PericoloGiallo
Ensign
- Registered
- Jan. 2009
- Posts
- 249
Dear friends,
For a few days now - 5, to be exact - my server has been reachable from the big wide web on port 22 (and on 21, encrypted only). And by this evening /var/log/auth.log has grown to around 30,000 lines. Most of the lines look like this or similar:
May 14 20:35:10 pyxos sshd[12763]: Invalid user username from 77.56.125.125
May 14 20:35:10 pyxos sshd[12763]: input_userauth_request: invalid user username [preauth]
May 14 20:35:10 pyxos sshd[12763]: pam_unix(sshd:auth): check pass; user unknown
May 14 20:35:10 pyxos sshd[12763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77$
May 14 20:35:12 pyxos sshd[12763]: Failed password for invalid user username from 77.56.125.125 port 39715 ssh2
May 14 20:35:12 pyxos sshd[12763]: pam_unix(sshd:auth): check pass; user unknown
May 14 20:35:13 pyxos sshd[12763]: Failed password for invalid user username from 77.56.125.125 port 39715 ssh2
May 14 20:35:13 pyxos sshd[12763]: Disconnecting: Change of username or service not allowed: (username,ssh-connection) -> (us$
May 14 20:35:13 pyxos sshd[12763]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=77-56-125-12$
May 14 20:38:41 pyxos sshd[12800]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22$
May 14 20:38:43 pyxos sshd[12800]: Failed password for root from 222.186.21.134 port 52892 ssh2
May 14 20:38:48 pyxos sshd[12800]: message repeated 2 times: [ Failed password for root from 222.186.21.134 port 52892 ssh2]
May 14 20:38:49 pyxos sshd[12800]: Received disconnect from 222.186.21.134: 11: [preauth]
May 14 20:38:49 pyxos sshd[12800]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.$
May 14 20:38:52 pyxos sshd[12802]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22$
May 14 20:38:54 pyxos sshd[12802]: Failed password for root from 222.186.21.134 port 48869 ssh2
May 14 20:39:00 pyxos sshd[12802]: message repeated 2 times: [ Failed password for root from 222.186.21.134 port 48869 ssh2]
May 14 20:39:00 pyxos sshd[12802]: Received disconnect from 222.186.21.134: 11: [preauth]
May 14 20:39:00 pyxos sshd[12802]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.$
May 14 20:39:02 pyxos CRON[12806]: pam_unix(cron:session): session opened for user root by (uid=0)
May 14 20:39:03 pyxos CRON[12806]: pam_unix(cron:session): session closed for user root
May 14 20:39:05 pyxos sshd[12804]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22$
May 14 20:39:07 pyxos sshd[12804]: Failed password for root from 222.186.21.134 port 45284 ssh2
May 14 20:39:12 pyxos sshd[12804]: message repeated 2 times: [ Failed password for root from 222.186.21.134 port 45284 ssh2]
May 14 20:39:13 pyxos sshd[12804]: Received disconnect from 222.186.21.134: 11: [preauth]
May 14 20:39:13 pyxos sshd[12804]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.$
May 14 20:39:18 pyxos sshd[12821]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22$
May 14 20:39:21 pyxos sshd[12821]: Failed password for root from 222.186.21.134 port 48080 ssh2
May 14 20:39:26 pyxos sshd[12821]: message repeated 2 times: [ Failed password for root from 222.186.21.134 port 48080 ssh2]
May 14 20:39:26 pyxos sshd[12821]: Received disconnect from 222.186.21.134: 11: [preauth]
May 14 20:39:26 pyxos sshd[12821]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.$
May 14 20:39:30 pyxos sshd[12823]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=22$
May 14 20:39:32 pyxos sshd[12823]: Failed password for root from 222.186.21.134 port 49616 ssh2
So that is 30,000 lines of access attempts from various (mostly Chinese) IP addresses, sometimes four or five per second.
As far as I can see, no attempt was successful. My server is not yet "known" to anyone and currently offers no other services either. I interpret this as an attempted attack on the server - what do you think, and what are your experiences with this?
Thanks!
PG
PS: How can I teach my FTP server (pure-ftpd) to grant encrypted access exclusively to virtual users and not to system users?
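An added example, not part of the original post: one way to check an auth.log of this shape for failed attempts per source address and for any accepted login, including logins accepted from an address that failed earlier. The sample log is constructed (documentation-range addresses, made-up host and user names), and `summarize` is a name chosen here.

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt above; addresses are from
# the documentation ranges, host and user names are made up.
SAMPLE_LOG = """\
May 14 20:35:12 host sshd[100]: Failed password for invalid user username from 192.0.2.10 port 39715 ssh2
May 14 20:38:43 host sshd[101]: Failed password for root from 198.51.100.7 port 52892 ssh2
May 14 20:38:48 host sshd[101]: message repeated 2 times: [ Failed password for root from 198.51.100.7 port 52892 ssh2]
May 14 20:39:02 host CRON[102]: pam_unix(cron:session): session opened for user root by (uid=0)
May 14 20:40:00 host sshd[103]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
May 14 20:41:10 host sshd[104]: Failed password for deploy from 203.0.113.9 port 40100 ssh2
May 14 20:41:15 host sshd[105]: Accepted password for deploy from 203.0.113.9 port 40101 ssh2
"""

# The user name is chosen by the remote side, so it is matched greedily and
# the address is taken from the last "from IP port N ssh2", which sshd appends.
EVENT = re.compile(
    r"sshd\[\d+\]: (?:message repeated (?P<extra>\d+) times: \[ )?"
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

def summarize(text):
    """Return (failures per IP, accepted logins, accepted logins after failures)."""
    failures = Counter()
    accepted, after_failures = [], []
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # CRON, pam_unix and truncated lines are not counted
        # "message repeated N times" stands for N further identical events.
        count = int(m["extra"]) if m["extra"] else 1
        if m["result"] == "Failed":
            failures[m["ip"]] += count
        else:
            login = (m["user"], m["ip"], m["method"])
            accepted.append(login)
            if failures[m["ip"]]:  # same address failed earlier in the log
                after_failures.append(login)
    return failures, accepted, after_failures

if __name__ == "__main__":
    failures, accepted, after_failures = summarize(SAMPLE_LOG)
    for ip, n in failures.most_common():
        print(f"{n:6d} failed   {ip}")
    for login in accepted:
        note = "  (after failures from this address)" if login in after_failures else ""
        print("accepted %s for %s from %s%s" % (login[2], login[0], login[1], note))
```

An empty list of accepted logins over the whole file is what "no attempt was successful" looks like in the log; entries in the third result are the ones to look at first.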