
ssh: A small midnight attack... (opinions, suggestions, etc.)




Hello,

Thanks to gkrellm I suddenly noticed unexpected traffic on the eth0
interface; it was no holiday or festival, I wasn't sending anything,
I wasn't receiving anything, so where did this traffic come from, I wondered.

Looking around a bit with netstat I ran into lots of ssh and thought something
unexpected was going on; I stopped sshd right away and then, looking at /var/log/auth.log,
I found the lines you will see below.

As far as I can tell, a single machine, by means of an automated
program, bombarded my system by trying various user names/passwords
and attempted to log in over ssh (with which program? how? I can't
tell, of course).

My system is Debian GNU/Linux (unstable). I am behind an ADSL router/firewall modem.

I would be glad if anyone can look at the log below, do a more detailed
analysis and make suggestions.

By the way, I became aware of a program called fail2ban:

 http://fail2ban.sourceforge.net

Does it make sense for preventing this kind of situation, has anyone used it?

Thanks in advance; the log file is below, and I have also included my sshd_config
file in case there is any problem with it (after this happened to me
I updated the sshd server with "apt-get install ssh"):

Sep 10 00:52:46 debian sshd[16576]: Did not receive identification string from ::ffff:83.170.72.51
Sep 10 00:53:01 debian CRON[16581]: (pam_unix) session opened for user mail by (uid=0)
Sep 10 00:53:01 debian CRON[16581]: (pam_unix) session closed for user mail
Sep 10 01:00:01 debian CRON[16697]: (pam_unix) session opened for user root by (uid=0)
Sep 10 01:00:04 debian CRON[16697]: (pam_unix) session closed for user root
Sep 10 01:00:18 debian sshd[16704]: Illegal user admin from ::ffff:83.170.72.51
Sep 10 01:00:19 debian sshd[16704]: error: Could not get shadow information for NOUSER
Sep 10 01:00:19 debian sshd[16704]: Failed password for illegal user admin from ::ffff:83.170.72.51 port 37887 ssh2
Sep 10 01:00:20 debian sshd[16706]: Illegal user administrator from ::ffff:83.170.72.51
Sep 10 01:00:20 debian sshd[16706]: error: Could not get shadow information for NOUSER
Sep 10 01:00:20 debian sshd[16706]: Failed password for illegal user administrator from ::ffff:83.170.72.51 port 38063 ssh2
Sep 10 01:00:21 debian sshd[16709]: Illegal user jack from ::ffff:83.170.72.51
Sep 10 01:00:22 debian sshd[16709]: error: Could not get shadow information for NOUSER
Sep 10 01:00:22 debian sshd[16709]: Failed password for illegal user jack from ::ffff:83.170.72.51 port 38231 ssh2
Sep 10 01:00:23 debian sshd[16711]: Illegal user marvin from ::ffff:83.170.72.51
Sep 10 01:00:23 debian sshd[16711]: error: Could not get shadow information for NOUSER
Sep 10 01:00:23 debian sshd[16711]: Failed password for illegal user marvin from ::ffff:83.170.72.51 port 38411 ssh2
Sep 10 01:00:25 debian sshd[16713]: Illegal user andres from ::ffff:83.170.72.51
Sep 10 01:00:25 debian sshd[16713]: error: Could not get shadow information for NOUSER
Sep 10 01:00:25 debian sshd[16713]: Failed password for illegal user andres from ::ffff:83.170.72.51 port 38595 ssh2
Sep 10 01:00:26 debian sshd[16716]: Illegal user barbara from ::ffff:83.170.72.51
Sep 10 01:00:26 debian sshd[16716]: error: Could not get shadow information for NOUSER
Sep 10 01:00:26 debian sshd[16716]: Failed password for illegal user barbara from ::ffff:83.170.72.51 port 38773 ssh2
Sep 10 01:00:28 debian sshd[16718]: Illegal user adine from ::ffff:83.170.72.51
Sep 10 01:00:28 debian sshd[16718]: error: Could not get shadow information for NOUSER
Sep 10 01:00:28 debian sshd[16718]: Failed password for illegal user adine from ::ffff:83.170.72.51 port 38966 ssh2
Sep 10 01:00:29 debian sshd[16720]: Illegal user test from ::ffff:83.170.72.51
Sep 10 01:00:29 debian sshd[16720]: error: Could not get shadow information for NOUSER
Sep 10 01:00:29 debian sshd[16720]: Failed password for illegal user test from ::ffff:83.170.72.51 port 39126 ssh2
Sep 10 01:00:31 debian sshd[16723]: Illegal user guest from ::ffff:83.170.72.51
Sep 10 01:00:31 debian sshd[16723]: error: Could not get shadow information for NOUSER
Sep 10 01:00:31 debian sshd[16723]: Failed password for illegal user guest from ::ffff:83.170.72.51 port 39324 ssh2
Sep 10 01:00:32 debian sshd[16725]: Illegal user db from ::ffff:83.170.72.51
Sep 10 01:00:32 debian sshd[16725]: error: Could not get shadow information for NOUSER
Sep 10 01:00:32 debian sshd[16725]: Failed password for illegal user db from ::ffff:83.170.72.51 port 39497 ssh2
Sep 10 01:00:34 debian sshd[16727]: Illegal user ahmed from ::ffff:83.170.72.51
Sep 10 01:00:34 debian sshd[16727]: error: Could not get shadow information for NOUSER
Sep 10 01:00:34 debian sshd[16727]: Failed password for illegal user ahmed from ::ffff:83.170.72.51 port 39675 ssh2
Sep 10 01:00:35 debian sshd[16729]: Illegal user alan from ::ffff:83.170.72.51
Sep 10 01:00:35 debian sshd[16729]: error: Could not get shadow information for NOUSER
Sep 10 01:00:35 debian sshd[16729]: Failed password for illegal user alan from ::ffff:83.170.72.51 port 39832 ssh2
Sep 10 01:00:37 debian sshd[16732]: Illegal user albert from ::ffff:83.170.72.51
Sep 10 01:00:37 debian sshd[16732]: error: Could not get shadow information for NOUSER

[...] a few thousand lines like this

Sep 10 01:11:13 debian sshd[17711]: Failed password for illegal user admins from ::ffff:83.170.72.51 port 50218 ssh2
Sep 10 01:11:14 debian sshd[17713]: Failed password for root from ::ffff:83.170.72.51 port 50353 ssh2
Sep 10 01:11:16 debian sshd[17715]: Failed password for root from ::ffff:83.170.72.51 port 50651 ssh2
Sep 10 01:11:17 debian sshd[17718]: Failed password for root from ::ffff:83.170.72.51 port 51318 ssh2
Sep 10 01:11:19 debian sshd[17720]: Failed password for root from ::ffff:83.170.72.51 port 51482 ssh2
Sep 10 01:11:20 debian sshd[17722]: Failed password for root from ::ffff:83.170.72.51 port 51770 ssh2

[...]

Sep 10 01:12:03 debian sshd[17789]: Failed password for root from ::ffff:83.170.72.51 port 33967 ssh2
Sep 10 01:12:04 debian sshd[17791]: Failed password for root from ::ffff:83.170.72.51 port 34290 ssh2
Sep 10 01:12:06 debian sshd[17794]: Failed password for root from ::ffff:83.170.72.51 port 34412 ssh2
Sep 10 01:12:07 debian sshd[17796]: Failed password for root from ::ffff:83.170.72.51 port 35084 ssh2
Sep 10 01:12:09 debian sshd[17798]: Failed password for root from ::ffff:83.170.72.51 port 35179 ssh2
Sep 10 01:12:10 debian sshd[17800]: Failed password for root from ::ffff:83.170.72.51 port 36468 ssh2
Sep 10 01:12:12 debian sshd[17803]: Failed password for root from ::ffff:83.170.72.51 port 39287 ssh2
Sep 10 01:13:28 debian sshd[17922]: Failed password for root from ::ffff:83.170.72.51 port 35609 ssh2
Sep 10 01:13:29 debian su[17924]: + pts/0 fz:root
Sep 10 01:13:29 debian su[17924]: (pam_unix) session opened for user root by fz(uid=1000)
Sep 10 01:13:29 debian sshd[17925]: Failed password for root from ::ffff:83.170.72.51 port 35718 ssh2
Sep 10 01:13:31 debian sshd[17928]: Failed password for root from ::ffff:83.170.72.51 port 36332 ssh2
Sep 10 01:13:32 debian sshd[17931]: Failed password for root from ::ffff:83.170.72.51 port 36605 ssh2
Sep 10 01:13:34 debian sshd[17933]: Failed password for root from ::ffff:83.170.72.51 port 36843 ssh2
Sep 10 01:15:50 debian sshd[18169]: Failed password for root from ::ffff:83.170.72.51 port 49164 ssh2
Sep 10 01:15:52 debian sshd[18172]: Failed password for root from ::ffff:83.170.72.51 port 50317 ssh2
Sep 10 01:15:53 debian sshd[18174]: Failed password for root from ::ffff:83.170.72.51 port 51059 ssh2
Sep 10 01:15:55 debian sshd[18176]: Failed password for root from ::ffff:83.170.72.51 port 52225 ssh2
Sep 10 01:15:57 debian sshd[18179]: Failed password for root from ::ffff:83.170.72.51 port 53013 ssh2
Sep 10 01:15:58 debian sshd[18183]: Failed password for root from ::ffff:83.170.72.51 port 54437 ssh2
Sep 10 01:16:00 debian sshd[18185]: Failed password for root from ::ffff:83.170.72.51 port 55263 ssh2
Sep 10 01:16:02 debian sshd[18188]: Failed password for root from ::ffff:83.170.72.51 port 56625 ssh2
Sep 10 01:16:03 debian sshd[18190]: Failed password for root from ::ffff:83.170.72.51 port 57807 ssh2
Sep 10 01:16:04 debian sshd[3837]: Received signal 15; terminating.
Sep 10 01:16:05 debian sshd[18192]: Failed password for root from ::ffff:83.170.72.51 port 58675 ssh2
Sep 10 01:16:51 debian su[18207]: + pts/0 fz:root
Sep 10 01:16:51 debian su[18207]: (pam_unix) session opened for user root by fz(uid=1000)
Sep 10 01:17:01 debian CRON[18211]: (pam_unix) session opened for user root by (uid=0)
Sep 10 01:17:01 debian CRON[18211]: (pam_unix) session closed for user root
Sep 10 01:23:01 debian CRON[18375]: (pam_unix) session opened for user mail by (uid=0)
Sep 10 01:23:01 debian CRON[18375]: (pam_unix) session closed for user mail
Sep 10 01:30:01 debian CRON[18519]: (pam_unix) session opened for user root by (uid=0)
Sep 10 01:30:07 debian CRON[18519]: (pam_unix) session closed for user root
Sep 10 01:38:01 debian CRON[18661]: (pam_unix) session opened for user mail by (uid=0)
Sep 10 01:38:01 debian CRON[18661]: (pam_unix) session closed for user mail
Sep 10 01:53:01 debian CRON[18896]: (pam_unix) session opened for user mail by (uid=0)
Sep 10 01:53:01 debian CRON[18896]: (pam_unix) session closed for user mail






/etc/ssh/sshd_config
==========================================

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
#PermitRootLogin yes
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/openssh/sftp-server


UsePAM yes


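What the poster did by eye (spot one source address, count its failures, notice the switch from made-up user names to root) is exactly the rule fail2ban automates: count authentication failures per source IP inside a time window and act once a threshold is reached. The script below, an added example that is not part of the original post or of fail2ban, runs that rule over a constructed sample in the same auth.log format. The year (syslog omits it), the 600-second window, the threshold of 5, and the innocent address 192.0.2.10 are assumptions made for the example; it also strips the ::ffff: prefix sshd writes when an IPv4 client reaches a dual-stack listener, so counts are keyed on the real IPv4 address.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH password-auth failures as they appear in the post's auth.log.
# Older sshd logs "Illegal user", newer releases "Invalid user"; both match.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?:(?:Illegal|Invalid) user (?P<bad_user>\S+) from (?P<ip1>\S+)'
    r'|Failed password for (?P<ill>illegal user |invalid user )?(?P<user>\S+) '
    r'from (?P<ip2>\S+) port \d+ ssh2)$'
)


def normalize_ip(ip):
    """sshd bound to :: logs IPv4 peers as IPv4-mapped addresses (::ffff:a.b.c.d);
    key everything on the plain IPv4 form so one host is not split in two."""
    return ip[7:] if ip.startswith('::ffff:') else ip


def parse_line(line, year=2005):
    """Return (timestamp, event, user, ip) for an sshd auth failure, else None.
    Syslog lines carry no year; the caller supplies one (assumed 2005 here)."""
    m = LOG_RE.match(line.rstrip('\n'))
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
    if m.group('bad_user') is not None:
        return ts, 'illegal_user', m.group('bad_user'), normalize_ip(m.group('ip1'))
    event = 'failed_password_illegal' if m.group('ill') else 'failed_password'
    return ts, event, m.group('user'), normalize_ip(m.group('ip2'))


def analyze(lines, window_seconds=600, threshold=5):
    """Per source IP: total failures, the peak number of failures inside any
    window_seconds span, distinct non-existent user names tried, root attempts,
    and whether the peak reaches the threshold (the fail2ban-style decision)."""
    by_ip = defaultdict(lambda: {'bad_users': set(), 'failed': [], 'root': 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # CRON, su, "Could not get shadow information", ...
        ts, event, user, ip = parsed
        rec = by_ip[ip]
        if event == 'illegal_user':
            rec['bad_users'].add(user)
            continue  # the matching "Failed password" line is counted instead
        if event == 'failed_password_illegal':
            rec['bad_users'].add(user)
        rec['failed'].append(ts)
        if user == 'root':
            rec['root'] += 1
    report = {}
    for ip, rec in by_ip.items():
        times = sorted(rec['failed'])
        peak = start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            'failed_total': len(times),
            'peak_in_window': peak,
            'distinct_bad_users': len(rec['bad_users']),
            'root_attempts': rec['root'],
            'brute_force': peak >= threshold,
        }
    return report


# Constructed sample in the format of the post's log: a burst of guesses from
# the attacking host, local su/CRON noise that must be ignored, and one typo
# from a made-up documentation-range address.
SAMPLE_LOG = """\
Sep 10 01:00:18 debian sshd[16704]: Illegal user admin from ::ffff:83.170.72.51
Sep 10 01:00:19 debian sshd[16704]: error: Could not get shadow information for NOUSER
Sep 10 01:00:19 debian sshd[16704]: Failed password for illegal user admin from ::ffff:83.170.72.51 port 37887 ssh2
Sep 10 01:00:20 debian sshd[16706]: Failed password for illegal user administrator from ::ffff:83.170.72.51 port 38063 ssh2
Sep 10 01:00:22 debian sshd[16709]: Failed password for illegal user jack from ::ffff:83.170.72.51 port 38231 ssh2
Sep 10 01:00:23 debian sshd[16711]: Failed password for illegal user marvin from ::ffff:83.170.72.51 port 38411 ssh2
Sep 10 01:00:25 debian sshd[16713]: Failed password for illegal user andres from ::ffff:83.170.72.51 port 38595 ssh2
Sep 10 01:11:14 debian sshd[17713]: Failed password for root from ::ffff:83.170.72.51 port 50353 ssh2
Sep 10 01:11:16 debian sshd[17715]: Failed password for root from ::ffff:83.170.72.51 port 50651 ssh2
Sep 10 01:13:29 debian su[17924]: (pam_unix) session opened for user root by fz(uid=1000)
Sep 10 01:17:01 debian CRON[18211]: (pam_unix) session opened for user root by (uid=0)
Sep 10 02:30:00 debian sshd[19001]: Failed password for fz from 192.0.2.10 port 41000 ssh2
"""

if __name__ == '__main__':
    for ip, summary in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {'BRUTE FORCE' if summary['brute_force'] else 'ok':12} {summary}")
```

Run it against a real file with `analyze(open('/var/log/auth.log'))`. Note that the su lines for fz in the post are the poster's own shell, not the attacker; the parser ignores them by construction, and the single failure from the other address stays below threshold, which is the point of keying on source address rather than on user name.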
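On the posted sshd_config: PermitRootLogin no and Protocol 2 are already right, so the root guesses at the end of the log could not have succeeded whatever password was sent. What is still open is the password surface itself (PasswordAuthentication yes, and ChallengeResponseAuthentication left at its default while UsePAM is yes, which lets PAM prompt for a password over keyboard-interactive even after PasswordAuthentication is turned off), a LoginGraceTime of 600 seconds that lets each unauthenticated connection hold a process for ten minutes, and MaxStartups left commented out. The audit below, an added example and not part of the original post or of OpenSSH, parses an sshd_config the way sshd does (case-insensitive keywords, first occurrence wins) and reports those settings; the assumed defaults in DEFAULTS are those of the OpenSSH releases of that era and should be checked against sshd_config(5) or `sshd -T` for the version actually installed. POSTED and HARDENED are constructed from the relevant lines of the posted file; the user name fz is taken from the log.

```python
# Effective values assumed when a keyword is absent or commented out
# (assumption: defaults of the OpenSSH releases of that era).
DEFAULTS = {
    'protocol': '2,1',
    'permitrootlogin': 'yes',
    'passwordauthentication': 'yes',
    'challengeresponseauthentication': 'yes',
    'usepam': 'no',
    'logingracetime': '120',
    'maxstartups': '10',
    'allowusers': '',
}


def parse_sshd_config(text):
    """Effective settings: keywords are case-insensitive, '#' starts a comment,
    and when a keyword is repeated sshd keeps the first value it saw."""
    cfg = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in seen:
            seen.add(key)
            cfg[key] = value
    return cfg


def audit(text):
    """Return (keyword, current value, recommendation) for each setting that
    leaves the server open to unthrottled password guessing."""
    cfg = parse_sshd_config(text)
    findings = []
    if '1' in [p.strip() for p in cfg['protocol'].split(',')]:
        findings.append(('Protocol', cfg['protocol'], 'set 2; protocol 1 is obsolete'))
    if cfg['permitrootlogin'] == 'yes':
        findings.append(('PermitRootLogin', 'yes',
                         'set no so a correct guess for root is still refused'))
    if cfg['passwordauthentication'] == 'yes':
        findings.append(('PasswordAuthentication', 'yes',
                         'set no once every account has a key in authorized_keys'))
    if cfg['usepam'] == 'yes' and cfg['challengeresponseauthentication'] == 'yes':
        findings.append(('ChallengeResponseAuthentication', 'yes (default)',
                         'set no; with UsePAM yes, keyboard-interactive still '
                         'prompts for a password when PasswordAuthentication is no'))
    grace = cfg['logingracetime']
    if grace.isdigit() and int(grace) > 60:
        findings.append(('LoginGraceTime', grace,
                         'set about 30; an idle unauthenticated connection '
                         'otherwise holds a process for that many seconds'))
    if ':' not in cfg['maxstartups']:
        findings.append(('MaxStartups', cfg['maxstartups'],
                         'set 10:30:60 so sshd drops new unauthenticated '
                         'connections with rising probability under load'))
    if not cfg['allowusers']:
        findings.append(('AllowUsers', '(unset)',
                         'list the accounts allowed to log in; other names '
                         'are refused before any password is checked'))
    return findings


def flagged(text):
    """Just the keyword names audit() complains about."""
    return {keyword for keyword, _, _ in audit(text)}


# The relevant lines of the posted file (comments kept as posted) and a
# hardened counterpart, both constructed for this example.
POSTED = """\
Port 22
Protocol 2
LoginGraceTime 600
#PermitRootLogin yes
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
PasswordAuthentication yes
#MaxStartups 10:30:60
UsePAM yes
"""

HARDENED = """\
Port 22
Protocol 2
LoginGraceTime 30
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
MaxStartups 10:30:60
AllowUsers fz
UsePAM yes
"""

if __name__ == '__main__':
    for keyword, current, advice in audit(POSTED):
        print(f"{keyword}: {current} -> {advice}")
    print('hardened findings:', audit(HARDENED))
```

Switching PasswordAuthentication off only after a key has been installed and tested from a second session is the usual caveat; with the hardened settings the guesser above gets a "Permission denied (publickey)" on the first packet and fail2ban has nothing left to count.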