這些日誌是什麼意思?有人試圖透過 ssh 侵入我的伺服器嗎?

tag-icon tag-icon ssh logging ddos
這些日誌是什麼意思?有人試圖透過 ssh 侵入我的伺服器嗎?

今天我醒來時發現了大量的日誌ssh,我只能假設有人正在嘗試存取我的 Linux 伺服器。

這是日誌

-- Logs begin at Wed 2023-08-02 08:59:10 EEST, end at Wed 2024-01-24 08:57:36 EET. --
ian 24 08:53:49 Linux-Server sshd[372712]: Invalid user mireielle from 201.184.50.251 port 59440
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:53:49 Linux-Server sshd[372712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:53:51 Linux-Server sshd[372712]: Failed password for invalid user mireielle from 201.184.50.251 port 59440 ssh2
ian 24 08:53:51 Linux-Server sshd[372712]: Received disconnect from 201.184.50.251 port 59440:11: Bye Bye [preauth]
ian 24 08:53:51 Linux-Server sshd[372712]: Disconnected from invalid user mireielle 201.184.50.251 port 59440 [preauth]
ian 24 08:54:08 Linux-Server sshd[372726]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:09 Linux-Server sshd[372726]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:11 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:14 Linux-Server sshd[372731]: Invalid user hawkos from 118.163.63.23 port 33902
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:14 Linux-Server sshd[372731]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:54:16 Linux-Server sshd[372731]: Failed password for invalid user hawkos from 118.163.63.23 port 33902 ssh2
ian 24 08:54:16 Linux-Server sshd[372731]: Received disconnect from 118.163.63.23 port 33902:11: Bye Bye [preauth]
ian 24 08:54:16 Linux-Server sshd[372731]: Disconnected from invalid user hawkos 118.163.63.23 port 33902 [preauth]
ian 24 08:54:18 Linux-Server sshd[372726]: Failed password for invalid user root from 218.92.0.29 port 41135 ssh2
ian 24 08:54:20 Linux-Server sshd[372726]: Received disconnect from 218.92.0.29 port 41135:11:  [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: Disconnected from invalid user root 218.92.0.29 port 41135 [preauth]
ian 24 08:54:20 Linux-Server sshd[372726]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:50 Linux-Server sshd[372743]: User root from 218.92.0.29 not allowed because not listed in AllowUsers
ian 24 08:54:50 Linux-Server sshd[372743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:52 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:54 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:55 Linux-Server sshd[372745]: Invalid user skaret from 201.184.50.251 port 51582
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:54:55 Linux-Server sshd[372745]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:54:57 Linux-Server sshd[372743]: Failed password for invalid user root from 218.92.0.29 port 23264 ssh2
ian 24 08:54:57 Linux-Server sshd[372745]: Failed password for invalid user skaret from 201.184.50.251 port 51582 ssh2
ian 24 08:54:59 Linux-Server sshd[372743]: Received disconnect from 218.92.0.29 port 23264:11:  [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: Disconnected from invalid user root 218.92.0.29 port 23264 [preauth]
ian 24 08:54:59 Linux-Server sshd[372743]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.29  user=root
ian 24 08:54:59 Linux-Server sshd[372745]: Received disconnect from 201.184.50.251 port 51582:11: Bye Bye [preauth]
ian 24 08:54:59 Linux-Server sshd[372745]: Disconnected from invalid user skaret 201.184.50.251 port 51582 [preauth]
ian 24 08:55:13 Linux-Server sshd[372748]: User root from 180.101.88.221 not allowed because not listed in AllowUsers
ian 24 08:55:13 Linux-Server sshd[372748]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root
ian 24 08:55:15 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:18 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:21 Linux-Server sshd[372748]: Failed password for invalid user root from 180.101.88.221 port 62046 ssh2
ian 24 08:55:23 Linux-Server sshd[372748]: Received disconnect from 180.101.88.221 port 62046:11:  [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: Disconnected from invalid user root 180.101.88.221 port 62046 [preauth]
ian 24 08:55:23 Linux-Server sshd[372748]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.221  user=root
ian 24 08:56:04 Linux-Server sshd[372762]: Invalid user ubuntu from 201.184.50.251 port 43720
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:04 Linux-Server sshd[372762]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.184.50.251
ian 24 08:56:06 Linux-Server sshd[372762]: Failed password for invalid user ubuntu from 201.184.50.251 port 43720 ssh2
ian 24 08:56:08 Linux-Server sshd[372762]: Received disconnect from 201.184.50.251 port 43720:11: Bye Bye [preauth]
ian 24 08:56:08 Linux-Server sshd[372762]: Disconnected from invalid user ubuntu 201.184.50.251 port 43720 [preauth]
ian 24 08:56:48 Linux-Server sshd[372771]: Invalid user alberik from 118.163.63.23 port 38078
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): check pass; user unknown
ian 24 08:56:48 Linux-Server sshd[372771]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=118.163.63.23
ian 24 08:56:50 Linux-Server sshd[372771]: Failed password for invalid user alberik from 118.163.63.23 port 38078 ssh2
ian 24 08:56:51 Linux-Server sshd[372771]: Received disconnect from 118.163.63.23 port 38078:11: Bye Bye [preauth]

這些是最近 5 分鐘的日誌。

我將它們追溯到 開始Octomber 23, 00:00:42 AM。而且它們看起來真的很可疑。

我有什麼好擔心的嗎?我有 5 個不同的允許 ssh 用戶,其中 2 個我包含在 SSH 監獄中,只能存取以下資料夾:

bin  dev  etc  lib  lib64  proc  run  sbin  share  sys  tmp  usr

共用只是一個中間目錄,允許特定使用者存取特定資料夾。

那我是不是被黑了?這是潛在的 DDoS 攻擊嗎?我能做些什麼?

我將不勝感激任何建議!

答案1

當您向互聯網開放服務時,您可以確信用不了多久就會有殭屍網路發現它並開始嘗試尋找安全漏洞。

  • 讓您的伺服器保持最新狀態
  • 停用已知使用者名稱登入 ( root)
  • 停用密碼登錄,僅使用公鑰身份驗證
  • 如果可以,請透過防火牆將對服務的存取限制為特定 IP 位址或子網路。
  • 設定fail2ban以使其更難探測您的伺服器

相關內容