m*d (posts: 7658) | 1 The port is different every time. What kind of backdoor program is this?
root@debian:~# netstat |grep ssh
tcp 0 52 192.168.1.146:ssh PC:54877 ESTABLISHED
tcp 0 39 192.168.1.146:ssh 60.12.109.16:54023 ESTABLISHED
root@debian:~# netstat |grep ssh
tcp 0 52 192.168.1.146:ssh PC:54877 ESTABLISHED
tcp 0 0 192.168.1.146:ssh 60.12.109.16:54023 ESTABLISHED
root@debian:~# netstat |grep ssh
tcp 0 52 192.168.1.146:ssh PC:54877 ESTABLISHED
tcp 0 0 192.168.1.146:ssh 60.12.109.16:54709 ESTABLISHED
root@debian:~# netstat |grep ssh
tcp 0 0 192.168.1.146:ssh 60.12.109.16:40794 ESTABLISHED
tcp 0 52 192.168.1.146:ssh PC:54877 ESTABLISHED
m*d (posts: 7658) | 2 Turns out someone is trying passwords.
Nov 27 14:30:51 debian sshd[31165]: Failed password for invalid user download from 60.12.109.16 port 33426 ssh2
Nov 27 14:30:51 debian sshd[31165]: Received disconnect from 60.12.109.16: 11: Bye Bye [preauth]
Nov 27 14:30:52 debian sshd[31169]: warning: /etc/hosts.allow, line 13: missing ":" separator
Nov 27 14:30:53 debian sshd[31169]: Invalid user download from 60.12.109.16
Nov 27 14:30:53 debian sshd[31169]: input_userauth_request: invalid user download [preauth]
Nov 27 14:30:53 debian sshd[31169]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 14:30:53 debian sshd[31169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.12.109.16
Nov 27 14:30:56 debian sshd[31169]: Failed password for invalid user download from 60.12.109.16 port 34099 ssh2
Nov 27 14:30:56 debian sshd[31169]: Received disconnect from 60.12.109.16: 11: Bye Bye [preauth]
Nov 27 14:30:56 debian sshd[31179]: warning: /etc/hosts.allow, line 13: missing ":" separator
Nov 27 14:30:57 debian sshd[31179]: Invalid user download from 60.12.109.16
Nov 27 14:30:57 debian sshd[31179]: input_userauth_request: invalid user download [preauth]
Nov 27 14:30:57 debian sshd[31179]: pam_unix(sshd:auth): check pass; user unknown
Nov 27 14:30:57 debian sshd[31179]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.12.109.16
Nov 27 14:30:58 debian sshd[31183]: warning: /etc/hosts.allow, line 13: missing ":" separator
Nov 27 14:30:59 debian sshd[31179]: Failed password for invalid user download from 60.12.109.16 port 34842 ssh2
Nov 27 14:30:59 debian sshd[31179]: Received disconnect from 60.12.109.16: 11: Bye Bye [preauth]
Nov 27 14:30:59 debian sshd[31186]: warning: /etc/hosts.allow, line 13: missing ":" separator
Nov 27 14:31:00 debian sshd[31183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.172.73 user=root
[In reply to m*d's post above]
z*********e (posts: 10149) | 3 This IP is on my adblock list.
The address is in Zhejiang.
A bit odd.
[In reply to m*d's post above]
m*d (posts: 7658) | 4 I blocked it on the router with iptables:
iptables -A INPUT -s 60.12.109.16 -p tcp --destination-port 22 -j DROP
Why can I still see it on the Debian box?
[In reply to z*********e's post above]
j*a (posts: 14423) | 5 FORWARD chain, not INPUT chain.
[In reply to m*d's post above]
z*********e (posts: 10149) | 6 Try
iptables -A INPUT -s 60.12.109.16 -p tcp --dport ssh -j DROP
?
p***o (posts: 1252) | 7 Install fail2ban and let it block them automatically.
[In reply to m*d's post above]
F***Q (posts: 6599) | 8
These are zombies infected by backdoor programs, not an actual person.
Banning that IP is not helpful because you will soon find other IPs trying the same thing.
Make sure you disable remote root access by setting PermitRootLogin to no in sshd_config (of course, make your account a sudoer first), then
sudo /etc/init.d/sshd restart
You can also install tripwire to automatically disable intruders after failed passwords:
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps
[In reply to m*d's post above]
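As an added example (not code from anyone in this thread), here is the detection logic the posts above reason about: it parses auth.log lines in the format m*d posted in #2, applies a fail2ban-style maxretry/findtime window per source address (#7), flags sources that try root (the reason for PermitRootLogin no in #8), and renders the block rule from #6 for either the INPUT or the FORWARD chain (#5). The sample log is constructed from the posted lines; the threshold values and the year-less timestamp handling are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the auth.log excerpt posted above: hostname,
# PIDs, addresses and usernames are copied from it; the root attempt's "Failed password" line is added.
SAMPLE_LOG = """\
Nov 27 14:30:51 debian sshd[31165]: Failed password for invalid user download from 60.12.109.16 port 33426 ssh2
Nov 27 14:30:51 debian sshd[31165]: Received disconnect from 60.12.109.16: 11: Bye Bye [preauth]
Nov 27 14:30:53 debian sshd[31169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.12.109.16
Nov 27 14:30:56 debian sshd[31169]: Failed password for invalid user download from 60.12.109.16 port 34099 ssh2
Nov 27 14:30:59 debian sshd[31179]: Failed password for invalid user download from 60.12.109.16 port 34842 ssh2
Nov 27 14:31:00 debian sshd[31183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.229.172.73 user=root
Nov 27 14:31:02 debian sshd[31183]: Failed password for root from 221.229.172.73 port 40794 ssh2
"""

# "Failed password" is one line per attempt; the pam_unix line names the account only when it exists.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: pam_unix\(sshd:auth\): "
    r"authentication failure;.* rhost=(?P<ip>\S+)(?: user=(?P<user>\S+))?$")

def analyze(log_text, maxretry=3, findtime_s=600):
    """Per source IP: failure count, usernames tried, whether `maxretry` failures fell
    within `findtime_s` seconds (the fail2ban-style ban trigger), and root targeting."""
    times, users = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog stamps carry no year; parsing without one is fine for differences
            times[m["ip"]].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
            users[m["ip"]].add(m["user"])
            continue
        m = PAM_RE.match(line)
        if m and m["user"]:
            users[m["ip"]].add(m["user"])
    report = {}
    for ip in set(times) | set(users):
        t = sorted(times[ip])
        # sliding window: any maxretry consecutive failures within findtime_s seconds
        burst = any((t[i + maxretry - 1] - t[i]).total_seconds() <= findtime_s
                    for i in range(len(t) - maxretry + 1))
        report[ip] = {"failures": len(t), "users": users[ip], "ban": burst,
                      "root_targeted": "root" in users[ip]}
    return report

def drop_rule(ip, chain="INPUT"):
    """The block rule from the thread; INPUT protects the host itself, FORWARD on a router protects hosts behind it."""
    return f"iptables -A {chain} -s {ip} -p tcp --dport ssh -j DROP"
```

Running analyze(SAMPLE_LOG) flags 60.12.109.16 (three failures in eight seconds) and marks 221.229.172.73 as a root-targeting source that has not yet hit the threshold.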
z*********e (posts: 10149) | 9 You could also switch to SSH key-based auth; that should be very secure.
m*d (posts: 7658) | 10 Installed the ipset script, and now things are quiet.
https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset
[In reply to z*********e's post above]
c******n (posts: 16666) | 11 With this, plus fail2ban, plus unattended-upgrades to install security patches automatically, you basically don't have to do anything.
I don't even think ufw is really necessary.
[In reply to z*********e's post above]