Is my server under attack?

Sot*_*ras 16 server security

Yesterday I created an Ubuntu 18.04 droplet on DigitalOcean using the MongoDB v4.0.2 image, and today I checked the /var/log/auth.log file... this is what I saw:

Oct  1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: Received disconnect from 116.31.116.16 port 61535:11:  [preauth]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct  1 16:17:01 mongodb-server-1 CRON[9173]: pam_unix(cron:session): session closed for user root
Oct  1 16:17:34 mongodb-server-1 sshd[9176]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: Received disconnect from 116.31.116.16 port 60613:11:  [preauth]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: Disconnected from authenticating user root 116.31.116.16 port 60613 [preauth]
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:18:43 mongodb-server-1 sshd[9178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:18:45 mongodb-server-1 sshd[9178]: Failed password for root from 116.31.116.16 port 30163 ssh2
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 30163 ssh2]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: Received disconnect from 116.31.116.16 port 30163:11:  [preauth]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: Disconnected from authenticating user root 116.31.116.16 port 30163 [preauth]
Oct  1 16:18:49 mongodb-server-1 sshd[9178]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:19:50 mongodb-server-1 sshd[9183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:19:53 mongodb-server-1 sshd[9183]: Failed password for root from 116.31.116.16 port 55398 ssh2
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 55398 ssh2]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: Received disconnect from 116.31.116.16 port 55398:11:  [preauth]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: Disconnected from authenticating user root 116.31.116.16 port 55398 [preauth]
Oct  1 16:19:57 mongodb-server-1 sshd[9183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:20:57 mongodb-server-1 sshd[9186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:20:59 mongodb-server-1 sshd[9186]: Failed password for root from 116.31.116.16 port 24942 ssh2
Oct  1 16:21:04 mongodb-server-1 sshd[9186]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 24942 ssh2]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: Received disconnect from 116.31.116.16 port 24942:11:  [preauth]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: Disconnected from authenticating user root 116.31.116.16 port 24942 [preauth]
Oct  1 16:21:05 mongodb-server-1 sshd[9186]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:22:15 mongodb-server-1 sshd[9188]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:22:18 mongodb-server-1 sshd[9188]: Failed password for root from 116.31.116.16 port 17758 ssh2
Oct  1 16:22:22 mongodb-server-1 sshd[9188]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17758 ssh2]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: Received disconnect from 116.31.116.16 port 17758:11:  [preauth]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: Disconnected from authenticating user root 116.31.116.16 port 17758 [preauth]
Oct  1 16:22:23 mongodb-server-1 sshd[9188]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:23:15 mongodb-server-1 sshd[9190]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:23:17 mongodb-server-1 sshd[9190]: Failed password for root from 116.31.116.16 port 17471 ssh2
Oct  1 16:23:21 mongodb-server-1 sshd[9190]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17471 ssh2]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: Received disconnect from 116.31.116.16 port 17471:11:  [preauth]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: Disconnected from authenticating user root 116.31.116.16 port 17471 [preauth]
Oct  1 16:23:22 mongodb-server-1 sshd[9190]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:24:19 mongodb-server-1 sshd[9209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:24:20 mongodb-server-1 sshd[9209]: Failed password for root from 116.31.116.16 port 37695 ssh2
Oct  1 16:24:25 mongodb-server-1 sshd[9209]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 37695 ssh2]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: Received disconnect from 116.31.116.16 port 37695:11:  [preauth]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: Disconnected from authenticating user root 116.31.116.16 port 37695 [preauth]
Oct  1 16:24:26 mongodb-server-1 sshd[9209]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:25:26 mongodb-server-1 sshd[9214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:25:27 mongodb-server-1 sshd[9214]: Failed password for root from 116.31.116.16 port 17403 ssh2
Oct  1 16:25:31 mongodb-server-1 sshd[9214]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 17403 ssh2]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: Received disconnect from 116.31.116.16 port 17403:11:  [preauth]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: Disconnected from authenticating user root 116.31.116.16 port 17403 [preauth]
Oct  1 16:25:32 mongodb-server-1 sshd[9214]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root

Oct  1 16:26:25 mongodb-server-1 sshd[9367]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root
Oct  1 16:26:27 mongodb-server-1 sshd[9367]: Failed password for root from 116.31.116.16 port 42236 ssh2
Oct  1 16:26:31 mongodb-server-1 sshd[9367]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 42236 ssh2]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: Received disconnect from 116.31.116.16 port 42236:11:  [preauth]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: Disconnected from authenticating user root 116.31.116.16 port 42236 [preauth]
Oct  1 16:26:32 mongodb-server-1 sshd[9367]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.16  user=root

Thousands of connection attempts logged! And it is still going on!

I am the only person with access to the server, and the only port I have open is 22!

What is happening?
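The log excerpt above is the raw material; what an administrator actually wants from it is a count of failed guesses per source and, separately, the list of logins that succeeded, because only the second list can tell you whether a break-in happened. The script below is an added example by the editor, not code from the question or from any answer. The log lines inside it are constructed to match the format shown above: 116.31.116.16 is the source from the question, while 198.51.100.23 and 203.0.113.7 are documentation-range addresses invented for the example. It expands rsyslog's "message repeated N times" lines, which otherwise make the count look smaller than it is.

```shell
#!/bin/sh
# Added example (editor's, not from the question or answer): summarise
# password-guessing activity in an auth.log excerpt and separate it from
# the one thing that would actually indicate a break-in, a successful login
# from a source you do not recognise.

# Constructed sample in the same format as the question's /var/log/auth.log.
# 116.31.116.16 is the source from the question; 198.51.100.23 and
# 203.0.113.7 are documentation-range addresses chosen for the example.
SAMPLE_LOG='Oct  1 16:16:25 mongodb-server-1 sshd[9171]: Failed password for root from 116.31.116.16 port 61535 ssh2
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 61535 ssh2]
Oct  1 16:16:30 mongodb-server-1 sshd[9171]: Disconnected from authenticating user root 116.31.116.16 port 61535 [preauth]
Oct  1 16:17:36 mongodb-server-1 sshd[9176]: Failed password for root from 116.31.116.16 port 60613 ssh2
Oct  1 16:17:40 mongodb-server-1 sshd[9176]: message repeated 2 times: [ Failed password for root from 116.31.116.16 port 60613 ssh2]
Oct  1 16:18:02 mongodb-server-1 sshd[9180]: Failed password for invalid user admin from 198.51.100.23 port 41000 ssh2
Oct  1 16:30:11 mongodb-server-1 sshd[9400]: Accepted publickey for deploy from 203.0.113.7 port 50000 ssh2'

# Count failed password attempts per source IP (read from stdin), expanding
# the "message repeated N times" lines that rsyslog collapses.
failed_attempts_by_ip() {
    awk '
    /Failed password for/ {
        n = 1
        if (match($0, /message repeated [0-9]+ times/)) {
            split(substr($0, RSTART, RLENGTH), w, " ")
            n = w[3]
        }
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        count[ip] += n
    }
    END { for (ip in count) print ip, count[ip] }'
}

# Sources whose failure count reaches THRESHOLD (default 5): the brute-force
# candidates worth handing to fail2ban or a firewall rule.
suspicious_sources() {
    failed_attempts_by_ip | awk -v t="${1:-5}" '$2 >= t { print $1 }'
}

# Successful logins as "user ip method". This is the list to read carefully:
# an entry you cannot account for means the guessing worked.
accepted_logins() {
    awk '/Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i + 1)
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        print user, ip, method
    }'
}

# Real logs given on the command line are used; otherwise the sample is:
#   sudo sh ssh_probe_summary.sh /var/log/auth.log
if [ $# -gt 0 ]; then LOG_INPUT=$(cat "$@"); else LOG_INPUT=$SAMPLE_LOG; fi
emit_log() { printf '%s\n' "$LOG_INPUT"; }

echo "failed attempts per source:"
emit_log | failed_attempts_by_ip | sort -k2 -rn
echo "sources at or above 5 failures:"
emit_log | suspicious_sources 5
echo "successful logins (verify every one):"
emit_log | accepted_logins
```

On the sample, 116.31.116.16 accounts for six failures once the repeated lines are expanded, the second source for one, and the only successful login is a public-key login for a user you would expect to recognise. The same distinction applies to the real log: a wall of "Failed password" lines is noise until an "Accepted" line from a source you did not expect appears next to it.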

Tho*_*ard 47

This particular traffic comes from a China-sourced IP address (basic information about the IP address on dnslytics.com) that is trying to log in to your root user over SSH using password authentication.

There are a couple of major issues when running any Internet-facing service:

  1. All IP addresses get probed when they are on the Internet.
  2. When some of those probes find an open port (such as the SSH port), malicious threat actors will keep probing to see whether they can get into your system with a password attack.

Both of these are a de facto standard for Internet-facing services. As a result, many of these threats persist. But this happens to many services, not just SSH.

These kinds of probes are unlikely to stop. That is why you should be careful when exposing services to the Internet.

Based on what I have seen in the past, what I know about IT security, and first-hand knowledge from running several Internet-facing services myself, this activity looks like the typical service scanning and probing that happens to most systems directly facing the Internet. It does not mean your server is being directly targeted. What is happening is that a service scanner found that your server responds on port 22 and keeps coming back to try authenticating with weak passwords in an attempt to compromise the server. This is not uncommon on Internet-facing connections.

However, there are a few things you can do to mitigate this:

  1. Disable direct SSH login access for the root user.

    Edit /etc/ssh/sshd_config, find the line that says PermitRootLogin and make sure it is set to prohibit-password or no.

    Note that if you do this you will need a non-root user you can log in as; that way you protect the root user and have a non-root user for whom you configure sudo access, so they can still run superuser commands when needed. (Never use SSH as root for your administrative functions and operations!)

  2. Disable password authentication and make SSH key authentication the only possible SSH login mechanism. There are many guides on how to do this, such as the one from Digital Ocean.

  3. Set up something like fail2ban to help block brute-force attempts. That is a complex process in itself, but you can install it with sudo apt install fail2ban. By default it is set up to protect SSH connections.

  4. Set up a firewall before you go on to add other services. That way you only accept the connections you trust for the services you want to offer to the Internet, instead of leaving everything exposed.

  • This is a good summary, and the DigitalOcean documentation site has some good tutorials for hardening a server. One thing to add is to set up a firewall, UFW, and get it configured and running before adding any new services. (2 upvotes)
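Steps 1 and 2 of the answer, as a script an administrator can run to audit where a box stands and then apply the settings. This is an added example by the editor, not code from the answer, the comment, or DigitalOcean's guides. The sshd_config fragment inside it is constructed, and the keyword names are OpenSSH 7.6's as shipped on Ubuntu 18.04 (OpenSSH 8.7 and later spell ChallengeResponseAuthentication as KbdInteractiveAuthentication). It also guards against a trap the answer does not mention: sshd takes the first value it sees for a keyword, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing, which is exactly what the constructed fragment contains.

```shell
#!/bin/sh
# Added example (editor's, not from the answer): audit and harden the SSH
# login settings from the answer's steps 1 and 2 on a copy of sshd_config.
# Keyword names are those of OpenSSH 7.6 (Ubuntu 18.04).

# Constructed fragment in the style of /etc/ssh/sshd_config. The trailing
# "PermitRootLogin no" is a common mistake: sshd uses the FIRST occurrence
# of a keyword, so the earlier "yes" is what is actually in effect.
SAMPLE_CONFIG='Port 22
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no'

# Effective value of KEY in FILE: first active occurrence, keywords are
# case-insensitive, commented lines start with "#" and never match.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report settings that still allow the password guessing from the question.
# Returns 1 if anything is weak.
audit_sshd_config() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin)
    case "${root:-prohibit-password}" in   # unset means prohibit-password
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin is '$root'"; rc=1 ;;
    esac
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_setting "$1" "$key")
        [ "$val" = "no" ] || { echo "WEAK: $key is '${val:-unset}' (default yes)"; rc=1; }
    done
    return $rc
}

# Set KEY to VALUE in FILE: drop every active line for the key and put the
# wanted one first, so first-match-wins works in our favour. Refuses files
# with Match blocks, whose per-block settings this would clobber.
set_sshd_option() {
    if grep -qi '^[[:space:]]*match[[:space:]]' "$1"; then
        echo "refusing: $1 contains Match blocks, edit it by hand" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$2" 'tolower($1) != tolower(key)' "$1"
    } > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no &&
    set_sshd_option "$1" PasswordAuthentication no &&
    set_sshd_option "$1" ChallengeResponseAuthentication no &&
    set_sshd_option "$1" PubkeyAuthentication yes
}

# With no argument, demo on a temp copy of the constructed fragment. For the
# real file, and only after a non-root user with an authorized_keys entry
# can log in:
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sh harden_sshd.sh /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl reload ssh
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$target"
fi
echo "before: PermitRootLogin=$(sshd_setting "$target" PermitRootLogin)"
audit_sshd_config "$target" || true
harden_sshd_config "$target"
echo "after:  PermitRootLogin=$(sshd_setting "$target" PermitRootLogin)"
audit_sshd_config "$target" && echo "hardened: $target"
[ -n "${1:-}" ] || rm -f "$target"
```

Keep the session you are working in open while you test a fresh login with the key-authenticated user; if the new login fails, restore the .bak copy and reload sshd before closing anything. Steps 3 and 4 of the answer then follow with sudo apt install fail2ban and, as the comment suggests, sudo ufw allow OpenSSH followed by sudo ufw enable before any other service is added.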