当前位置：首页 > article >正文

＜ OS 有关＞阿里云几个小时前使用密钥替换 SSH 密码认证后，发现主机正在被“攻击” 分析与应对

article 2025/1/30 0:16:32

信息来源：

文件：/var/log/auth.log

因为在 sshd_config 配置文件中，已经定义 LogLevel INFO

部分内容：

2025-01-27T18:18:55.682727+08:00 jpn sshd[15891]: Received disconnect from 45.194.37.171 port 58954:11: Bye Bye [preauth]
2025-01-27T18:18:55.682852+08:00 jpn sshd[15891]: Disconnected from invalid user es 45.194.37.171 port 58954 [preauth]
2025-01-27T18:19:30.861201+08:00 jpn sshd[15894]: Accepted publickey for root from **** port 37287 ssh2: ED25519 SHA256:jpUCXR/o4OM5+8TNsIYfpJyZWHLLxghIOe36RMVEx+0
2025-01-27T18:19:30.863454+08:00 jpn sshd[15894]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:30.894649+08:00 jpn systemd-logind[834]: New session 68 of user root.
2025-01-27T18:19:30.936765+08:00 jpn (systemd): pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:40.757504+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:40.758049+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:48.862708+08:00 jpn sshd[16046]: Connection closed by 2.57.122.32 port 45270
2025-01-27T18:19:49.986155+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:19:52.902680+08:00 jpn sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/visudo
2025-01-27T18:19:52.904224+08:00 jpn sudo: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:19:59.817863+08:00 jpn sshd[16051]: Invalid user es from 103.27.36.57 port 52330
2025-01-27T18:19:59.927275+08:00 jpn sshd[16051]: Received disconnect from 103.27.36.57 port 52330:11: Bye Bye [preauth]
2025-01-27T18:19:59.927353+08:00 jpn sshd[16051]: Disconnected from invalid user es 103.27.36.57 port 52330 [preauth]
2025-01-27T18:20:22.627449+08:00 jpn sshd[16055]: Received disconnect from 218.92.0.229 port 27794:11:  [preauth]
2025-01-27T18:20:22.627596+08:00 jpn sshd[16055]: Disconnected from 218.92.0.229 port 27794 [preauth]
2025-01-27T18:20:22.745077+08:00 jpn sshd[16057]: Invalid user sammy from 45.194.37.171 port 45126
2025-01-27T18:20:22.812352+08:00 jpn sshd[16057]: Received disconnect from 45.194.37.171 port 45126:11: Bye Bye [preauth]
2025-01-27T18:20:22.812444+08:00 jpn sshd[16057]: Disconnected from invalid user sammy 45.194.37.171 port 45126 [preauth]
2025-01-27T18:20:26.370459+08:00 jpn sshd[16059]: Invalid user test from 185.213.165.222 port 41514
2025-01-27T18:20:26.709218+08:00 jpn sshd[16059]: Received disconnect from 185.213.165.222 port 41514:11: Bye Bye [preauth]
2025-01-27T18:20:26.709308+08:00 jpn sshd[16059]: Disconnected from invalid user test 185.213.165.222 port 41514 [preauth]
2025-01-27T18:20:42.828438+08:00 jpn sudo: pam_unix(sudo:session): session closed for user root
2025-01-27T18:21:23.015774+08:00 jpn sshd[16098]: Invalid user ftpuser from 103.27.36.57 port 58928
2025-01-27T18:21:23.118253+08:00 jpn sshd[16098]: Received disconnect from 103.27.36.57 port 58928:11: Bye Bye [preauth]
2025-01-27T18:21:23.118331+08:00 jpn sshd[16098]: Disconnected from invalid user ftpuser 103.27.36.57 port 58928 [preauth]
2025-01-27T18:21:40.835987+08:00 jpn sshd[16101]: Invalid user dev from 185.213.165.222 port 39898
2025-01-27T18:21:41.196305+08:00 jpn sshd[16101]: Received disconnect from 185.213.165.222 port 39898:11: Bye Bye [preauth]
