vps服务器差点被入侵

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

Linode 各机房速度测试

这是一个创建于 4155 天前的主题，其中的信息可能已经有所发展或是发生改变。

pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=root
Failed password for root from 61.160.207.240 port 52296 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user oracle from 61.160.207.240
input_userauth_request: invalid user oracle
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user oracle
Failed password for invalid user oracle from 61.160.207.240 port 53392 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 43603 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 44703 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240 user=adm
Failed password for adm from 61.160.207.240 port 45640 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user testuser
Failed password for invalid user testuser from 61.160.207.240 port 50198 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user testuser from 61.160.207.240
input_userauth_request: invalid user testuser
input_userauth_request: invalid user linux
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user linux
Failed password for invalid user linux from 61.160.207.240 port 54636 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user info from 61.160.207.240
input_userauth_request: invalid user info
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user info
Failed password for invalid user info from 61.160.207.240 port 59143 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user alex from 61.160.207.240
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user alex
Failed password for invalid user alex from 61.160.207.240 port 34503 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user jack from 61.160.207.240
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user jack
Failed password for invalid user jack from 61.160.207.240 port 35282 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user jack from 61.160.207.240
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user john
Failed password for invalid user john from 61.160.207.240 port 39991 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user john from 61.160.207.240
input_userauth_request: invalid user john
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user roy
Failed password for invalid user roy from 61.160.207.240 port 43520 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user roy from 61.160.207.240
input_userauth_request: invalid user roy
input_userauth_request: invalid user source
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user source
Failed password for invalid user source from 61.160.207.240 port 45495 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user sales
Failed password for invalid user sales from 61.160.207.240 port 46570 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user sales from 61.160.207.240
input_userauth_request: invalid user sales
input_userauth_request: invalid user test
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user test
Failed password for invalid user test from 61.160.207.240 port 49939 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user tester from 61.160.207.240
input_userauth_request: invalid user tester
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user tester
Failed password for invalid user tester from 61.160.207.240 port 51042 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user testing from 61.160.207.240
input_userauth_request: invalid user testing
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user testing
Failed password for invalid user testing from 61.160.207.240 port 52126 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
Invalid user mysql from 61.160.207.240
input_userauth_request: invalid user mysql
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.160.207.240
pam_succeed_if(sshd:auth): error retrieving information about user mysql
Failed password for invalid user mysql from 61.160.207.240 port 53138 ssh2
Received disconnect from 61.160.207.240: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 46965 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47261 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47605 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 47927 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48289 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48585 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 48925 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49203 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49564 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=250fy4ouo.ni.net.tr user=root
Failed password for root from 94.102.5.250 port 49869 ssh2
Received disconnect from 94.102.5.250: 11: Bye Bye

翻了下/var/log/secure，发现来自江苏省常州市电信的61.160.207.240估计是个惯犯，而来自土耳其的94.102.5.250一直试图攻破root密码，还好我在sshd_config中将root远程登录关闭了。

今天登录查看日志后，立马又将root密码改复杂了，另外将远程登录的用户名和密码也改复杂了，又查了下vps开启的服务和端口，发现大部分都管闭了，只运行了一些必要的服务。之后又将系统更新到最新。

大家还有什么经验要分享的吗？

user

61.160

207.240

53 条回复 • 1970-01-01 08:00:00 +08:00

lhx2008

2013-07-08 08:52:47 +08:00

感觉没什么。最简单有效的解决方法就是密钥登录，或者密码设长一点等他慢慢来。

summic

2013-07-08 08:54:37 +08:00

每台机器的secure都会大量被扫，密钥登录或者fail2ban

juicy

2013-07-08 08:55:33 +08:00 via Android

猜密码这种能猜对的概率也太低了吧。。

fork3rt

2013-07-08 09:00:30 +08:00

估计是字典爆破,类似MS MSTSC爆破 .

