily I had disabled remote root login in sshd_config.

After logging in and checking the logs today, I immediately changed the root password to something more complex, and also made the remote login username and password more complex. I then checked which services and ports the VPS has open and found that most of them are closed, with only the necessary services running. After that I updated the system to the latest version.

Does anyone else have experience to share?
4270 views
Node: Linode
53 replies
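As an added example (not from the post), a small Python parser for the /var/log/secure line format quoted above: it counts failures per source address, separates plain root-password guessing from username enumeration, and applies a fail2ban-style maxretry threshold. The sample lines are constructed in the same format; the two attacking addresses are the ones from the post, 10.0.0.5 and the user "deploy" are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the /var/log/secure lines in the post
# (the two attacking addresses are the ones from the post; 10.0.0.5 is made up).
SAMPLE_LOG = """\
Failed password for root from 61.160.207.240 port 52296 ssh2
Invalid user oracle from 61.160.207.240
Failed password for invalid user oracle from 61.160.207.240 port 53392 ssh2
Failed password for adm from 61.160.207.240 port 43603 ssh2
Failed password for adm from 61.160.207.240 port 44703 ssh2
Failed password for adm from 61.160.207.240 port 45640 ssh2
Failed password for invalid user mysql from 61.160.207.240 port 53138 ssh2
Failed password for root from 94.102.5.250 port 46965 ssh2
Failed password for root from 94.102.5.250 port 47261 ssh2
Failed password for root from 94.102.5.250 port 47605 ssh2
Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Failed password for deploy from 10.0.0.5 port 50001 ssh2
"""

# sshd writes "invalid user" when the name does not exist on the host at all.
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+ ssh2")

def summarize(lines):
    """Per source address: failure count, user names tried, non-existent names tried."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": 0})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins, disconnects and PAM chatter are ignored
        invalid, user, host = m.groups()
        s = stats[host]
        s["failures"] += 1
        s["users"].add(user)
        if invalid:
            s["invalid_users"] += 1
    return stats

def ban_candidates(stats, maxretry=3):
    """Same idea as fail2ban's maxretry: sources at or above the threshold."""
    return sorted(h for h, s in stats.items() if s["failures"] >= maxretry)

def classify(s):
    """Distinguish the two patterns seen in the post."""
    if s["users"] == {"root"}:
        return "root password guessing"
    if s["invalid_users"] or len(s["users"]) > 2:
        return "username enumeration"
    return "repeated failures"
```

On a real host, feed `summarize(open("/var/log/secure"))` instead of the sample; a single legitimate typo from a known address stays below the threshold while the two scanners are listed.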
BOYPT
2013-07-08 13:22:59 +08:00
The reply above nailed it.
colorday
2013-07-08 13:23:13 +08:00
fail2ban+1
xunyu
2013-07-08 13:36:09 +08:00
Run a VM on it and set up a honeypot, then see what this guy is trying to do.
chenshaoju
2013-07-08 13:50:29 +08:00
@ivanlw It's down……

@Zhang SSH is encrypted, unless you manually specify no encryption (normally not allowed).
DreaMQ
2013-07-08 13:50:33 +08:00
Disable SSH and control it via VNC
Zhang
2013-07-08 13:53:52 +08:00
@chenshaoju The handshake phase is still plaintext
ooxxcc
2013-07-08 14:18:13 +08:00
denyhosts...
chenshaoju
2013-07-08 14:44:38 +08:00
@Zhang Authentication information is only transmitted after the handshake completes; in theory, as long as you can confirm the server's public key is correct, there is no need to worry about the password being cracked by a third party.
HiVPS
2013-07-08 14:45:02 +08:00
@juicy You underestimate how much some people like to use "123abc" as a password, and they think it's a pretty good password too
PrideChung
2013-07-08 15:21:19 +08:00
Disable root login √
Public-key authentication √
Change the default SSH port √
fail2ban √
Close all unused ports with ufw √
Automatic security updates √
Daily Logwatch report √

People scan my VPS every day, but I haven't seen any real threat yet.
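Added example, not the commenter's code: a Python audit of the items on that checklist that live in sshd_config (root login, key-only authentication, non-default port), run against a constructed weak config and a constructed hardened one. The file contents and the "backup" user in the Match block are assumptions; it deliberately ignores anything after the first Match line, since those values are conditional and not global.

```python
import re

# Constructed sshd_config fragments (assumed contents, not from the thread):
# the first is the weak default-style setup, the second follows the checklist.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# keys only, no root, moved off port 22
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# sshd accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
SPLIT = re.compile(r"\s*=\s*|\s+")

def parse_sshd_config(text):
    """Global directives only: the first value for a keyword wins, and everything
    from the first Match line onward is conditional, so it is not read as global."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Checklist items found in sshd_config; missing keywords fall back to the
    usual defaults (root login permitted, password auth on, pubkey on, port 22)."""
    s = parse_sshd_config(text)
    return {
        "root login disabled": s.get("permitrootlogin", "yes").lower() == "no",
        "password auth disabled": s.get("passwordauthentication", "yes").lower() == "no",
        "pubkey auth enabled": s.get("pubkeyauthentication", "yes").lower() == "yes",
        "non-default port": s.get("port", "22") != "22",
    }
```

`audit(open("/etc/ssh/sshd_config").read())` gives the same report for a live host; the password-only Match exception for the backup user is left for manual review.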
bearqq
2013-07-08 16:10:31 +08:00
Let him attack; give him a honeypot so he gets nothing.
For example:

RKTECH:~# w
00:33:54 up 5 days, 19:02, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.158.34.148 00:33 0.00s 0.00s 0.00s w
RKTECH:~# uname -a
Linux RKTECH 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
RKTECH:~# php -v
bash: php: command not found
RKTECH:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

RKTECH:~# ps x
PID TTY STAT TIME COMMAND
1 ? Ss 0:07 init [2]
2 ? S< 0:00 [kthreadd]
3 ? S< 0:00 [migration/0]
4 ? S< 0:00 [ksoftirqd/0]
5 ? S< 0:00 [watchdog/0]
6 ? S< 0:17 [events/0]
7 ? S< 0:00 [khelper]
39 ? S< 0:00 [kblockd/0]
41 ? S< 0:00 [kacpid]
42 ? S< 0:00 [kacpi_notify]
170 ? S< 0:00 [kseriod]
207 ? S 0:01 [pdflush]
208 ? S 0:00 [pdflush]
209 ? S< 0:00 [kswapd0]
210 ? S< 0:00 [aio/0]
748 ? S< 0:00 [ata/0]
749 ? S< 0:00 [ata_aux]
929 ? S< 0:00 [scsi_eh_0]
1014 ? D< 0:03 [kjournald]
1087 ? S<s 0:00 udevd --daemon
1553 ? S< 0:00 [kpsmoused]
2054 ? Sl 0:01 /usr/sbin/rsyslogd -c3
2103 tty1 Ss 0:00 /bin/login --
2105 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
2107 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
2109 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
2110 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
2112 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
2133 ? S<s 0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib
4969 ? Ss 0:00 /usr/sbin/sshd: root@pts/0
5673 pts/0 Ss 0:00 -bash
5679 pts/0 R+ 0:00 ps x
RKTECH:~# unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null
1 w
2 uname -a
3 php -v
4 cat /proc/cpuinfo
5 ps x
6 unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null
RKTECH:~#
andybest
2013-07-08 16:13:07 +08:00
Is there any way to see in the logs which passwords the attacker tried?
swulling
2013-07-08 16:15:21 +08:00
@Zhang The handshake doesn't transmit the password anyway

The only option would be a man-in-the-middle attack, and a MITM changes the server's signature, so the client simply can't connect
chshouyu
2013-07-08 16:43:06 +08:00
@liheng That's basically secure enough
annielong
2013-07-08 16:57:59 +08:00
Both happen; Windows also frequently shows errors for login attempts with wrong passwords,
shierji
2013-07-08 17:16:39 +08:00
Totally normal. I use denyhosts
cicku
2013-07-08 18:13:36 +08:00
@andybest No (I was once just as naive)

OP, just use what @shierji suggested and you're basically fine. I've set mine to ban permanently after a single wrong password.

Also, if your VPS has no important data, you can use password login; otherwise it's best to use certificate (key) login.

My server is a honeypot once you get in, so I don't care. Disabling root login and using sudo to elevate privileges for server maintenance is the best approach, but it's entirely up to you.
yangzh
2013-07-08 19:25:00 +08:00
@bearqq
@cicku

The honeypot thing sounds advanced; is there any good guide for setting one up? For example, I have a VPS hosting a website; how would I set up a honeypot on it? With some open-source software?
bearqq
2013-07-08 21:30:50 +08:00
@yangzh I use kippo
alexrezit
2013-07-08 22:23:01 +08:00
I came in just to complain: the S in VPS already means server.

https://www.v2ex.com/t/75094