2025-01-27T18:21:41.196384+08:00 jpn sshd[16101]: Disconnected from invalid user dev 185.213.165.222 port 39898 [preauth]
2025-01-27T18:21:50.976607+08:00 jpn sshd[16103]: Invalid user alex from 45.194.37.171 port 33420
2025-01-27T18:21:51.038467+08:00 jpn sshd[16103]: Received disconnect from 45.194.37.171 port 33420:11: Bye Bye [preauth]
2025-01-27T18:21:51.038551+08:00 jpn sshd[16103]: Disconnected from invalid user alex 45.194.37.171 port 33420 [preauth]
2025-01-27T18:22:00.498436+08:00 jpn sshd[16105]: Received disconnect from 218.92.0.221 port 29964:11:  [preauth]
2025-01-27T18:22:00.498537+08:00 jpn sshd[16105]: Disconnected from 218.92.0.221 port 29964 [preauth]
2025-01-27T18:22:03.387463+08:00 jpn sshd[16107]: Received disconnect from 218.92.0.222 port 57854:11:  [preauth]
2025-01-27T18:22:03.387564+08:00 jpn sshd[16107]: Disconnected from 218.92.0.222 port 57854 [preauth]
2025-01-27T18:22:46.297244+08:00 jpn sshd[16109]: Invalid user sammy from 103.27.36.57 port 51744
2025-01-27T18:22:46.409949+08:00 jpn sshd[16109]: Received disconnect from 103.27.36.57 port 51744:11: Bye Bye [preauth]
2025-01-27T18:22:46.410041+08:00 jpn sshd[16109]: Disconnected from invalid user sammy 103.27.36.57 port 51744 [preauth]
2025-01-27T18:23:03.386976+08:00 jpn sshd[16111]: Invalid user server from 185.213.165.222 port 39412
2025-01-27T18:23:03.736443+08:00 jpn sshd[16111]: Received disconnect from 185.213.165.222 port 39412:11: Bye Bye [preauth]
2025-01-27T18:23:03.736530+08:00 jpn sshd[16111]: Disconnected from invalid user server 185.213.165.222 port 39412 [preauth]
2025-01-27T18:23:24.999251+08:00 jpn sshd[16116]: Invalid user user1 from 45.194.37.171 port 37228
2025-01-27T18:23:25.063685+08:00 jpn sshd[16116]: Received disconnect from 45.194.37.171 port 37228:11: Bye Bye [preauth]
2025-01-27T18:23:25.063778+08:00 jpn sshd[16116]: Disconnected from invalid user user1 45.194.37.171 port 37228 [preauth]
2025-01-27T18:24:04.966112+08:00 jpn sshd[16120]: Received disconnect from 103.27.36.57 port 57388:11: Bye Bye [preauth]
2025-01-27T18:24:04.966269+08:00 jpn sshd[16120]: Disconnected from authenticating user admin 103.27.36.57 port 57388 [preauth]
2025-01-27T18:24:15.054187+08:00 jpn sshd[16122]: Invalid user smart from 185.213.165.222 port 39408
2025-01-27T18:24:15.377906+08:00 jpn sshd[16122]: Received disconnect from 185.213.165.222 port 39408:11: Bye Bye [preauth]
2025-01-27T18:24:15.378009+08:00 jpn sshd[16122]: Disconnected from invalid user smart 185.213.165.222 port 39408 [preauth]
2025-01-27T18:25:01.028050+08:00 jpn CRON[16125]: pam_unix(cron:session): session opened for user root(uid=0) by root(uid=0)
2025-01-27T18:25:01.030389+08:00 jpn CRON[16125]: pam_unix(cron:session): session closed for user root
2025-01-27T18:25:01.780947+08:00 jpn sshd[16128]: Invalid user smart from 45.194.37.171 port 54306
2025-01-27T18:25:01.841197+08:00 jpn sshd[16128]: Received disconnect from 45.194.37.171 port 54306:11: Bye Bye [preauth]
2025-01-27T18:25:01.841281+08:00 jpn sshd[16128]: Disconnected from invalid user smart 45.194.37.171 port 54306 [preauth]
2025-01-27T18:25:19.503142+08:00 jpn sshd[16130]: Invalid user test from 103.27.36.57 port 49936
