论坛徽章:: 1

电梯直达

1楼 [收藏(0)] [报告]

发表于 2009-11-04 19:06 |只看该作者 |倒序浏览

操作系统：suse linux 10
unicommas:~ # cat /etc/issue

Welcome to SUSE Linux Enterprise Server 10 (x86_64) - Kernel \r (\l).
最近发现系统一直在被扫描，截取/var/log/messages日志。
Nov  4 18:46:18 unicommas sshd[20111]: error: PAM: User not known to the underlying authentication module for illegal user colleen from 80.55.130.2
Nov  4 18:46:18 unicommas sshd[20111]: Failed keyboard-interactive/pam for invalid user colleen from 80.55.130.2 port 3480 ssh2
Nov  4 18:46:51 unicommas sshd[20134]: Invalid user comercial from 200.252.244.203
Nov  4 18:46:51 unicommas sshd[20134]: error: PAM: User not known to the underlying authentication module for illegal user comercial from 200.252.244.203
Nov  4 18:46:51 unicommas sshd[20134]: Failed keyboard-interactive/pam for invalid user comercial from 200.252.244.203 port 34725 ssh2
Nov  4 18:47:15 unicommas sshd[20155]: Invalid user common from 201.232.56.63
Nov  4 18:47:15 unicommas sshd[20155]: error: PAM: User not known to the underlying authentication module for illegal user common from 201.232.56.63
Nov  4 18:47:15 unicommas sshd[20155]: Failed keyboard-interactive/pam for invalid user common from 201.232.56.63 port 3977 ssh2
Nov  4 18:47:36 unicommas sshd[20170]: Invalid user compras from 194.79.70.206
Nov  4 18:47:36 unicommas sshd[20170]: error: PAM: User not known to the underlying authentication module for illegal user compras from 194.79.70.206
Nov  4 18:47:36 unicommas sshd[20170]: Failed keyboard-interactive/pam for invalid user compras from 194.79.70.206 port 63830 ssh2
Nov  4 18:48:08 unicommas sshd[20191]: Invalid user comunica from 82.90.157.218
Nov  4 18:48:08 unicommas sshd[20191]: error: PAM: User not known to the underlying authentication module for illegal user comunica from 82.90.157.218
Nov  4 18:48:08 unicommas sshd[20191]: Failed keyboard-interactive/pam for invalid user comunica from 82.90.157.218 port 4505 ssh2
Nov  4 18:48:13 unicommas sshd[20194]: Invalid user condor from 80.153.75.232
Nov  4 18:48:14 unicommas sshd[20194]: error: PAM: User not known to the underlying authentication module for illegal user condor from 80.153.75.232
Nov  4 18:48:14 unicommas sshd[20194]: Failed keyboard-interactive/pam for invalid user condor from 80.153.75.232 port 58278 ssh2
Nov  4 18:49:06 unicommas sshd[20227]: Invalid user confixx from 83.3.138.122
Nov  4 18:49:07 unicommas sshd[20227]: error: PAM: User not known to the underlying authentication module for illegal user confixx from 83.3.138.122
Nov  4 18:49:07 unicommas sshd[20227]: Failed keyboard-interactive/pam for invalid user confixx from 83.3.138.122 port 33995 ssh2
Nov  4 18:49:11 unicommas sshd[20237]: Invalid user connie from 91.189.113.196
Nov  4 18:49:11 unicommas sshd[20237]: error: PAM: User not known to the underlying authentication module for illegal user connie from 91.189.113.196
Nov  4 18:49:11 unicommas sshd[20237]: Failed keyboard-interactive/pam for invalid user connie from 91.189.113.196 port 40523 ssh2
查看了一下日志中的ip，有的是美国的，有的是罗马尼亚的，有的是内地的，很多国家的，另外查看了其它messages的备份
unicommas:/var/log # ls -ltr messages*
-rw-r----- 1 root root  374227 Jun 12 14:45 messages-20090612.bz2
-rw-r----- 1 root root  323330 Jul  2 14:45 messages-20090702.bz2
-rw-r----- 1 root root  360121 Jul 13 14:45 messages-20090713.bz2
-rw-r----- 1 root root  400743 Jul 27 14:45 messages-20090727.bz2
-rw-r----- 1 root root  302029 Aug 14 14:45 messages-20090814.bz2
-rw-r----- 1 root root  319920 Sep  2 14:45 messages-20090902.bz2
-rw-r----- 1 root root  265131 Sep 10 14:45 messages-20090910.bz2
-rw-r----- 1 root root  256436 Sep 20 14:45 messages-20090920.bz2
-rw-r----- 1 root root  319744 Oct  8 14:45 messages-20091008.bz2
-rw-r----- 1 root root 4282809 Oct 26 14:45 messages-20091026
-rw-r----- 1 root root  410175 Nov  4 14:45 messages-20091104.bz2
发现messages-20091026也有被扫描的记录。
观察了一下messages日志，发现其中的ip是不断变化的，起初我认为是肉鸡，但是觉得肉鸡也太多了吧，是不是有这么一种扫描工具可以隐藏自身的真实ip，然后通过不断变化的虚假的ip来逃避ssh登陆失败次数限制？本人菜鸟，求教各位大虾。

文库|博客

chenyx

版主

论坛徽章:: 381

2楼 [报告]

发表于 2009-11-04 20:48 |只看该作者

ssh改端口,去掉密码认证,改用key认证

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

woshiyiziyuma

白手起家

论坛徽章:: 1

3楼 [报告]

发表于 2009-11-04 22:15 |只看该作者

原帖由 chenyx 于 2009-11-4 20:48 发表
ssh改端口,去掉密码认证,改用key认证

谢谢chenyx，但是我现在不想去做防护措施，今天在cu中已经搜索了80多页的帖子，看了很多关于入侵以及怎样防护的帖子。我想问的是我说的那款扫描工具。补充一个问题：能不能找出真实攻击者的ip呢？通过tcpdump找mac地址？虽然我看网上说数据传输走的是tcp协议，不大可能查处攻击者的mac地址，除非是同一网段的mac地址。