摩托學園討論區

[訪客]

/var/log/auth.log
sshd[4933]: Illegal user test from 206.165.120.xx
像這樣的訊息有一堆

[phantom]

不太稀奇吧. 每天都會有很多這樣的 log.

Oct 19 03:15:14 host sshd[801]: Failed password for root from 211.232.135.176
port 47421 ssh2

沒辦法. 太多人整天閒著沒事做...

[damon]

用firewall來限制sshd這類的連線範圍是一定要的

[andrechen]

目前是採用 TCP Wrappers 來阻擋，修改

/etc/hosts.allow
/etc/hosts.deny

只允許特定 ip 可以用 ssh 進入

可以參考鳥哥的私房菜網頁
http://linux.vbird.org//linux_server/02 ... P_Wrappers

[脫線]

我的學校是有一堆IP是著要登入，試過的帳號有root、guest、www、anonymous......等等，據學校另一位資深電腦老師說，有可能是病毒要入侵，因為用的帳號都是這幾個。

校內還有一些XP的電腦，當我用偵測封包的程式時，會發現一直問
who has XXX.XXX.XXX.XXX?
然後還連號，只要有三台電腦這樣子一秒鐘大概會有100多個廣播封包塞在網路上。

因為用掃毒程式抓不到毒，所以問電腦廠商，廠商回答說：『中了木馬，因為沒有用微軟的更新，所以被入侵了。』

目前的解決方法是：『重灌』！！！

[訪客]

Oct 19 15:25:28 debian sshd[5560]: Illegal user patrick from 210.222.214.161
Oct 19 15:25:32 debian sshd[5562]: Illegal user patrick from 210.222.214.161
Oct 19 15:25:50 debian sshd[5574]: Illegal user rolo from 210.222.214.161
Oct 19 15:25:52 debian sshd[5576]: Illegal user iceuser from 210.222.214.161
Oct 19 15:25:55 debian sshd[5578]: Illegal user horde from 210.222.214.161
Oct 19 15:25:58 debian sshd[5580]: Illegal user cyrus from 210.222.214.161
Oct 19 15:26:01 debian sshd[5582]: Illegal user www from 210.222.214.161
Oct 19 15:26:04 debian sshd[5584]: Illegal user wwwrun from 210.222.214.161
Oct 19 15:26:07 debian sshd[5586]: Illegal user matt from 210.222.214.161
Oct 19 15:26:09 debian sshd[5588]: Illegal user test from 210.222.214.161
Oct 19 15:26:12 debian sshd[5590]: Illegal user test from 210.222.214.161
Oct 19 15:26:16 debian sshd[5592]: Illegal user test from 210.222.214.161
Oct 19 15:26:18 debian sshd[5594]: Illegal user test from 210.222.214.161
Oct 19 15:26:24 debian sshd[5598]: Illegal user mysql from 210.222.214.161
Oct 19 15:26:27 debian sshd[5600]: Illegal user operator from 210.222.214.161
Oct 19 15:26:30 debian sshd[5602]: Illegal user adm from 210.222.214.161
Oct 19 15:26:33 debian sshd[5604]: Illegal user apache from 210.222.214.161
Oct 19 15:26:43 debian sshd[5610]: Illegal user adm from 210.222.214.161
Oct 19 15:26:55 debian sshd[5618]: Illegal user jane from 210.222.214.161
Oct 19 15:26:57 debian sshd[5620]: Illegal user pamela from 210.222.214.161
Oct 19 15:27:17 debian sshd[5632]: Illegal user cosmin from 210.222.214.161
Oct 19 15:29:16 debian sshd[5706]: Illegal user cip52 from 210.222.214.161
Oct 19 15:29:19 debian sshd[5708]: Illegal user cip51 from 210.222.214.161
Oct 19 15:29:25 debian sshd[5712]: Illegal user noc from 210.222.214.161
Oct 19 15:29:40 debian sshd[5722]: Illegal user webmaster from 210.222.214.161
Oct 19 15:29:43 debian sshd[5724]: Illegal user data from 210.222.214.161
Oct 19 15:29:46 debian sshd[5726]: Illegal user user from 210.222.214.161
Oct 19 15:29:48 debian sshd[5728]: Illegal user user from 210.222.214.161
Oct 19 15:29:51 debian sshd[5730]: Illegal user user from 210.222.214.161
Oct 19 15:29:55 debian sshd[5732]: Illegal user web from 210.222.214.161
Oct 19 15:29:57 debian sshd[5734]: Illegal user web from 210.222.214.161
Oct 19 15:30:00 debian sshd[5736]: Illegal user oracle from 210.222.214.161
Oct 19 15:30:03 debian sshd[5738]: Illegal user sybase from 210.222.214.161
Oct 19 15:30:06 debian sshd[5740]: Illegal user master from 210.222.214.161
Oct 19 15:30:09 debian sshd[5742]: Illegal user account from 210.222.214.161
Oct 19 15:30:14 debian sshd[5746]: Illegal user server from 210.222.214.161
Oct 19 15:30:17 debian sshd[5748]: Illegal user adam from 210.222.214.161
Oct 19 15:30:20 debian sshd[5750]: Illegal user alan from 210.222.214.161
Oct 19 15:30:23 debian sshd[5752]: Illegal user frank from 210.222.214.161
Oct 19 15:30:26 debian sshd[5754]: Illegal user george from 210.222.214.161
Oct 19 15:30:28 debian sshd[5756]: Illegal user henry from 210.222.214.161
Oct 19 15:30:31 debian sshd[5758]: Illegal user john from 210.222.214.161
Oct 19 15:30:49 debian sshd[5770]: Illegal user test from 210.222.214.161

