Find remote IP for

I see rows of log entries like these in /var/log/auth.log. Every 2 minutes, ten lines of the same message appear. I would like to know the remote IP that generated these messages.

I am using Ubuntu 19.10 (this is my remote workstation; I am only doing regular security checks).

61094 Jan 25 22:44:01 localhost sshd[10390]: error: kex_exchange_identification: Connection closed by remote host
61095 Jan 25 22:44:02 localhost sshd[10408]: error: kex_exchange_identification: Connection closed by remote host
61096 Jan 25 22:44:02 localhost sshd[10433]: error: kex_exchange_identification: Connection closed by remote host
61097 Jan 25 22:44:02 localhost sshd[10437]: error: kex_exchange_identification: Connection closed by remote host
61098 Jan 25 22:44:02 localhost sshd[10441]: error: kex_exchange_identification: Connection closed by remote host
61099 Jan 25 22:44:02 localhost sshd[10446]: error: kex_exchange_identification: Connection closed by remote host
61100 Jan 25 22:44:02 localhost sshd[10450]: error: kex_exchange_identification: Connection closed by remote host
61101 Jan 25 22:44:02 localhost sshd[10454]: error: kex_exchange_identification: Connection closed by remote host
61102 Jan 25 22:44:02 localhost sshd[10462]: error: kex_exchange_identification: Connection closed by remote host
61103 Jan 25 22:44:02 localhost sshd[10466]: error: kex_exchange_identification: Connection closed by remote host
61104 Jan 25 22:46:01 localhost sshd[12501]: error: kex_exchange_identification: Connection closed by remote host
61105 Jan 25 22:46:01 localhost sshd[12528]: error: kex_exchange_identification: Connection closed by remote host
61106 Jan 25 22:46:01 localhost sshd[12538]: error: kex_exchange_identification: Connection closed by remote host
61107 Jan 25 22:46:01 localhost sshd[12542]: error: kex_exchange_identification: Connection closed by remote host
61108 Jan 25 22:46:01 localhost sshd[12546]: error: kex_exchange_identification: Connection closed by remote host
61109 Jan 25 22:46:01 localhost sshd[12551]: error: kex_exchange_identification: Connection closed by remote host
61110 Jan 25 22:46:01 localhost sshd[12555]: error: kex_exchange_identification: Connection closed by remote host
61111 Jan 25 22:46:01 localhost sshd[12560]: error: kex_exchange_identification: Connection closed by remote host
61112 Jan 25 22:46:01 localhost sshd[12564]: error: kex_exchange_identification: Connection closed by remote host
61113 Jan 25 22:46:01 localhost sshd[12568]: error: kex_exchange_identification: Connection closed by remote host
61114 Jan 25 22:48:01 localhost sshd[14371]: error: kex_exchange_identification: Connection closed by remote host
61115 Jan 25 22:48:01 localhost sshd[14390]: error: kex_exchange_identification: Connection closed by remote host
61116 Jan 25 22:48:01 localhost sshd[14414]: error: kex_exchange_identification: Connection closed by remote host
61117 Jan 25 22:48:01 localhost sshd[14418]: error: kex_exchange_identification: Connection closed by remote host
61118 Jan 25 22:48:01 localhost sshd[14422]: error: kex_exchange_identification: Connection closed by remote host
61119 Jan 25 22:48:01 localhost sshd[14427]: error: kex_exchange_identification: Connection closed by remote host
61120 Jan 25 22:48:01 localhost sshd[14431]: error: kex_exchange_identification: Connection closed by remote host
61121 Jan 25 22:48:01 localhost sshd[14435]: error: kex_exchange_identification: Connection closed by remote host
61122 Jan 25 22:48:01 localhost sshd[14439]: error: kex_exchange_identification: Connection closed by remote host
61123 Jan 25 22:48:01 localhost sshd[14443]: error: kex_exchange_identification: Connection closed by remote host
61124 Jan 25 22:50:01 localhost sshd[16489]: error: kex_exchange_identification: Connection closed by remote host
61125 Jan 25 22:50:01 localhost sshd[16512]: error: kex_exchange_identification: Connection closed by remote host
61126 Jan 25 22:50:01 localhost sshd[16530]: error: kex_exchange_identification: Connection closed by remote host
61127 Jan 25 22:50:01 localhost sshd[16535]: error: kex_exchange_identification: Connection closed by remote host
61128 Jan 25 22:50:01 localhost sshd[16539]: error: kex_exchange_identification: Connection closed by remote host
61129 Jan 25 22:50:01 localhost sshd[16544]: error: kex_exchange_identification: Connection closed by remote host
61130 Jan 25 22:50:01 localhost sshd[16548]: error: kex_exchange_identification: Connection closed by remote host
61131 Jan 25 22:50:01 localhost sshd[16552]: error: kex_exchange_identification: Connection closed by remote host
61132 Jan 25 22:50:01 localhost sshd[16556]: error: kex_exchange_identification: Connection closed by remote host
61133 Jan 25 22:50:01 localhost sshd[16561]: error: kex_exchange_identification: Connection closed by remote host
61134 Jan 25 22:52:01 localhost sshd[18480]: error: kex_exchange_identification: Connection closed by remote host
61135 Jan 25 22:52:01 localhost sshd[18491]: error: kex_exchange_identification: Connection closed by remote host
61136 Jan 25 22:52:01 localhost sshd[18518]: error: kex_exchange_identification: Connection closed by remote host
61137 Jan 25 22:52:01 localhost sshd[18523]: error: kex_exchange_identification: Connection closed by remote host
61138 Jan 25 22:52:01 localhost sshd[18527]: error: kex_exchange_identification: Connection closed by remote host
61139 Jan 25 22:52:01 localhost sshd[18532]: error: kex_exchange_identification: Connection closed by remote host
61140 Jan 25 22:52:01 localhost sshd[18536]: error: kex_exchange_identification: Connection closed by remote host
auth.log-20200126-1579968001                                                                   61140,1        99%

Answer 1

Try running tcpdump on your ssh port:

tcpdump -nn -s0 port 22

If you are already logged in via ssh, exclude your source IP address (e.g. 203.202.1.1) so that you do not flood your terminal with your own traffic:

tcpdump -nn -s0 port 22 and not src 203.202.1.1 and not dst 203.202.1.1

You can also use Netfilter to log connections to syslog. Keep in mind, however, that a flood of connections can load your server so heavily that it stops responding. You should therefore not run this without setting some kind of logging limit (as shown):

iptables -I INPUT -p tcp --dport 22 -m limit --limit 4/min --limit-burst 4 -j LOG --log-prefix "SSH_NOTIFY: "

This will put a message about the connecting host in your syslog.
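Once the LOG rule above is in place, the kernel lines carrying the "SSH_NOTIFY: " prefix can be matched against the sshd errors by timestamp to name the source. The script below is an added example, not part of the original answer; the `correlate` and `demo` functions, the abbreviated sample log lines and the documentation-range addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Sample lines are constructed
# and abbreviated; addresses come from documentation ranges. On Ubuntu the
# LOG target output normally lands in /var/log/kern.log (assumed default).

# correlate AUTH_LOG KERNEL_LOG
# Prints "count source_ip" for every SSH_NOTIFY packet logged in the same
# minute as a kex_exchange_identification error, most frequent source first.
correlate() {
  awk '
    FNR == NR {                       # first file: sshd errors from auth.log
      if (/kex_exchange_identification/)
        minute[$1 " " $2 " " substr($3, 1, 5)] = 1
      next
    }
    /SSH_NOTIFY: / {                  # second file: netfilter LOG lines
      key = $1 " " $2 " " substr($3, 1, 5)
      if (!(key in minute)) next      # no sshd error in that minute, skip
      for (i = 1; i <= NF; i++)
        if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' "$1" "$2" | sort -rn
}

# demo: run correlate over constructed logs written to a temporary directory.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/auth.log" <<'EOF'
Jan 25 22:44:01 localhost sshd[10390]: error: kex_exchange_identification: Connection closed by remote host
Jan 25 22:44:02 localhost sshd[10408]: error: kex_exchange_identification: Connection closed by remote host
Jan 25 22:46:01 localhost sshd[12501]: error: kex_exchange_identification: Connection closed by remote host
EOF
  cat > "$dir/kern.log" <<'EOF'
Jan 25 22:44:01 localhost kernel: [9001.10] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22
Jan 25 22:44:02 localhost kernel: [9002.20] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=22
Jan 25 22:44:02 localhost kernel: [9002.30] SSH_NOTIFY: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51820 DPT=22
Jan 25 22:46:01 localhost kernel: [9121.40] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40130 DPT=22
Jan 25 23:10:15 localhost kernel: [10575.5] SSH_NOTIFY: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=60022 DPT=22
EOF
  correlate "$dir/auth.log" "$dir/kern.log"
  rm -rf "$dir"
}
demo
```

Because the rule is limited to 4 log entries per minute, the counts undercount a burst of ten connections; the source address is still recorded, which is what the question asks for.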

Answer 2

Check the permissions on the / directory. They should look something like this:

drwxr-sr-x    1 root     root           512 Feb 12 21:12
