@tex620

Someone is trying to break into my Ubuntu server, how do I protect it?

It produces a log like this:
Nov 14 16:23:07 RustServer sshd[11049]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=125.65.42.179  user=root
Nov 14 16:23:08 RustServer sshd[11051]: Failed password for root from 122.226.181.165 port 58750 ssh2
Nov 14 16:23:08 RustServer sshd[11051]: Received disconnect from 122.226.181.165 port 58750:11:  [preauth]
Nov 14 16:23:08 RustServer sshd[11051]: Disconnected from authenticating user root 122.226.181.165 port 58750 [preauth]
Nov 14 16:23:12 RustServer sshd[11053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:23:15 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:17 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:20 RustServer sshd[11053]: Failed password for root from 116.31.116.16 port 48970 ssh2
Nov 14 16:23:20 RustServer sshd[11053]: Received disconnect from 116.31.116.16 port 48970:11:  [preauth]
Nov 14 16:23:20 RustServer sshd[11053]: Disconnected from authenticating user root 116.31.116.16 port 48970 [preauth]
Nov 14 16:23:20 RustServer sshd[11053]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:11 RustServer sshd[11061]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:13 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:16 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:18 RustServer sshd[11061]: Failed password for root from 116.31.116.16 port 58214 ssh2
Nov 14 16:24:18 RustServer sshd[11061]: Received disconnect from 116.31.116.16 port 58214:11:  [preauth]
Nov 14 16:24:18 RustServer sshd[11061]: Disconnected from authenticating user root 116.31.116.16 port 58214 [preauth]
Nov 14 16:24:18 RustServer sshd[11061]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:24:48 RustServer sshd[11068]: Connection reset by 118.123.15.142 port 58158 [preauth]
Nov 14 16:25:07 RustServer sshd[11072]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:25:09 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:11 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:14 RustServer sshd[11072]: Failed password for root from 116.31.116.16 port 63844 ssh2
Nov 14 16:25:14 RustServer sshd[11072]: Received disconnect from 116.31.116.16 port 63844:11:  [preauth]
Nov 14 16:25:14 RustServer sshd[11072]: Disconnected from authenticating user root 116.31.116.16 port 63844 [preauth]
Nov 14 16:25:14 RustServer sshd[11072]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:26:02 RustServer sshd[11078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:26:04 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:06 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:09 RustServer sshd[11078]: Failed password for root from 116.31.116.16 port 16276 ssh2
Nov 14 16:26:09 RustServer sshd[11078]: Received disconnect from 116.31.116.16 port 16276:11:  [preauth]
Nov 14 16:26:09 RustServer sshd[11078]: Disconnected from authenticating user root 116.31.116.16 port 16276 [preauth]
Nov 14 16:26:09 RustServer sshd[11078]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:27:20 RustServer sshd[11087]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:27:22 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:24 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:27 RustServer sshd[11087]: Failed password for root from 116.31.116.16 port 45100 ssh2
Nov 14 16:27:27 RustServer sshd[11087]: Received disconnect from 116.31.116.16 port 45100:11:  [preauth]
Nov 14 16:27:27 RustServer sshd[11087]: Disconnected from authenticating user root 116.31.116.16 port 45100 [preauth]
Nov 14 16:27:27 RustServer sshd[11087]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:28:18 RustServer sshd[11093]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:28:20 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:23 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:26 RustServer sshd[11093]: Failed password for root from 116.31.116.16 port 50902 ssh2
Nov 14 16:28:26 RustServer sshd[11093]: Received disconnect from 116.31.116.16 port 50902:11:  [preauth]
Nov 14 16:28:26 RustServer sshd[11093]: Disconnected from authenticating user root 116.31.116.16 port 50902 [preauth]
Nov 14 16:28:26 RustServer sshd[11093]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:29:15 RustServer sshd[11100]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:29:17 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:20 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:22 RustServer sshd[11100]: Failed password for root from 116.31.116.16 port 57274 ssh2
Nov 14 16:29:23 RustServer sshd[11100]: Received disconnect from 116.31.116.16 port 57274:11:  [preauth]
Nov 14 16:29:23 RustServer sshd[11100]: Disconnected from authenticating user root 116.31.116.16 port 57274 [preauth]
Nov 14 16:29:23 RustServer sshd[11100]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:30:11 RustServer sshd[11112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Nov 14 16:30:13 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2
Nov 14 16:30:16 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2
Nov 14 16:30:19 RustServer sshd[11112]: Failed password for root from 116.31.116.16 port 63242 ssh2


and so on

How do I protect against this? This is not the first time it has happened.
What is ssh2, and why does it work on different ports?
Solutions to the question: 1
@mhthnz
PHP, YII2, Golang, Linux
1) Move the SSH server from the standard port to a different one; this will fend off most bots/scanners
2) Forbid the root user from logging in over SSH
3) Install Fail2Ban to block the IP addresses the brute-force attempts come from

P.S. The different ports are most likely the ports of the outgoing connection, which is why they differ; they all knock on the port that is specified in the sshd config
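The counting that a Fail2Ban-style blocker does over this log format, as an added example that is not part of the original answer and is not Fail2Ban's own code. The `maxretry` and `findtime` names mirror Fail2Ban's settings; their values, the `year` parameter and the sample lines are assumptions made for the example. `source_ports` shows the point of the P.S.: the port in each line belongs to the client side of the connection.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd format shown in the question; the addresses
# are reserved documentation ranges, not values from the page.
SAMPLE_LOG = """\
Nov 14 16:23:15 host sshd[201]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:23:17 host sshd[201]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:23:20 host sshd[201]: Failed password for root from 203.0.113.7 port 48970 ssh2
Nov 14 16:23:20 host sshd[201]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Nov 14 16:24:13 host sshd[202]: Failed password for root from 203.0.113.7 port 58214 ssh2
Nov 14 16:24:16 host sshd[202]: Failed password for root from 203.0.113.7 port 58214 ssh2
Nov 14 16:25:00 host sshd[203]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Nov 14 16:50:00 host sshd[204]: Failed password for root from 198.51.100.9 port 40022 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$",
    re.MULTILINE)

def failures(log_text, year=2024):
    """Yield (time, ip, source_port) per failed password; other lines are skipped."""
    for m in FAILED.finditer(log_text):
        # syslog timestamps carry no year, so `year` is an assumption
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], int(m["port"])

def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: time it reached maxretry failures within findtime seconds}."""
    window, recent, offenders = timedelta(seconds=findtime), defaultdict(deque), {}
    for ts, ip, _ in failures(log_text):
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:      # forget failures older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            offenders.setdefault(ip, ts)  # keep the first time the limit was hit
    return offenders

def source_ports(log_text):
    """Map ip -> client-side ports seen; none of them is the sshd listen port."""
    ports = defaultdict(set)
    for _, ip, port in failures(log_text):
        ports[ip].add(port)
    return dict(ports)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG), source_ports(SAMPLE_LOG))
```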
Answers to the question: 7
@etaliorum
Plato is my friend, but truth is not needed
The fail2ban utility will help. It would be a plus if you set up authentication by SSH keys.
The net is full of bots that connect as root, most often to port 22, and guess the password from a dictionary
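A check that the sshd_config changes advised in the answers above (non-default port, no root login, keys instead of passwords) actually took effect, as an added example that is not part of any answer. It relies on two documented sshd_config rules: for most keywords the first value obtained is used, and `Port` may be given several times. The sample configs and function names are constructed for the example; `Include` files and `Match` blocks are not resolved.

```python
# Constructed sshd_config: the hardening lines were appended after stock-style
# lines that already set the same keywords.
APPENDED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# hardening added at the end of the file
Port 2222
permitrootlogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""
HARDENED = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
# OpenSSH built-in defaults for the keywords checked here
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective(config_text):
    """Resolve global settings as sshd does: first value wins, Port accumulates."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # what follows is conditional, not a global setting
        if key == "port":
            ports.append(value)
        else:
            seen.setdefault(key, value)  # a later duplicate has no effect
    return {**DEFAULTS, **seen, "port": ports or ["22"]}

def audit(config_text):
    """Return findings against the answers' advice (empty list = all applied)."""
    eff, findings = effective(config_text), []
    if "22" in eff["port"]:
        findings.append("sshd still listens on port 22")
    if eff["permitrootlogin"] != "no":
        findings.append("root login not disabled: " + eff["permitrootlogin"])
    if eff["passwordauthentication"] != "no":
        findings.append("password authentication still enabled")
    return findings

if __name__ == "__main__":
    print(audit(APPENDED), audit(HARDENED))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved, including any included files.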
@xtress
Web-dev
In addition to Andrey's answer: set up "port knocking", for example with this software:
www.zeroflux.org/projects/knock
@metajiji
By the way, if the server is a VPS and iptables is not available, you can always use ip route blackhole. It is not hard to hook up to fail2ban.
@psyxodolby
Hmm. Will bots, if they are smart, give up on the server if certificate-based authentication is configured on it?