- Subject: Is this an attack?
Looking at the systemd-journal logs today, I see sshd restarting over and over. Is this an attack?
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
Apr 05 22:05:07 xxxxxxxxx CRON[27238]: (CRON) info (No MTA installed, discarding output)
Apr 05 22:05:07 xxxxxxxxx CRON[27238]: pam_unix(cron:session): session closed for user root
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Received disconnect from 68.183.10.8 port 51926:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Disconnected from authenticating user postgres 68.183.10.8 port 51926 [preauth]
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopping OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[26242]: Received signal 15; terminating.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopped OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Starting OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Server listening on 0.0.0.0 port 22.
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Server listening on :: port 22.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Started OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopping OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Received signal 15; terminating.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopped OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Starting OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27662]: Server listening on 0.0.0.0 port 22.
Apr 05 22:07:11 xxxxxxxxx sshd[27662]: Server listening on :: port 22.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Started OpenBSD Secure Shell server.
--
FROM 112.47.122.*
1. I've never seen a log message like "thank you for playing" before.
2. The "stopping" looks like a manual shutdown.
【 hgoldfish (老鱼) wrote: 】
: Looking at the systemd-journal logs today, I see sshd restarting over and over. Is this an attack?
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
: ...................
--
FROM 113.89.11.*
Signal 15 is SIGTERM, so it received a kill from outside; it doesn't look like a program crash.
The PIDs are also odd: a new process's PID should keep increasing, not bounce back and forth between two PIDs.
【 hgoldfish (老鱼) wrote: 】
: Looking at the systemd-journal logs today, I see sshd restarting over and over. Is this an attack?
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
: ...................
--
Edited: ArchLinux FROM 103.90.178.*
FROM 103.90.178.*
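The two questions raised in the first and third posts (who is hammering the pre-auth stage, and whether the restarts were crashes or external terminations) can be answered from the quoted journal alone. The following is an added example, not code from anyone in the thread: it parses the posted lines (reproduced here as constructed input, hostname masked as posted), counts pre-auth disconnects per source address and attempted username, and pairs each `Received signal 15` with the systemd `Stopping`/`Stopped` lines around it so that an orderly stop can be told apart from a crash. The listener PIDs are returned in the order they came up so the PID progression can be checked directly.

```python
import re
from collections import Counter

# Constructed input: the journal excerpt quoted in the original post.
SAMPLE_JOURNAL = """\
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
Apr 05 22:05:07 xxxxxxxxx CRON[27238]: (CRON) info (No MTA installed, discarding output)
Apr 05 22:05:07 xxxxxxxxx CRON[27238]: pam_unix(cron:session): session closed for user root
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Received disconnect from 68.183.10.8 port 51926:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Disconnected from authenticating user postgres 68.183.10.8 port 51926 [preauth]
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopping OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[26242]: Received signal 15; terminating.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopped OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Starting OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Server listening on 0.0.0.0 port 22.
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Server listening on :: port 22.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Started OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopping OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27643]: Received signal 15; terminating.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Stopped OpenBSD Secure Shell server.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Starting OpenBSD Secure Shell server...
Apr 05 22:07:11 xxxxxxxxx sshd[27662]: Server listening on 0.0.0.0 port 22.
Apr 05 22:07:11 xxxxxxxxx sshd[27662]: Server listening on :: port 22.
Apr 05 22:07:11 xxxxxxxxx systemd[1]: Started OpenBSD Secure Shell server.
"""

# syslog-style journal line: "<timestamp> <host> <unit>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# sshd's record of a client that went away before finishing authentication
PREAUTH_RE = re.compile(r"^Disconnected from authenticating user (?P<user>\S+) "
                        r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ \[preauth\]$")
SIGNAL_RE = re.compile(r"^Received signal (?P<sig>\d+); terminating\.$")
LISTEN_RE = re.compile(r"^Server listening on \S+ port \d+\.$")


def parse_journal(text):
    """Turn journal text into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


def preauth_disconnects(events):
    """Count pre-auth disconnects per (source IP, attempted user): the trail left by scanners."""
    counts = Counter()
    for ev in events:
        if ev["unit"] == "sshd":
            m = PREAUTH_RE.match(ev["msg"])
            if m:
                counts[(m["ip"], m["user"])] += 1
    return counts


def restart_analysis(events):
    """For each sshd exit record PID, signal number and whether systemd was in the
    middle of 'Stopping' the unit (an orderly stop); also list listener PIDs in order."""
    stopping, exits, listeners = False, [], []
    for ev in events:
        msg = ev["msg"]
        if ev["unit"] == "systemd":
            if msg.startswith("Stopping OpenBSD Secure Shell server"):
                stopping = True
            elif msg.startswith("Stopped OpenBSD Secure Shell server"):
                stopping = False
        elif ev["unit"] == "sshd":
            sig = SIGNAL_RE.match(msg)
            if sig:
                exits.append({"pid": ev["pid"], "signal": int(sig["sig"]),
                              "systemd_stop": stopping})
            elif LISTEN_RE.match(msg) and ev["pid"] not in listeners:
                listeners.append(ev["pid"])
    return {"exits": exits, "listeners": listeners}


def triage(text):
    events = parse_journal(text)
    scan = preauth_disconnects(events)
    restarts = restart_analysis(events)
    # SIGTERM (15) delivered while systemd reports 'Stopping' means the unit was
    # stopped or restarted deliberately (systemctl, a package upgrade, a config
    # management run). A crash would show a different signal and no 'Stopping' line.
    orderly = all(e["signal"] == 15 and e["systemd_stop"] for e in restarts["exits"])
    return {"scanner_ips": sorted({ip for ip, _ in scan}),
            "preauth_by_ip_user": dict(scan),
            "sshd_exits": restarts["exits"],
            "listener_pids": restarts["listeners"],
            "all_exits_orderly": orderly}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_JOURNAL))
```

On the posted excerpt this reports one source address cycling the `postgres` account, two sshd exits both on SIGTERM and both inside a systemd stop, and listener PIDs 27643 then 27662. Disconnect reason code 11 in the `Received disconnect` line is SSH_DISCONNECT_BY_APPLICATION from RFC 4253, i.e. the client chose to hang up after probing; the free-text part is whatever string the client sent. To confirm who requested the stop, `journalctl -u ssh` around 22:07:11 together with the shell history, `apt`/`dpkg` logs or the audit log for that minute is the next place to look.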
@hgoldfish Hello, today I couldn't connect from the office to my armbian box at home; afterwards I found auth.log was also full of lines like
Normal Shutdown, Thank you for playing [preauth]
Searching the web, I came across this thread of yours.
I had changed the default ssh port, but the scanners still found it. Luckily password login is disabled, so they didn't get in; they just knocked the ssh service over.
I installed fail2ban right away; it detects and bans IPs that fail with wrong passwords, but it won't ban IPs that fail public-key auth.
How did you end up solving it?
【 hgoldfish wrote: 】
:
: Looking at the systemd-journal logs today, I see sshd restarting over and over. Is this an attack?
:
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
: Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
#Sent from zSMTH@RMX2205
--
FROM 221.197.234.*
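The post above notes that fail2ban banned wrong-password sources but not sources that failed public-key auth. With password login disabled, the lines sshd does emit for those attempts are the `Disconnected from authenticating user ... [preauth]` and `Connection closed by authenticating user ... [preauth]` records, so a filter has to match those. The following is an added example, not fail2ban's shipped sshd filter and not code from the thread: it writes the two candidate patterns in fail2ban's failregex syntax (with the `<HOST>` placeholder fail2ban expands to the address it will ban), expands them the way a filter would, runs them over constructed auth.log lines (the scanner lines quoted in the thread plus two benign lines for a legitimate key user on the documentation address 192.0.2.10), and applies a `maxretry` threshold and an `ignoreip` list. The `<HOST>` expansion is a simplified stand-in for fail2ban's own.

```python
import re
from collections import Counter

# Candidate failregex patterns in fail2ban filter syntax (assumed custom patterns for
# this thread, not the shipped sshd filter). Each failed attempt yields exactly one
# such line, so one match == one attempt; the 'Received disconnect' line for the same
# attempt is deliberately not matched, or every attempt would be counted twice.
FAILREGEX = [
    r"Disconnected from authenticating user \S+ <HOST> port \d+ \[preauth\]$",
    r"Connection closed by authenticating user \S+ <HOST> port \d+ \[preauth\]$",
]

# Constructed sample: scanner lines quoted in the thread plus two benign lines from a
# legitimate key-based user (192.0.2.10 is a documentation address, fingerprint made up).
SAMPLE_AUTH_LOG = """\
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Received disconnect from 68.183.10.8 port 50736:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:05:04 xxxxxxxxx sshd[27233]: Disconnected from authenticating user postgres 68.183.10.8 port 50736 [preauth]
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Received disconnect from 68.183.10.8 port 51926:11: Normal Shutdown, Thank you for playing [preauth]
Apr 05 22:06:31 xxxxxxxxx sshd[27490]: Disconnected from authenticating user postgres 68.183.10.8 port 51926 [preauth]
Apr 05 22:06:40 xxxxxxxxx sshd[27501]: Connection closed by authenticating user root 68.183.10.8 port 52010 [preauth]
Apr 05 22:08:02 xxxxxxxxx sshd[27700]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Apr 05 22:30:15 xxxxxxxxx sshd[27700]: Disconnected from user alice 192.0.2.10 port 40022
"""

# Simplified stand-in for fail2ban's <HOST> expansion: IPv4 or bare IPv6.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:]+)"


def compile_failregex(pattern):
    """Expand <HOST> into a named group so the matched address can be extracted."""
    return re.compile(pattern.replace("<HOST>", HOST_PATTERN))


def scan_log(text, patterns=FAILREGEX):
    """Count failregex hits per host. search() is used so the syslog prefix
    (timestamp, hostname, 'sshd[pid]:') does not have to be modelled here."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = Counter()
    for line in text.splitlines():
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m["host"]] += 1
                break  # one attempt, one count
    return hits


def hosts_to_ban(hits, maxretry=3, ignoreip=()):
    """Apply the jail policy: ban hosts at or above maxretry unless whitelisted.
    A legitimate user presenting the wrong key also produces a pre-auth disconnect,
    so maxretry stays above 1 and trusted ranges go in ignoreip."""
    return sorted(h for h, n in hits.items() if n >= maxretry and h not in ignoreip)


def filter_snippet(patterns=FAILREGEX):
    """Render the patterns as the [Definition] section of a filter.d file."""
    body = "\n            ".join(patterns)
    return f"[Definition]\nfailregex = {body}\nignoreregex =\n"


if __name__ == "__main__":
    hits = scan_log(SAMPLE_AUTH_LOG)
    print(dict(hits))
    print("ban:", hosts_to_ban(hits))
    print(filter_snippet())
```

Here the scanner address reaches three hits and the key user none, because `Disconnected from user alice ...` carries neither `authenticating` nor `[preauth]`. Before enabling such a filter, run it with `fail2ban-regex` against the real auth.log (or, when sshd logs only to the journal, point the jail's `backend` at systemd) and check the miss and match counts; a pattern that also catches the legitimate user's ordinary disconnects locks the administrator out of the same box the post describes.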
I never actually dealt with it. Just left it alone; they can't get in anyway. -___-!!
【 kis2006 (Dr.Web) wrote: 】
: @hgoldfish Hello, today I couldn't connect from the office to my armbian box at home; afterwards I found auth.log was also full of lines like
: Normal Shutdown, Thank you for playing [preauth]
: Searching the web, I came across this thread of yours.
: ...................
--
FROM 117.26.53.*
Oh, okay. In my case someone knocked the ssh service dead.
I'll run fail2ban for a while and see; if that doesn't work I'll turn off the port forwarding and connect through the VPN first, then reach the LAN.
【 hgoldfish wrote: 】
: I never actually dealt with it. Just left it alone; they can't get in anyway. -___-!!
:
:
: ...................
--Sent from 微水木 3.5.11
--
FROM 111.164.254.*