wjchen

2013-07-08 09:14:12 +08:00

改成key登录，禁止密码登录，改端口就ok了。

vietor

2013-07-08 09:37:20 +08:00

太正常了，一般平均每天都有1000左右这样的扫描。设置一个没在字典里面的密码就行了。

liheng

2013-07-08 09:41:15 +08:00

1、使用密钥登录，禁止密码登录
2、禁止root 登录
3、更改ssh端口。

Numbcoder

2013-07-08 09:41:42 +08:00

我擦，刚刚看我 VPS log，貌似也是一直被暴力破解。

Jul 7 23:42:37 localhost sshd[27508]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.142.106.34 user=root
Jul 7 23:42:39 localhost sshd[27508]: Failed password for root from 61.142.106.34 port 47903 ssh2
Jul 7 23:42:39 localhost sshd[27508]: Received disconnect from 61.142.106.34: 11: Bye Bye [preauth]

csx163

2013-07-08 09:44:07 +08:00

撸主大惊小怪了

vibbow

2013-07-08 09:53:46 +08:00

端口扫描太正常了。
我在一台windows服务器上装了一个sshd，你就看每天一堆用root账户尝试登陆的（一点也不智能，看到Windows标记也不知道用Administrator...）

vibbow

2013-07-08 09:56:46 +08:00

随便来张日志截图
http://vsean.net/pic/di-9RKV.png

caoyue

2013-07-08 09:58:31 +08:00

grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | grep -v ";"

统计来源和次数

chenshaoju

2013-07-08 10:03:52 +08:00

这篇文章适合初学者，给你参考：
http://t.tt/104/

won

2013-07-08 10:13:50 +08:00

太正常了，也不是针对你为了什么特殊内容。这也就是批量找肉鸡的

ksc010

2013-07-08 10:17:12 +08:00

fail2ban

akira

2013-07-08 10:19:50 +08:00

习惯了就好

ivanlw

2013-07-08 10:26:28 +08:00

@chenshaoju 502？

zhttty

2013-07-08 10:53:33 +08:00

刚改了19位的密码...

BOYPT

2013-07-08 12:57:51 +08:00

改什么密码都没意义吧，去掉root的密码登录才正道。fail2ban，

Zhang

2013-07-08 13:07:29 +08:00

再长的密码也是明文传输，也会被截获

BOYPT

2013-07-08 13:22:59 +08:00

楼上亮了。

colorday

2013-07-08 13:23:13 +08:00

fail2ban+1

xunyu

2013-07-08 13:36:09 +08:00

在上面跑个虚拟机，做个蜜罐，看看这厮要怎样

chenshaoju

2013-07-08 13:50:29 +08:00

@ivanlw 挂了……

@Zhang SSH是加密的，除非你手动指定不加密（一般不允许）。

DreaMQ

2013-07-08 13:50:33 +08:00 via iPhone

禁用SSH，用VNC控制

Zhang

2013-07-08 13:53:52 +08:00

@chenshaoju 握手阶段还是明文

ooxxcc

2013-07-08 14:18:13 +08:00

denyhosts。。

chenshaoju

2013-07-08 14:44:38 +08:00

@Zhang 握手结束后才会传输认证信息，理论上能确认服务器的公钥正确的情况下，无需担心密码被第三方破译。

HiVPS

2013-07-08 14:45:02 +08:00

@juicy 你太忽视一些人爱用用“123abc”做密码的习惯了，并且他们觉得这个密码还不错哦

PrideChung

2013-07-08 15:21:19 +08:00

禁止root登陆 √
公钥验证登陆 √
修改SSH默认端口 √
fail2ban √
用ufw关闭所有不使用的端口号 √
自动安装安全更新 √
Logwatch每天日报 √

每天都有人来扫我的VPS，不过还没看见有什么威胁。

bearqq

2013-07-08 16:10:31 +08:00

让他攻击好了，给他个蜜罐，让他什么也得不到
比如：

RKTECH:~# w
00:33:54 up 5 days, 19:02, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.158.34.148 00:33 0.00s 0.00s 0.00s w
RKTECH:~# uname -a
Linux RKTECH 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
RKTECH:~# php -v
bash: php: command not found
RKTECH:~# cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
apicid : 0
initial apicid : 0
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4270.03
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
stepping : 6
cpu MHz : 2133.305
cache size : 6144 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
apicid : 1
initial apicid : 1
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc arch_perfmon pebs bts rep_good pni monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr sse4_1 lahf_lm
bogomips : 4266.61
clflush size : 64
cache_alignment : 64
address sizes : 36 bits physical, 48 bits virtual
power management:

RKTECH:~# ps x
PID TTY STAT TIME COMMAND
1 ? Ss 0:07 init [2]
2 ? S< 0:00 [kthreadd]
3 ? S< 0:00 [migration/0]
4 ? S< 0:00 [ksoftirqd/0]
5 ? S< 0:00 [watchdog/0]
6 ? S< 0:17 [events/0]
7 ? S< 0:00 [khelper]
39 ? S< 0:00 [kblockd/0]
41 ? S< 0:00 [kacpid]
42 ? S< 0:00 [kacpi_notify]
170 ? S< 0:00 [kseriod]
207 ? S 0:01 [pdflush]
208 ? S 0:00 [pdflush]
209 ? S< 0:00 [kswapd0]
210 ? S< 0:00 [aio/0]
748 ? S< 0:00 [ata/0]
749 ? S< 0:00 [ata_aux]
929 ? S< 0:00 [scsi_eh_0]
1014 ? D< 0:03 [kjournald]
1087 ? S<s 0:00 udevd --daemon
1553 ? S< 0:00 [kpsmoused]
2054 ? Sl 0:01 /usr/sbin/rsyslogd -c3
2103 tty1 Ss 0:00 /bin/login --
2105 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
2107 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
2109 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
2110 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
2112 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
2133 ? S<s 0:00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib
4969 ? Ss 0:00 /usr/sbin/sshd: root@pts/0
5673 pts/0 Ss 0:00 -bash
5679 pts/0 R+ 0:00 ps x
RKTECH:~# unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null
1 w
2 uname -a
3 php -v
4 cat /proc/cpuinfo
5 ps x
6 unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null
RKTECH:~#

andybest

2013-07-08 16:13:07 +08:00

有没有办法可以在日志里看到攻击者尝试登录的密码是什么？

swulling

2013-07-08 16:15:21 +08:00

@Zhang 握手阶段又不传密码

只能做中间人攻击，而中间人攻击会改变服务器的签名，客户端直接连不上的

chshouyu

2013-07-08 16:43:06 +08:00

@liheng 这样基本上就很安全了

annielong

2013-07-08 16:57:59 +08:00

都有，windows的也是经常有错误密码登陆的错误提示，

shierji

2013-07-08 17:16:39 +08:00

很正常我用的denyhosts

cicku

2013-07-08 18:13:36 +08:00

@andybest 没有的（曾经的我一样天真）

楼主用 @shierji 说的，基本就可以了。我的设置的是只要密码输入错了1次，就直接封禁永久。

还有，如果你的VPS没有重要数据，你可以使用密码登录，否则最好用证书登录。

我的服务器进去了是蜜罐，所以不在乎。禁用 root 登录，采用 sudo 提升权限维护服务器的方法是最好的，但是这全看你个人。

yangzh

2013-07-08 19:25:00 +08:00

@bearqq
@cicku

蜜罐这个高端啊，有什么好的架设介绍？比如说我有个放网站的 vps，怎样架设一个蜜罐上去？用一些开源软件？

bearqq

2013-07-08 21:30:50 +08:00

@yangzh 我用kippo

alexrezit

2013-07-08 22:23:01 +08:00 via iPhone

我 I 进来 came in 就是 just 为了 for 吐槽: VPS 的 S 就是服务器的意思.

janxin

2013-07-09 17:56:44 +08:00

建立信任关系，禁用SSH密码登陆

Showfom

2013-07-09 22:10:39 +08:00

@ivanlw 已经恢复

Showfom

2013-07-09 22:12:38 +08:00

@juicy 不，概率很高，要是不防护的话，一个10位的密码，没多少天就可以干掉

juicy

2013-07-09 23:40:19 +08:00

@Showfom 是嘛。。。有什么好的防护措施防止暴力破解么？

Showfom

2013-07-10 17:19:49 +08:00

@juicy 禁止密码登陆就是了。

juicy

2013-07-10 17:34:01 +08:00

@Showfom 私要似乎也就是几百位的密码，如果暴力破解私钥怎么防？

Showfom

2013-07-10 17:35:20 +08:00

@juicy 私匙再加个密码。。。

Showfom

2013-07-10 17:36:12 +08:00

@juicy 直接关了 SSH 外网连接，只限制成用内网连接，或者干脆用 KVM IPMI 之类的= =

ety001

2013-07-10 22:43:49 +08:00

撸主大惊小怪了

vibbow

2013-07-11 00:05:08 +08:00

@Showfom 这等于把密码安全性从SSH转移到了KVM，没有实际意义啊。

PrideChung

2013-07-11 01:35:22 +08:00

@juicy 用fail2ban解决暴力破解，你设定成登陆失败3次封锁该IP小时，按RSA的加密等级他得算上好久。

Showfom

2013-07-13 00:46:57 +08:00

@vibbow 那就用内网才能登陆 SSH 好了，或者指定 IP 才能登陆。。。安全性就变成 VPN 的了。

twd2

2013-07-13 02:05:23 +08:00

关闭ssh, 使用串口