2025-01-27T18:25:19.604616+08:00 jpn sshd[16130]: Received disconnect from 103.27.36.57 port 49936:11: Bye Bye [preauth]
2025-01-27T18:25:19.604710+08:00 jpn sshd[16130]: Disconnected from invalid user test 103.27.36.57 port 49936 [preauth]
2025-01-27T18:25:21.589372+08:00 jpn sshd[16132]: Invalid user steam from 185.213.165.222 port 58956
2025-01-27T18:25:21.937081+08:00 jpn sshd[16132]: Received disconnect from 185.213.165.222 port 58956:11: Bye Bye [preauth]
2025-01-27T18:25:21.937164+08:00 jpn sshd[16132]: Disconnected from invalid user steam 185.213.165.222 port 58956 [preauth]
2025-01-27T18:26:27.432529+08:00 jpn sshd[16136]: Invalid user deploy from 185.213.165.222 port 43124
2025-01-27T18:26:27.766964+08:00 jpn sshd[16136]: Received disconnect from 185.213.165.222 port 43124:11: Bye Bye [preauth]
2025-01-27T18:26:27.767062+08:00 jpn sshd[16136]: Disconnected from invalid user deploy 185.213.165.222 port 43124 [preauth]
2025-01-27T18:26:36.494292+08:00 jpn sshd[16138]: Invalid user dev from 103.27.36.57 port 50164
2025-01-27T18:26:36.595899+08:00 jpn sshd[16138]: Received disconnect from 103.27.36.57 port 50164:11: Bye Bye [preauth]
2025-01-27T18:26:36.596008+08:00 jpn sshd[16138]: Disconnected from invalid user dev 103.27.36.57 port 50164 [preauth]
2025-01-27T18:26:37.148520+08:00 jpn sshd[16141]: Received disconnect from 45.194.37.171 port 43148:11: Bye Bye [preauth]
2025-01-27T18:26:37.148638+08:00 jpn sshd[16141]: Disconnected from authenticating user admin 45.194.37.171 port 43148 [preauth]
2025-01-27T18:27:19.961834+08:00 jpn sshd[16144]: Invalid user udatabase from 139.19.117.130 port 34824
2025-01-27T18:27:19.962218+08:00 jpn sshd[16144]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
2025-01-27T18:27:28.842456+08:00 jpn sshd[16144]: Connection closed by invalid user udatabase 139.19.117.130 port 34824 [preauth]
2025-01-27T18:27:35.048858+08:00 jpn sshd[16146]: Invalid user user from 185.213.165.222 port 35672
2025-01-27T18:27:35.388298+08:00 jpn sshd[16146]: Received disconnect from 185.213.165.222 port 35672:11: Bye Bye [preauth]
2025-01-27T18:27:35.388373+08:00 jpn sshd[16146]: Disconnected from invalid user user 185.213.165.222 port 35672 [preauth]
2025-01-27T18:27:52.749556+08:00 jpn sshd[16148]: Invalid user debian from 103.27.36.57 port 33168
2025-01-27T18:27:52.856125+08:00 jpn sshd[16148]: Received disconnect from 103.27.36.57 port 33168:11: Bye Bye [preauth]
2025-01-27T18:27:52.856215+08:00 jpn sshd[16148]: Disconnected from invalid user debian 103.27.36.57 port 33168 [preauth]
2025-01-27T18:27:58.680968+08:00 jpn sshd[16150]: Invalid user sammy from 190.181.4.12 port 53132
2025-01-27T18:27:58.945670+08:00 jpn sshd[16150]: Received disconnect from 190.181.4.12 port 53132:11: Bye Bye [preauth]
2025-01-27T18:27:58.945810+08:00 jpn sshd[16150]: Disconnected from invalid user sammy 190.181.4.12 port 53132 [preauth]
2025-01-27T18:28:17.065155+08:00 jpn sshd[16152]: Invalid user deploy from 45.194.37.171 port 36046
2025-01-27T18:28:17.129274+08:00 jpn sshd[16152]: Received disconnect from 45.194.37.171 port 36046:11: Bye Bye [preauth]
2025-01-27T18:28:17.129355+08:00 jpn sshd[16152]: Disconnected from invalid user deploy 45.194.37.171 port 36046 [preauth]
root@jpn:~# cat /var/log/auth.logcat /var/log/auth.log

