[Network Management] Linux gateway server is under attack, please help, what should I do? Waiting online!

#1 | Posted 2007-04-18 09:31
My Linux gateway server is under attack. The detailed logs are as follows:
more /var/log/secure
Apr 16 15:43:09 DnProxy sshd[4328]: Failed password for admin from 202.103.178.178 port 36557 ssh2
Apr 16 15:43:12 DnProxy sshd[4330]: Failed password for admin from 202.103.178.178 port 37569 ssh2
Apr 16 15:43:15 DnProxy sshd[4332]: Failed password for admin from 202.103.178.178 port 38657 ssh2
Apr 16 15:43:18 DnProxy sshd[4334]: Failed password for admin from 202.103.178.178 port 39029 ssh2
Apr 16 15:43:20 DnProxy sshd[4336]: Failed password for admin from 202.103.178.178 port 40047 ssh2
Apr 16 15:43:23 DnProxy sshd[4338]: Failed password for admin from 202.103.178.178 port 41306 ssh2
Apr 16 15:43:26 DnProxy sshd[4340]: Failed password for admin from 202.103.178.178 port 41706 ssh2
Apr 16 15:43:28 DnProxy sshd[4342]: Failed password for admin from 202.103.178.178 port 42905 ssh2
Apr 16 15:43:31 DnProxy sshd[4344]: Failed password for admin from 202.103.178.178 port 44246 ssh2
Apr 16 15:43:34 DnProxy sshd[4346]: Failed password for admin from 202.103.178.178 port 44644 ssh2
Apr 16 15:47:52 DnProxy sshd[4522]: Failed password for illegal user test from 202.103.178.178 port 49993 ssh2
Apr 16 15:47:53 DnProxy sshd[4524]: Illegal user test from 202.103.178.178
Apr 16 15:47:55 DnProxy sshd[4524]: Failed password for illegal user test from 202.103.178.178 port 50998 ssh2
Apr 16 15:47:55 DnProxy sshd[4526]: Illegal user test from 202.103.178.178
Apr 16 15:47:58 DnProxy sshd[4526]: Failed password for illegal user test from 202.103.178.178 port 52359 ssh2
Apr 16 15:47:58 DnProxy sshd[4528]: Illegal user test from 202.103.178.178
Apr 16 15:48:00 DnProxy sshd[4528]: Failed password for illegal user test from 202.103.178.178 port 52737 ssh2
Apr 16 15:48:01 DnProxy sshd[4530]: Illegal user test from 202.103.178.178
Apr 16 15:52:14 DnProxy sshd[4720]: Illegal user alias from 202.103.178.178
Apr 16 15:52:16 DnProxy sshd[4720]: Failed password for illegal user alias from 202.103.178.178 port 48631 ssh2
Apr 16 15:52:17 DnProxy sshd[4722]: Illegal user alias from 202.103.178.178
Apr 16 15:52:19 DnProxy sshd[4722]: Failed password for illegal user alias from 202.103.178.178 port 48924 ssh2
Apr 16 15:52:19 DnProxy sshd[4724]: Illegal user alumni from 202.103.178.178
Apr 16 15:52:22 DnProxy sshd[4724]: Failed password for illegal user alumni from 202.103.178.178 port 49987 ssh2
Apr 16 15:52:22 DnProxy sshd[4726]: Illegal user alumni from 202.103.178.178
Apr 16 15:52:24 DnProxy sshd[4726]: Failed password for illegal user alumni from 202.103.178.178 port 51077 ssh2
Apr 16 15:52:27 DnProxy sshd[4728]: Failed password for apache from 202.103.178.178 port 51378 ssh2
Apr 16 15:52:30 DnProxy sshd[4730]: Failed password for apache from 202.103.178.178 port 52479 ssh2
Apr 16 15:52:41 DnProxy sshd[4740]: Illegal user apache2 from 202.103.178.178
Apr 16 15:52:43 DnProxy sshd[4740]: Failed password for illegal user apache2 from 202.103.178.178 port 56417 ssh2
Apr 16 15:52:44 DnProxy sshd[4742]: Illegal user backup from 202.103.178.178
Apr 16 15:52:46 DnProxy sshd[4742]: Failed password for illegal user backup from 202.103.178.178 port 57509 ssh2
Apr 16 15:52:46 DnProxy sshd[4744]: Illegal user backup from 202.103.178.178
Apr 16 15:52:49 DnProxy sshd[4744]: Failed password for illegal user backup from 202.103.178.178 port 58605 ssh2
Apr 16 15:52:51 DnProxy sshd[4746]: Failed password for bin from 202.103.178.178 port 58900 ssh2
Apr 16 15:52:54 DnProxy sshd[4748]: Failed password for bin from 202.103.178.178 port 59989 ssh2
Apr 16 15:52:54 DnProxy sshd[4750]: Illegal user bind from 202.103.178.178
Apr 16 15:52:57 DnProxy sshd[4750]: Failed password for illegal user bind from 202.103.178.178 port 32851 ssh2
Apr 16 15:52:57 DnProxy sshd[4752]: Illegal user bind from 202.103.178.178
Apr 16 15:52:59 DnProxy sshd[4752]: Failed password for illegal user bind from 202.103.178.178 port 33138 ssh2
Apr 16 15:53:32 DnProxy sshd[4778]: Illegal user cvs from 202.103.178.178
Apr 16 15:53:34 DnProxy sshd[4778]: Failed password for illegal user cvs from 202.103.178.178 port 44148 ssh2
Apr 16 15:53:35 DnProxy sshd[4780]: Illegal user cvs from 202.103.178.178
Apr 16 15:53:37 DnProxy sshd[4780]: Failed password for illegal user cvs from 202.103.178.178 port 45248 ssh2
Apr 16 15:53:37 DnProxy sshd[4782]: Illegal user cvsuser from 202.103.178.178
Apr 16 15:53:40 DnProxy sshd[4782]: Failed password for illegal user cvsuser from 202.103.178.178 port 45544 ssh2
Apr 16 15:53:40 DnProxy sshd[4784]: Illegal user cvsuser from 202.103.178.178
Apr 16 15:53:42 DnProxy sshd[4784]: Failed password for illegal user cvsuser from 202.103.178.178 port 46638 ssh2
Apr 16 15:53:45 DnProxy sshd[4786]: Failed password for daemon from 202.103.178.178 port 47717 ssh2
Apr 16 15:53:48 DnProxy sshd[4788]: Failed password for daemon from 202.103.178.178 port 48006 ssh2
Apr 16 15:53:48 DnProxy sshd[4790]: Illegal user dbadmin from 202.103.178.178
Apr 16 15:53:50 DnProxy sshd[4790]: Failed password for illegal user dbadmin from 202.103.178.178 port 49099 ssh2
Apr 16 15:53:51 DnProxy sshd[4792]: Illegal user dbadmin from 202.103.178.178
Apr 16 15:53:53 DnProxy sshd[4792]: Failed password for illegal user dbadmin from 202.103.178.178 port 50191 ssh2
Apr 17 16:14:41 DnProxy sshd[3111]: Failed password for root from 202.105.176.23 port 35704 ssh2
Apr 17 16:14:44 DnProxy sshd[3113]: Failed password for root from 202.105.176.23 port 36158 ssh2
Apr 17 16:14:46 DnProxy sshd[3115]: Failed password for root from 202.105.176.23 port 36607 ssh2
Apr 17 16:14:49 DnProxy sshd[3117]: Failed password for root from 202.105.176.23 port 37040 ssh2
Apr 17 16:14:52 DnProxy sshd[3119]: Failed password for root from 202.105.176.23 port 37484 ssh2
Apr 17 16:14:54 DnProxy sshd[3121]: Failed password for root from 202.105.176.23 port 37958 ssh2
Apr 17 16:14:57 DnProxy sshd[3123]: Failed password for root from 202.105.176.23 port 38392 ssh2
Apr 17 16:15:00 DnProxy sshd[3125]: Failed password for root from 202.105.176.23 port 38857 ssh2
Apr 17 16:15:00 DnProxy sshd[3127]: Illegal user james from 202.105.176.23
Apr 17 16:15:02 DnProxy sshd[3127]: Failed password for illegal user james from 202.105.176.23 port 39305 ssh2
Apr 17 16:15:03 DnProxy sshd[3129]: Illegal user cvs from 202.105.176.23
Apr 17 16:15:05 DnProxy sshd[3129]: Failed password for illegal user cvs from 202.105.176.23 port 39784 ssh2
Apr 17 16:15:05 DnProxy sshd[3131]: Illegal user tony from 202.105.176.23
Apr 17 16:15:08 DnProxy sshd[3131]: Failed password for illegal user tony from 202.105.176.23 port 40288 ssh2
Apr 17 16:15:08 DnProxy sshd[3133]: Illegal user print from 202.105.176.23
Apr 17 16:15:10 DnProxy sshd[3133]: Failed password for illegal user print from 202.105.176.23 port 40745 ssh2
Apr 17 16:15:11 DnProxy sshd[3135]: Illegal user bill from 202.105.176.23
Apr 17 16:15:13 DnProxy sshd[3135]: Failed password for illegal user bill from 202.105.176.23 port 41250 ssh2
Apr 17 16:15:13 DnProxy sshd[3137]: Illegal user maggie from 202.105.176.23
Apr 17 16:15:16 DnProxy sshd[3137]: Failed password for illegal user maggie from 202.105.176.23 port 41728 ssh2
Apr 17 16:15:16 DnProxy sshd[3139]: Illegal user info from 202.105.176.23
Apr 17 16:15:19 DnProxy sshd[3139]: Failed password for illegal user info from 202.105.176.23 port 42222 ssh2
Apr 17 16:15:21 DnProxy sshd[3141]: Failed password for ftp from 202.105.176.23 port 42737 ssh2
Apr 17 16:15:22 DnProxy sshd[3143]: Illegal user httpd from 202.105.176.23
Apr 17 16:15:24 DnProxy sshd[3143]: Failed password for illegal user httpd from 202.105.176.23 port 43246 ssh2

#2 | Posted 2007-04-18 09:32
more /var/log/messages
Apr 16 15:13:35 DnProxy sshd(pam_unix)[3062]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root
Apr 16 15:13:39 DnProxy sshd(pam_unix)[3064]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root
Apr 16 15:13:44 DnProxy sshd(pam_unix)[3066]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root
Apr 16 15:13:47 DnProxy sshd(pam_unix)[3068]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root
Apr 16 15:13:50 DnProxy sshd(pam_unix)[3070]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root
Apr 16 15:13:53 DnProxy sshd(pam_unix)[3072]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.103.178.178  user=root

#3 | Posted 2007-04-18 09:39
It's nothing! Attacks like this are very common. Have you configured your firewall?

#4 | Posted 2007-04-18 09:48
Then where did these illegal users come from?
cvs   james   illegal user bill   and so on

#5 | Posted 2007-04-18 10:07
There are so many of these records. It's driving me crazy.

#6 | Posted 2007-04-18 10:11
Just restrict connections to port 22.

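#7 | Posted 2007-04-18 11:08
Nothing strange about it; I get these every day here. Because your host is directly exposed on the Internet, it will inevitably be scanned by all sorts of means. As long as the firewall is configured properly, you'll be fine.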

#8 | Posted 2007-04-18 13:00
Is it really fine to be attacked like this every day?

#9 | Posted 2007-04-18 15:06
Originally posted by zhbl on 2007-4-18 13:00 (post #8):
Is it really fine to be attacked like this every day?

If there are no restrictions at all, and the usernames and passwords are weak enough, the machine will be broken into before long.

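#10 | Posted 2007-04-18 15:35
Originally posted by zhbl on 2007-4-18 13:00 (post #8):
Is it really fine to be attacked like this every day?

Of course it matters. Someone is using a dictionary to crack your machine's passwords.
Suggestions:
1. Change the SSH service port.
2. Disable direct root login.
3. Configure iptables to block this IP.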
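
An added example, not code from any poster in this thread: a Python parser for the "Failed password" lines in the /var/log/secure excerpt from post #1. It counts failures per source address, separates guesses at accounts that exist from guesses at nonexistent ones, and prints an iptables rule of the kind suggestion 3 describes. The function names, the threshold of 5 and the choice of sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# sshd "Failed password" lines as they appear in the /var/log/secure excerpt.
# The user field is matched greedily and the pattern is anchored at end of
# line, so the address is always the one sshd appended last, never text that
# arrived inside the attempted username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<bad>(?:illegal|invalid) user )?"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)

def summarize(lines):
    """Group failed SSH password attempts by source address."""
    stats = defaultdict(lambda: {"failures": 0, "existing": set(), "nonexistent": set()})
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # e.g. the "Illegal user ..." notice that precedes a failure
        entry = stats[m.group("ip")]
        entry["failures"] += 1
        entry["nonexistent" if m.group("bad") else "existing"].add(m.group("user"))
    return dict(stats)

def block_rules(stats, threshold=5, port=22):
    """iptables commands for sources with at least `threshold` failures."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip, s in sorted(stats.items()) if s["failures"] >= threshold]

# Sample input: lines taken from the log excerpt in the first post.
SAMPLE = """\
Apr 16 15:43:09 DnProxy sshd[4328]: Failed password for admin from 202.103.178.178 port 36557 ssh2
Apr 16 15:43:12 DnProxy sshd[4330]: Failed password for admin from 202.103.178.178 port 37569 ssh2
Apr 16 15:47:53 DnProxy sshd[4524]: Illegal user test from 202.103.178.178
Apr 16 15:47:55 DnProxy sshd[4524]: Failed password for illegal user test from 202.103.178.178 port 50998 ssh2
Apr 16 15:52:27 DnProxy sshd[4728]: Failed password for apache from 202.103.178.178 port 51378 ssh2
Apr 16 15:52:46 DnProxy sshd[4742]: Failed password for illegal user backup from 202.103.178.178 port 57509 ssh2
Apr 17 16:14:41 DnProxy sshd[3111]: Failed password for root from 202.105.176.23 port 35704 ssh2
Apr 17 16:14:44 DnProxy sshd[3113]: Failed password for root from 202.105.176.23 port 36158 ssh2
Apr 17 16:15:02 DnProxy sshd[3127]: Failed password for illegal user james from 202.105.176.23 port 39305 ssh2
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip, s in sorted(stats.items()):
        print(ip, s["failures"], sorted(s["existing"]), sorted(s["nonexistent"]))
    print("\n".join(block_rules(stats)))
```

Names that appear without the "illegal user" prefix (admin, apache, root) are accounts that exist on the gateway, so those are the ones whose passwords the guessing can actually hit. If the SSH port is changed as in suggestion 1, pass the new port to `block_rules`.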