Some bastard in Wenzhou, Zhejiang won't stop attacking my server


姚 飞
2014/05/19 8:26:13
To: sh...@googlegroups.com
I had a look at the logs. What is this guy playing at?

May 19 20:05:52 atombox sshd[8523]: Failed password for invalid user admin from 61.174.51.215 port 26690 ssh2
May 19 20:05:52 atombox sshd[8523]: pam_unix(sshd:auth): check pass; user unknown
May 19 20:05:54 atombox sshd[8523]: Failed password for invalid user admin from 61.174.51.215 port 26690 ssh2
May 19 20:05:54 atombox sshd[8523]: Disconnecting: Too many authentication failures for admin [preauth]
May 19 20:05:54 atombox sshd[8523]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.215
May 19 20:05:54 atombox sshd[8523]: PAM service(sshd) ignoring max retries; 6 > 3
May 19 20:05:54 atombox sshd[8531]: Address 61.174.51.215 maps to 215.51.174.61.dial.wz.zj.dynamic.163data.com.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 19 20:05:54 atombox sshd[8531]: Invalid user admin from 61.174.51.215
May 19 20:05:54 atombox sshd[8531]: input_userauth_request: invalid user admin [preauth]
May 19 20:05:55 atombox sshd[8531]: pam_unix(sshd:auth): check pass; user unknown
May 19 20:05:55 atombox sshd[8531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.215
May 19 20:05:57 atombox sshd[8531]: Failed password for invalid user admin from 61.174.51.215 port 32918 ssh2
May 19 20:05:57 atombox sshd[8531]: pam_unix(sshd:auth): check pass; user unknown
May 19 20:05:58 atombox sshd[8525]: message repeated 5 times: [ Failed password for root from 61.174.51.215 port 28464 ssh2]
May 19 20:05:58 atombox sshd[8525]: Disconnecting: Too many authentication failures for root [preauth]
May 19 20:05:58 atombox sshd[8525]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.215 user=root
May 19 20:05:58 atombox sshd[8525]: PAM service(sshd) ignoring max retries; 6 > 3
May 19 20:05:58 atombox sshd[8533]: Address 61.174.51.215 maps to 215.51.174.61.dial.wz.zj.dynamic.163data.com.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 19 20:05:58 atombox sshd[8533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.215 user=root
May 19 20:05:59 atombox sshd[8531]: Failed password for invalid user admin from 61.174.51.215 port 32918 ssh2
May 19 20:05:59 atombox sshd[8531]: pam_unix(sshd:auth): check pass; user unknown
May 19 20:05:59 atombox sshd[8527]: message repeated 5 times: [ Failed password for root from 61.174.51.215 port 29537 ssh2]
May

none_nobody
2014/05/19 8:36:29
To: sh...@googlegroups.com
Anyone who puts an IP address on the public internet runs into a few password scans.

If it annoys you, just drop the source with iptables and be done with it. Or mirroring it back at them works nicely too.


On Monday, May 19, 2014 8:26:13 PM UTC+8, 姚飞 wrote:
> I had a look at the logs. What is this guy playing at?

none_nobody
2014/05/19 8:44:34
To: sh...@googlegroups.com
Look at my logs, there's plenty there too, 汪济汪济, and from roughly the same IP range as yours.


May 19 15:57:19 debian sshd[30892]: Failed password for root from 61.174.51.214 port 29759 ssh2
May 19 15:57:20 debian sshd[30894]: Address 61.174.51.214 maps to but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May 19 15:57:20 debian sshd[30890]: Failed password for root from 61.174.51.214 port 26527 ssh2
May 19 15:57:20 debian sshd[30894]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.214  user=root
May 19 15:57:21 debian sshd[30888]: Failed password for invalid user admin from 61.174.51.214 port 24518 ssh2
May 19 15:57:21 debian sshd[30888]: pam_unix(sshd:auth): check pass; user unknown
May 19 15:57:21 debian sshd[30892]: Failed password for root from 61.174.51.214 port 29759 ssh2
May 19 15:57:22 debian sshd[30894]: Failed password for root from 61.174.51.214 port 31685 ssh2
May 19 15:57:23 debian sshd[30888]: Failed password for invalid user admin from 61.174.51.214 port 24518 ssh2
May 19 15:57:23 debian sshd[30890]: Failed password for root from 61.174.51.214 port 26527 ssh2
May 19 15:57:23 debian sshd[30890]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.174.51.214  user=root
May 19 15:57:23 debian sshd[30890]: PAM service(sshd) ignoring max retries; 6 > 3
May 19 15:57:23 debian sshd[30888]: pam_unix(sshd:auth): check pass; user unknown
May 19 15:57:24 debian sshd[30892]: Failed password for root from 61.174.51.214 port 29759 ssh2
May 19 15:57:24 debian sshd[30894]: Failed password for root from 61.174.51.214 port 31685 ssh2
May 19 15:57:25 debian sshd[30888]: Failed password for invalid user admin from 61.174.51.214 port 24518 ssh2
May 19 15:57:26 debian sshd[30888]: pam_unix(sshd:auth): check pass; user unknown
May 19 15:57:26 debian sshd[30896]: Address 61.174.51.214 maps to 214.51.174.61.dial.wz.zj.dynamic.163data.com.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!



On Monday, May 19, 2014 8:26:13 PM UTC+8, 姚飞 wrote:
> I had a look at the logs. What is this guy playing at?

May

依云
2014/05/19 8:56:42
To: sh...@googlegroups.com
On Mon, May 19, 2014 at 05:36:29AM -0700, none_nobody wrote:
> Anyone who puts an IP address on the public internet runs into a few password scans.
>
> If it annoys you, just drop the source with iptables and be done with it. Or mirroring it back at them works nicely too.

It's not just annoying: the log files eat disk space, and some scanners open a lot of connections at once, so the number of ssh connections hits the limit and you yourself can get rejected by some PAM module during normal use...

I like this one:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

If you can, changing the port number is quite effective as well.

There are also solutions like denyhosts and fail2ban.

--
Best regards,
lilydjwg

Linux Vim Python My blog:
http://lilydjwg.is-programmer.com/
--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
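As an added illustration (my code, not anything posted in the thread), here is the log-side counterpart of the recent-module rule above: it reads sshd log lines in the format quoted at the top of the thread and flags any source that produced 4 failures within 60 seconds, the same threshold as `--seconds 60 --hitcount 4`. The firewall rule counts new TCP connections and this counts failed logins, so the two will not agree exactly; the sample lines are constructed, and `drop_rules` renders the per-source "iptables drop" that none_nobody suggested.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd uses (not a copy of any real host's log);
# the 61.174.51.x source and the "message repeated" line mirror the thread's excerpts.
SAMPLE_LOG = """\
May 19 20:05:52 atombox sshd[8523]: Failed password for invalid user admin from 61.174.51.215 port 26690 ssh2
May 19 20:05:54 atombox sshd[8523]: Failed password for invalid user admin from 61.174.51.215 port 26690 ssh2
May 19 20:05:57 atombox sshd[8531]: Failed password for invalid user admin from 61.174.51.215 port 32918 ssh2
May 19 20:05:58 atombox sshd[8525]: message repeated 5 times: [ Failed password for root from 61.174.51.215 port 28464 ssh2]
May 19 20:06:30 atombox sshd[8600]: Failed password for alice from 203.0.113.7 port 51000 ssh2
May 19 20:09:00 atombox sshd[8601]: Failed password for alice from 203.0.113.7 port 51002 ssh2
May 19 20:09:10 atombox sshd[8602]: Accepted publickey for alice from 203.0.113.7 port 51004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:message repeated (?P<n>\d+) times: \[ )?"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def failed_attempts(log_text):
    """Yield (time, user, source ip) per failure, expanding 'message repeated N times'."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less, fine for deltas
            for _ in range(int(m["n"] or 1)):
                yield ts, m["user"], m["ip"]

def sources_to_block(log_text, seconds=60, hitcount=4):
    """Sliding-window count per source, like the recent-module rule (4 hits in 60 s).
    Returns {ip: (total_failures, sorted users tried)} for sources that crossed it."""
    window, totals, users, flagged = defaultdict(deque), defaultdict(int), defaultdict(set), set()
    for ts, user, ip in failed_attempts(log_text):
        totals[ip] += 1
        users[ip].add(user)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:   # expire hits older than the window
            q.popleft()
        if len(q) >= hitcount:
            flagged.add(ip)
    return {ip: (totals[ip], sorted(users[ip])) for ip in flagged}

def drop_rules(flagged, dport=22):
    """Render the per-source 'iptables drop' rules suggested in the thread, one per IP."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {dport} -j DROP" for ip in sorted(flagged)]
```

A legitimate user who mistypes twice a few minutes apart (alice in the sample) never reaches the threshold, while the scanner is flagged on its fourth failure.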

单栋
2014/05/19 10:47:58
To: sh...@googlegroups.com
Pfft... that's hilarious...



--
-- You received this message because you are subscribed to the Google Groups Shanghai Linux User Group group. To post to this group, send email to sh...@googlegroups.com. To unsubscribe from this group, send email to shlug+un...@googlegroups.com. For more options, visit this group at https://groups.google.com/d/forum/shlug?hl=zh-CN

loong0
2014/05/19 13:03:24
To: sh...@googlegroups.com
Change the port and add some iptables rules; that should do it.





--
Follow your dream!

DaboD
2014/05/19 14:17:35
To: sh...@googlegroups.com
Or add knockd.


On Monday, May 19, 2014 8:26:13 PM UTC+8, 姚飞 wrote:

Haowu Ge
2014/05/19 20:32:22
To: sh...@googlegroups.com
Here's the Wenzhou guy coming to chime in.......

First, who is doing the scanning:
==
a large number of worms =======
some jump hosts ==
actual people from the Wenzhou area =
==
Just turn PAM off and force key authentication, problem solved.

--
Regards.
By: Haowu Ge; PGP:B7C9977A
WWW: https://www.7axu.com/




Dennis
2014/05/19 20:36:45
To: sh...@googlegroups.com

Force key authentication, remove password authentication, no need to change the port; let them scan all they want.

Yang Fan
2014/05/19 21:03:31
To: sh...@googlegroups.com
Last week I happened to notice that an IP from another province had actually logged into my VPS as root. I quickly blocked the IP in iptables, disabled root login in sshd, and moved off port 22. Sigh.
Regards,
Fan Yang

Dennis
2014/05/19 21:27:17
To: sh...@googlegroups.com

Even though you disabled root login, shouldn't you change the root password too?

Dennis
2014/05/19 21:29:01
To: sh...@googlegroups.com

Blocking IPs is actually useless. Changing the port is useless too. Strong passwords, no vulnerabilities in the system, no vulnerabilities in the applications: that's what really matters.

moon
2014/05/19 21:44:25
To: sh...@googlegroups.com
This guy... why do I feel a bit of schadenfreude..

Icat
2014/05/19 21:57:40
To: sh...@googlegroups.com
Well.... if it's really the person himself you could just report it to the police.
But usually it's a proxy or a zombie machine...
If they're scanning bare without a proxy... this person is either bored and messing around, or really a total newbie?

Shell Xu
2014/05/19 22:00:50
To: shlug
If there was an unauthorized login, isn't the first reaction to reinstall?
If you're being scanned, I suggest using denyhosts to add the IPs to the block list automatically, so switching IPs doesn't help them. But denyhosts seems to have had some vulnerabilities recently, so it's no longer shipped in Debian testing and later. I'm agonizing over whether to replace denyhosts with fail2ban on a pile of machines.
The usual ssh changes are:
1. Disable password login.
2. Add UseDNS no.
3. Change the root password to something complex.
4. Change the port (personally I think it's useless).
5. Add knockd (personally I find it a pain).
6. Add Google Authenticator (personally I find it a burning pain).
7. If you have several machines to maintain, put everyone's ssh on the internal network and dial a VPN out from the internal gateway to some device with a fixed IP; then not a single port is exposed to the outside. Or use openvpn; fewer people scan UDP than TCP.
The joints have gaps, and the blade has no thickness; when that which has no thickness enters where there is a gap, there is ample room for the blade to move freely.
blog: http://shell909090.org/blog/
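An added checker for items 1 and 2 of the list above, plus the PermitRootLogin change Yang Fan made (my example, not code from the thread or from OpenSSH): it resolves two constructed sshd_config fragments the way sshd does, first occurrence of a keyword wins and keywords are case-insensitive, and reports what is still weak. The ChallengeResponseAuthentication check is an extra caveat: with it enabled and PAM in use, sshd can still prompt for a password over keyboard-interactive even after PasswordAuthentication is off.

```python
# Constructed sshd_config fragments (not from any host in the thread). sshd takes the
# FIRST value it sees for each keyword, so the later "PasswordAuthentication no" below
# never takes effect; that is exactly the kind of mistake this check catches.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no      # silently ignored by sshd: first match wins
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UseDNS no
"""

# keyword (lower-case) -> (required value, why the thread cares)
WANTED = {
    "passwordauthentication": ("no", "item 1: password logins are still accepted"),
    "challengeresponseauthentication": ("no", "keyboard-interactive can still take a password via PAM"),
    "permitrootlogin": ("no", "root is one of the accounts the scans in the logs hammer"),
    "usedns": ("no", "item 2: reverse lookups only add the 'POSSIBLE BREAK-IN ATTEMPT' noise"),
}

def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves it: first occurrence wins, keywords are
    case-insensitive, and parsing stops at the first Match block (conditional scope)."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword/value
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """List (keyword, current value or None when unset, reason) for each setting that
    deviates from the recommendations; an empty list means the fragment passes."""
    have = effective_settings(config_text)
    return [(k, have.get(k), why) for k, (want, why) in WANTED.items()
            if (have.get(k) or "").lower() != want]
```

A keyword that is absent is reported too, because its default depends on the OpenSSH version and should be set explicitly rather than assumed.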

none_nobody
2014/05/19 22:02:58
To: sh...@googlegroups.com
Why is blocking IPs useless? I only allow logins from internal IP addresses and drop everything external. Does that stop working?

I'm the only one on the internal network.

Dennis
2014/05/19 22:30:23
To: sh...@googlegroups.com

If you block all external IPs, then yes, that works.

Han Lei
2014/05/19 22:51:40
To: sh...@googlegroups.com
Someone wants to spy on my satellite project.. hoho..
--
                           //////////\\\\
                           ( ~~ ~~ )
                          (   @ @   )
                            (    o    )
 -------------oOOo-----------oOOo--------------
Kind regards
Man proposes, God disposes .

Greetings from Oliver Twist
                                      0ooo
 ---------------------oooO---(   )------------------
                        (   )           )  /
                         \  (          (_/
                          \_)

Dennis
2014/05/19 23:00:55
To: sh...@googlegroups.com

Haha, a satellite project's servers shouldn't be guarded by simple software rules; they should be physically isolated. A dedicated network for a dedicated purpose.

Ben Luo
2014/05/20 0:21:28
To: shlug

If that's really their goal, they must be paralyzed from the neck up.

Haowu Ge
2014/05/20 1:27:28
To: sh...@googlegroups.com
Changing the port shuts out the vast majority of worms, so it's still fairly effective.

--
Regards.
By: Haowu Ge; PGP:B7C9977A
WWW: https://www.7axu.com/



liyaoshi
2014/05/20 1:30:32
To: sh...@googlegroups.com
With a high port it's even less likely to be scanned. People still bother scanning ports below 5000, but above 40000 they basically can't be bothered, right?

Qf Yang
2014/05/20 3:16:01
To: sh...@googlegroups.com
Reporting to the police is useless.... They usually first ask whether there were any losses; if there were none or only small ones, they won't open a case or do anything at all. Better to tighten your own security....

Arith Xu
2014/07/20 11:50:34
To: sh...@googlegroups.com
I suggest disabling password login and using certificate login.
Then add the denylist to the blocklist.

Marco
2014/07/29 5:36:11
To: shlug
I once deliberately left an account with a weak username and password, something like test / test123, and a few days later found mysterious programs on the machine; it had become a zombie, haha.
--
LinuX
Violin
Canon EOS

lanxi
2014/07/30 10:02:51
To: sh...@googlegroups.com
A honeypot? - -