分析日志：

密集的暴力破解尝试，主要来自以下IP：

185.213.165.222：尝试 test, dev, server, smart, steam, deploy, user 等用户名
45.194.37.171：尝试 sammy, alex, user1, smart, deploy 等用户名
103.27.36.57：尝试 es, ftpuser, sammy, dev, debian 等用户名
139.19.117.130：使用了失效的 ssh-rsa 算法尝试登录
190.181.4.12：尝试 sammy 用户名
203.23.199.89
85.208.253.163

IP 也分布在世界各地。

应对方案：

要么更改端口，还有用 fail2ban 来封禁频繁失败的 IP。

这里记录用 fail2ban

1. 安装 fail2ban

apt update
apt install fail2ban -y

2. 阿里云的 apt 服务器连不上

3. 更新 /etc/apt/sources.list

root@jpn:~# cat /etc/apt/sources.list
deb http://jp.archive.ubuntu.com/ubuntu/ noble main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-updates main restricted universe multiverse
deb http://jp.archive.ubuntu.com/ubuntu/ noble-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse

4. 继续安装 fail2ban

sudo apt update && sudo apt upgrade -y

apt install fail2ban -y

5. 创建配置文件

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

6. 编辑配置文件 /etc/fail2ban/jail.local

原内容：

我改后的内容：

策略：5分钟内失败3次就封1小时

7. 设置开机自启、启动服务

systemctl enable fail2ban
systemctl start fail2ban

如果配置有修改，重启服务

systemctl restart fail2ban

8. 如何检查状态和查看封禁列表

1) 查看服务状态

2) 查看 sshd 的详细状态封禁列表

3）检查配置命令

fail2ban-client get sshd bantime
fail2ban-client get sshd findtime
fail2ban-client get sshd maxretry

结束语：

这两晚在看阿里云的性能宕机问题，从删除阿里云服务，使用密钥验证时增加ssh输出，突然发现日志中有重试登录 IP。现在安装 f2b来解决。

20年前的知识，还在能用上

这么会儿功夫，关了 8只

查看全文

http://www.kler.cn/a/522262.html

Python GUI 开发 | Qt Designer — 工具介绍

Nuitka打包python脚本

[A-29]ARMv8/v9-GIC-中断子系统的安全架构设计(Security/FIQ/IRQ)

Luzmo 专为SaaS公司设计的嵌入式数据分析平台

【Elasticsearch】Elasticsearch的查询

电力晶体管（GTR）全控性器件

关于Dubbo的面试题概念原理配置及代码

【信息系统项目管理师-选择真题】2012上半年综合知识答案和详解

十三先天记

【面试】【前端】前端浏览器考题总结

深度学习｜表示学习｜卷积神经网络｜输出维度公式｜15

HTML 符号详解

安全策略初始实验

30289_SC65XX功能机MMI开发笔记（ums9117）

深入理解动态规划(dp)--(提前要对dfs有了解)

【OMCI实践】ONT上线过程的omci消息（二）

leetcode 209. 长度最小的子数组

AI 模型评估与质量控制：生成内容的评估与问题防护

Web开发 -前端部分-CSS3新特性

unity学习20：time相关基础 Time.time 和 Time.deltaTime

基于Django的微博舆情分析系统的设计与实现

【算法与数据结构】动态规划

RTOS面试合集

【Python实现机器遗忘算法】复现2020年顶会CVPR算法Selective Forgetting

006 mybatis关联查询（一对一、一对多）

OPencv3.4.1安装及配置教程