一次用這麼多帳號去掃,看來是用工具下去作的,也有可能是對方的機器中了目馬變成肉雞當跳板.

[阿信]

andrechen wrote:
目前是採用 TCP Wrappers 來阻擋，修改

/etc/hosts.allow
/etc/hosts.deny

只允許特定 ip 可以用 ssh 進入

可以參考鳥哥的私房菜網頁
http://linux.vbird.org//linux_server/02 ... P_Wrappers

也可以允許指定的帳號登入...

AllowUsers asho

[aprotoss]

我的也是一堆人在try，
最扯的是還有來自140.137.11.179的，
我連過去看，居然是"中央研究院資科所"的網站，
真不曉得是被人當跳板了，還是有人從那邊出來的...

Oct 20 11:34:43 hellojacky sshd[1139]: Failed password for illegal user john from 140.137.11.179 port 50647 ssh2
Oct 20 11:34:43 hellojacky sshd[1141]: Failed password for root from 140.137.11.179 port 50661 ssh2
Oct 20 11:34:44 hellojacky sshd[1143]: Failed password for root from 140.137.11.179 port 50669 ssh2
Oct 20 11:34:46 hellojacky sshd[1145]: Failed password for root from 140.137.11.179 port 50684 ssh2
Oct 20 11:34:47 hellojacky sshd[1147]: Failed password for root from 140.137.11.179 port 50700 ssh2
Oct 20 11:34:48 hellojacky sshd[1149]: Failed password for root from 140.137.11.179 port 50718 ssh2
Oct 20 11:34:48 hellojacky sshd[1151]: Failed password for illegal user test from 140.137.11.179 port 50725 ssh2

[脫線]

其實覺得很好玩的是：它掃描的port不是預設的22

企圖入侵本校機器的IP有：
151.97.6.254
211.72.141.74
207.164.126.103
66.130.102.250
218.234.208.2
203.121.16.19
163.21.48.121
212.78.150.64
61.100.12.154
211.115.72.142
69.24.173.170
196.14.192.162
61.57.26.106
163.24.239.20
24.157.156.237
210.99.250.246
66.119.160.125
63.211.183.68
66.111.55.130

對了!突然想知道那些IP的機器是啥系統，知道一下是專門攻擊那一種機器的。

[phantom]

是可以啦. 用 port scan.. 只是現在這樣做好像不是合法的...
不過如果它們被利用都不知道, 我想, 去 port scan 它們, 它們也不知道...

我以前會去測. 現在沒那麼閒.

[脫線]

測試系統需要用到post scan嗎？

我只是想知道這些是來自WIN? Linux? BSD?......等等而已。

[phantom]

是不需要到 port scan. 但是很多 port scan 的軟體都有含偵測 OS 的功能. 所以... 我應該說的是. 用 port scan 的軟體去偵測它的 OS, 而不用真的去 port scan 它.

[訪客]

我設定了 hosts.allow 限制允許 SSH 的來源後，反而在 /var/log/auth.log 中發現如下的訊息，看起來似乎沒有成功，可是想想總是怕怕的：

代碼: 選擇全部

Nov 18 18:27:31 localhost sshd[3894]: warning: /etc/hosts.allow, line 14:
can't verify hostname: getaddrinfo(umad.edu.mx, AF_INET) failed
Nov 18 18:27:32 localhost sshd[3894]: refused connect from
::ffff:148.244.79.145 (::ffff:148.244.79.145)

Nov 19 13:09:39 localhost sshd[4111]: warning: /etc/hosts.allow, line 14:
can't verify hostname: getaddrinfo(extremo_pool_93135-139.007mundo.com,
AF_INET) failed
Nov 19 13:09:39 localhost sshd[4111]: refused connect from
::ffff:200.93.135.139 (::ffff:200.93.135.139)


[andrechen]

設定 hosts.allow 後，還要設定 hosts.deny 阿，否則不完整喔

[訪客]

嗯，我有設定 hosts.deny （sshd: ALL），不過仍有上述的訊息。