What do these log entries mean? Is someone trying to hack my server over ssh?

Today I woke up to a huge number of ssh log entries, and I can only assume that someone is trying to gain access to my Linux server.

Here are the logs

-- Logs begin at Wed 2023-08-02 08:59:10 EEST, end at Wed 2024-01-24 08:57:36 EET. --
ian 24 08:53:49 Linux-Server sshd[372712]: Invalid user mireielle from 201.184.50.251 port 59440
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:53:51 Linux-Server sshd[372712]: Failed password for invalid user mireielle from 201.184.50.251 port 59440 ssh2
ian 24 08:53:51 Linux-Server sshd[372712]: Received disconnect from 201.184.50.251 port 59440:11: Bye Bye [preauth]
ian 24 08:53:51 Linux-Server sshd[372712]: Disconnected from invalid user mireielle 201.184.50.251 port 59440 [preauth]
ian 24 08:54:08 Linux-Server sshd[372726]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:09 Linux-Server sshd[372726]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:11 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372731]: Invalid user hawkos from 118.163.63.23 port 33902
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:54:16 Linux-Server sshd[372731]: Failed password for invalid user hawkos from 118.163.63.23 port 33902 ssh2
ian 24 08:54:16 Linux-Server sshd[372731]: Received disconnect from 118.163.63.23 port 33902:11: Bye Bye [preauth]
ian 24 08:54:16 Linux-Server sshd[372731]: Disconnected from invalid user hawkos 118.163.63.23 port 33902 [preauth]
ian 24 08:54:18 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:20 Linux-Server sshd[372726]: Received disconnect from 218.92.0.29 port 41135:11:  [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: Disconnected from invalid user root 218.92.0.29 port 41135 [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:50 Linux-Server sshd[372743]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:50 Linux-Server sshd[372743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:52 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:54 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:55 Linux-Server sshd[372745]: Invalid user skaret from 201.184.50.251 port 51582
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:54:57 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:57 Linux-Server sshd[372745]: Failed password for invalid user skaret from 201.184.50.251 port 51582 ssh2
ian 24 08:54:59 Linux-Server sshd[372743]: Received disconnect from 218.92.0.29 port 23264:11:  [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: Disconnected from invalid user root 218.92.0.29 port 23264 [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:59 Linux-Server sshd[372745]: Received disconnect from 201.184.50.251 port 51582:11: Bye Bye [preauth]
ian 24 08:54:59 Linux-Server sshd[372745]: Disconnected from invalid user skaret 201.184.50.251 port 51582 [preauth]
ian 24 08:55:13 Linux-Server sshd[372748]: User root from 180.101.88.221 not allowed because not listed in AllowUsers
ian 24 08:55:13 Linux-Server sshd[372748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root
ian 24 08:55:15 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:18 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:21 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:23 Linux-Server sshd[372748]: Received disconnect from 180.101.88.221 port 62046:11:  [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: Disconnected from invalid user root 180.101.88.221 port 62046 [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root
ian 24 08:56:04 Linux-Server sshd[372762]: Invalid user ubuntu from 201.184.50.251 port 43720
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:56:06 Linux-Server sshd[372762]: Failed password for invalid user ubuntu from 201.184.50.251 port 43720 ssh2
ian 24 08:56:08 Linux-Server sshd[372762]: Received disconnect from 201.184.50.251 port 43720:11: Bye Bye [preauth]
ian 24 08:56:08 Linux-Server sshd[372762]: Disconnected from invalid user ubuntu 201.184.50.251 port 43720 [preauth]
ian 24 08:56:48 Linux-Server sshd[372771]: Invalid user alberik from 118.163.63.23 port 38078
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:56:50 Linux-Server sshd[372771]: Failed password for invalid user alberik from 118.163.63.23 port 38078 ssh2
ian 24 08:56:51 Linux-Server sshd[372771]: Received disconnect from 118.163.63.23 port 38078:11: Bye Bye [preauth]

These are the logs from the last 5 minutes.

I traced them back to the very beginning, October 23, 00:00:42 AM. And they look really suspicious.

Do I have anything to worry about? I have 5 different ssh users allowed, 2 of which I confined in an SSH jail, with access only to the following folders:

bin  dev  etc  lib  lib64  proc  run  sbin  share  sys  tmp  usr

share is just an intermediate directory to let specific users access specific folders.

So, am I being hacked? Is this a possible DDoS attack? What can I do?

I'll be grateful for any advice!
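An added example, not part of the question or answer, that shows how to read such a log the way a defender would. It tallies the sshd messages that appear in the question ("Invalid user", "not allowed because not listed in AllowUsers", "Failed password") per source address and, more importantly, flags any "Accepted" line from an address you do not recognise, because rejected guesses are background noise while an unexpected successful login is what actually matters. The sample lines are constructed in the same format as the question's journalctl output, using RFC 5737 documentation addresses rather than the real hosts from the log; the `known_sources` set is an assumption standing in for the addresses you normally log in from.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the question's journalctl output
# (the month token is locale-dependent and is not parsed). Addresses come
# from the RFC 5737 documentation ranges, not from real hosts.
SAMPLE_LOG = """\
Jan 24 08:53:49 Linux-Server sshd[372712]: Invalid user mireielle from 192.0.2.10 port 59440
Jan 24 08:53:51 Linux-Server sshd[372712]: Failed password for invalid user mireielle from 192.0.2.10 port 59440 ssh2
Jan 24 08:53:51 Linux-Server sshd[372712]: Received disconnect from 192.0.2.10 port 59440:11: Bye Bye [preauth]
Jan 24 08:54:08 Linux-Server sshd[372726]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jan 24 08:54:11 Linux-Server sshd[372726]: Failed password for invalid user root from 198.51.100.7 port 41135 ssh2
Jan 24 08:54:14 Linux-Server sshd[372726]: Failed password for invalid user root from 198.51.100.7 port 41135 ssh2
Jan 24 08:54:18 Linux-Server sshd[372726]: Failed password for invalid user root from 198.51.100.7 port 41135 ssh2
Jan 24 08:54:20 Linux-Server sshd[372726]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan 24 08:55:01 Linux-Server sshd[372740]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2: ED25519 SHA256:constructed-fingerprint
"""

# OpenSSH message shapes, as they appear in the question's log.
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+) port \d+")
NOT_ALLOWED = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
# "PAM N more authentication failures" summarises attempts for which sshd
# already logged one "Failed password" line each, so it is deliberately
# not counted here; doing so would double-count.


def summarize(lines):
    """Per source address: rejected attempts, usernames tried, accepted logins."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        if m := FAILED.search(line):
            user, ip = m.groups()
            per_ip[ip]["failed"] += 1
            per_ip[ip]["users"].add(user)
        elif m := (INVALID_USER.search(line) or NOT_ALLOWED.search(line)):
            user, ip = m.groups()
            per_ip[ip]["users"].add(user)
        elif m := ACCEPTED.search(line):
            method, user, ip = m.groups()
            per_ip[ip]["accepted"].append((user, method))
    return dict(per_ip)


def verdicts(summary, known_sources=frozenset()):
    """Failures alone are background noise; what needs a human is an
    'Accepted' line from a source address you do not recognise."""
    out = {}
    for ip, s in summary.items():
        if s["accepted"]:
            who = ", ".join(f"{u} via {m}" for u, m in s["accepted"])
            status = "ok" if ip in known_sources else "REVIEW"
            out[ip] = f"{status}: accepted login for {who}"
        else:
            out[ip] = (f"noise: {s['failed']} rejected attempt(s), "
                       f"usernames tried {sorted(s['users'])}")
    return out


if __name__ == "__main__":
    # Assumption: 203.0.113.5 is where the admin normally connects from.
    report = verdicts(summarize(SAMPLE_LOG.splitlines()),
                      known_sources={"203.0.113.5"})
    for ip, verdict in report.items():
        print(f"{ip:16} {verdict}")
```

On a real box the input would be `journalctl -u ssh --since today --no-pager` (or `/var/log/auth.log`) piped into the same functions; the question's own lines would all land in the "noise" bucket, since every one of them is a rejection before authentication.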

Answer 1

When you open a service to the Internet, you can be sure it won't be long before some botnet finds it and starts trying to find security holes.

  • keep your server up to date
  • disable login with well-known usernames (root)
  • disable password login, use only public-key authentication
  • if you can, limit access to the service to specific IP addresses or subnets via a firewall
  • set up fail2ban to make it harder to probe your server

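An added example, not from the answer or from OpenSSH, that turns the answer's sshd items (no root login, no password login, public keys only, an explicit user allow-list like the AllowUsers the question already has) into a check you can run against an `sshd_config`. It shows a weak configuration beside a hardened one and audits both; the two config texts and the user names in them are constructed, and the default values assumed for absent directives are the ones documented in sshd_config(5).

```python
import re

# Values sshd uses when a directive is absent (documented in sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Pre-8.7 spelling of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed configs: the first leaves the defaults plus root password
# login in place, the second applies the answer's advice. User names are
# placeholders.
WEAK_CONFIG = """\
# sshd_config with password login left on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowUsers alice bob
"""


def parse_sshd_config(text):
    """Global section as {keyword_lower: value}. sshd honours the FIRST
    occurrence of a keyword, and anything after a Match line applies only
    conditionally, so parsing stops there (a deliberate simplification)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Keyword value" and "Keyword=value" are accepted by sshd.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        conf.setdefault(key, parts[1] if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text):
    """Findings against the answer's advice: no root login, no password (or
    PAM keyboard-interactive) login, keys enabled, an explicit allow-list."""
    conf = parse_sshd_config(text)
    value = lambda k: conf.get(k, DEFAULTS.get(k, "")).lower()
    findings = []
    if value("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{value('permitrootlogin')}', set it to no")
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not no, passwords can be guessed")
    if value("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not no, PAM can still prompt for a password")
    if value("pubkeyauthentication") == "no":
        findings.append("PubkeyAuthentication is no, key login would be impossible")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("no AllowUsers/AllowGroups, every local account is a valid login name")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

Two caveats when using this on a real system: the checker does not follow `Include` lines, and Debian/Ubuntu put an `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file, so a drop-in there wins over anything below it; `sshd -T` prints the values sshd will actually use, and `sshd -t` validates the file before you restart the service. The answer's last item is separate from sshd itself: fail2ban's `[sshd]` jail, enabled in `/etc/fail2ban/jail.local`, reads the same "Failed password" and "Invalid user" lines and blocks the source after a configured number of failures.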