可疑 IP 嘗試連接伺服器

tag-icon tag-icon networking security ufw
可疑 IP 嘗試連接伺服器

我收到訊息 suspicious ip [x.x.x.x] attempt to connect server 我必須針對此問題採取什麼措施?受影響的伺服器是 Ubuntu 14.04 伺服器,並且具有ufw公用 IP。

ufw日誌:

Nov  3 12:12:55  kernel: [358619.800870] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=37.139.191.161 DST=10.0.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=8329 PROTO=TCP SPT=43730 DPT=23 WINDOW=23100 RES=0x00 SYN URGP=0
Nov  3 12:14:08  kernel: [358692.822316] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=122.114.182.64 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=48132 PROTO=TCP SPT=54910 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 12:14:11  kernel: [358696.027769] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=89.248.172.16 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=52590 PROTO=TCP SPT=46640 DPT=8009 WINDOW=62657 RES=0x00 SYN URGP=0
Nov  3 12:14:43  kernel: [358727.590448] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=123.249.3.172 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=37365 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  3 12:14:45  kernel: [358729.683181] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=218.29.142.44 DST=10.0.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=234 ID=44905 PROTO=TCP SPT=50889 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  3 12:16:01  kernel: [358806.142162] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=176.109.226.160 DST=10.0.0.12 LEN=44 TOS=0x00 PREC=0x00 TTL=47 ID=8329 PROTO=TCP SPT=43730 DPT=23 WINDOW=23100 RES=0x00 SYN URGP=0
Nov  3 12:16:24  kernel: [358829.214991] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=212.142.159.191 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=35874 PROTO=TCP SPT=13461 DPT=23 WINDOW=9861 RES=0x00 SYN URGP=0
Nov  3 12:17:16  kernel: [358881.046988] [UFW BLOCK] IN=eth0 OUT= MAC=08:24:14:33:18:01:08:00 SRC=45.55.29.228 DST=10.0.0.12 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=57539 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

驗證日誌

/var/log$ tailf auth.log

Nov  3 12:47:55  sshd[10102]: Failed password for root from 58.218.198.146 port 50077 ssh2
Nov  3 12:48:00  sshd[10102]: message repeated 2 times: [ Failed password for root from 58.218.198.146 port 50077 ssh2]
Nov  3 12:48:01  sshd[10102]: Received disconnect from 58.218.198.146: 11:  [preauth]
Nov  3 12:48:01  sshd[10102]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146  user=root
Nov  3 12:48:17  sshd[10104]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146  user=root
Nov  3 12:48:19  sshd[10104]: Failed password for root from 58.218.198.146 port 27919 ssh2
Nov  3 12:48:24  sshd[10104]: message repeated 2 times: [ Failed password for root from 58.218.198.146 port 27919 ssh2]
Nov  3 12:48:24  sshd[10104]: Received disconnect from 58.218.198.146: 11:  [preauth]
Nov  3 12:48:24  sshd[10104]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146  user=root
Nov  3 12:48:37  sshd[10108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146  user=root
Nov  3 12:48:39  sshd[10108]: Failed password for root from 58.218.198.146 port 43229 ssh2
Nov  3 12:48:43  sshd[10108]: message repeated 2 times: [ Failed password for root from 58.218.198.146 port 43229 ssh2]
Nov  3 12:48:43  sshd[10108]: Received disconnect from 58.218.198.146: 11:  [preauth]
Nov  3 12:48:43  sshd[10108]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.146  user=root

答案1

這些是自動嘗試破解您的 ssh 伺服器並且非常常見。

IMO 您需要採取的最重要的行動是:

  1. 只允許透過密鑰 ssh 登錄,停用密碼。

  2. 不允許 root 登入。

你不需要安裝任何額外的服務,用 iptables 就可以解決這個問題。

先安裝 iptables-persistent

sudo apt-get install iptables-persistent

然後

sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource

sudo iptables -A INPUT -m recent --update --rchedk --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j --reject-with icmp-host-prohibited 

sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

“--hit count”是新連線的數量。請記住,每個新連線都會提供多次輸入密碼的機會。如果您使用 scp,請使用更高的命中計數,因為每個檔案都將是一個新的 ssh 會話。

“--seconds” IP 位址將被列入黑名單的時間。 10 分鐘通常足以阻止大多數「腳本小子」。

如需更多資訊/建議,請參閱http://bodhizazen.com/Tutorials/SSH_security

相關內容