这是一个创建于 3135 天前的主题,其中的信息可能已经有所发展或是发生改变。
以下是截取部分数据: IP 查到是强国南方某几个省的电信 IP. 而且最少 1 秒就有 2 次左右的尝试登录. 难道是?!!!!
Apr 6 16:27:55 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:27:58 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:28:00 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:28:00 instance-3 sshd[2602]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:28:03 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:05 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:07 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:07 instance-3 sshd[2604]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:28:10 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:12 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:14 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:14 instance-3 sshd[2606]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:29:13 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:16 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:18 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:21 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:22 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:23 instance-3 sshd[2623]: fatal: Read from socket failed: Connection reset by peer [preauth]
Apr 6 16:29:26 instance-3 sshd[2625]: Failed password for root from 222.186.56.107 port 4002 ssh2
Apr 6 16:29:28 instance-3 sshd[2625]: Failed password for root from 222.186.56.107 port 4002 ssh2
Apr 6 16:27:55 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:27:58 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:28:00 instance-3 sshd[2602]: Failed password for root from 183.3.202.175 port 10606 ssh2
Apr 6 16:28:00 instance-3 sshd[2602]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:28:03 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:05 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:07 instance-3 sshd[2604]: Failed password for root from 183.3.202.175 port 38243 ssh2
Apr 6 16:28:07 instance-3 sshd[2604]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:28:10 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:12 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:14 instance-3 sshd[2606]: Failed password for root from 183.3.202.175 port 62540 ssh2
Apr 6 16:28:14 instance-3 sshd[2606]: Received disconnect from 183.3.202.175: 11: [preauth]
Apr 6 16:29:13 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:16 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:18 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:21 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:22 instance-3 sshd[2623]: Failed password for root from 222.186.56.107 port 2405 ssh2
Apr 6 16:29:23 instance-3 sshd[2623]: fatal: Read from socket failed: Connection reset by peer [preauth]
Apr 6 16:29:26 instance-3 sshd[2625]: Failed password for root from 222.186.56.107 port 4002 ssh2
Apr 6 16:29:28 instance-3 sshd[2625]: Failed password for root from 222.186.56.107 port 4002 ssh2
第 1 条附言 · 2016-04-08 10:35:36 +08:00
换默认的 ssh 端口可以解决吗?
38 条回复 • 2016-04-08 15:56:37 +08:00
 |
1
cszchen 2016-04-08 09:45:11 +08:00
也许曾经这是他的服务器
|
 |
3
twor2 2016-04-08 09:46:36 +08:00
发 ip 不打码
你吧发帖前后的登录次数对比一下,看看是否有变化 |
 |
4
initialdp 2016-04-08 09:46:49 +08:00  1
在粗暴破解你的 SSH 密码。安装 fail2ban 吧,一般这些无聊的动作都可以被封锁。
|
|
5
twor2 2016-04-08 09:46:52 +08:00
哦 是对方 ip ,我 2 了
|
 |
6
imWBB 2016-04-08 09:50:16 +08:00 via Android
为什么不禁用 root 和密码登录?
|
 |
7
raincious 2016-04-08 10:15:26 +08:00
缘分啊。我的机器也在被 183.3.202 这段 IP 地址的机器扫描,而且频率非常高,感觉十分奇怪。建议各位也看看自己的服务器是不是有这个 IP 地址的访问记录。
这是 3 月份的截图: 图片太长请手动复制到地址栏://i.imgur.com/bwtJcgB.png 这是刚刚的: 图片太长请手动复制到地址栏://i.imgur.com/aQKYHid.png `attempts` 计数低是因为程序会自动用 iptables 屏蔽 IP 地址 1.5 天时间,这期间这个 IP 就不能再访问我的服务器了。 |
 |
9
strahe 2016-04-08 10:21:33 +08:00
都是这样的,都是大面积扫描和暴力破解的,我几台机器,都是这样,
|
 |
11
H3x 2016-04-08 10:28:31 +08:00
黑产批量扫的
|
 |
12
kenshinhu 2016-04-08 10:30:02 +08:00
弱弱问问,在哪可以看到这个日志
|
 |
13
Andy1999 2016-04-08 10:31:25 +08:00 via iPhone
扫描
我几台服务器一天吃几百万的扫描呢 |
 |
15
BOYPT 2016-04-08 10:38:26 +08:00
至少你的服务器又公网 ip 就会有这种链接,没啥大惊小怪。
|
 |
16
DT27 2016-04-08 10:40:38 +08:00
很正常。所有服务器都这样。
|
 |
17
Jaylee 2016-04-08 10:43:40 +08:00
反正我禁止了密码登入,改了端口
|
 |
20
UnisandK 2016-04-08 10:54:20 +08:00
SSH 端口用默认的 22 的话基本每次登陆都能看见个几万次的尝试,换其他的端口也就稍好一点
端口扫描+协议分析+穷举弱密码的黑产一条龙,被扫多了就见怪不怪了 |
 |
21
jacy 2016-04-08 10:56:27 +08:00
我的路由器每天都会关顾上万次
|
 |
22
7654 2016-04-08 11:00:56 +08:00
我是直接把 SSH 关了,用网页控制 SSHD ,需要用的时候开启,不用的时候关闭
|
 |
23
xmoiduts 2016-04-08 11:03:36 +08:00 via Android
搭车求问,登录失败请求来自 127.0.0.1 ,用户名是常用的,不存在的用户名,比如 elasticsearch ,这是被黑了还是有人扫?我没有安装 elasticsearch 等程序。
|
 |
25
terrywang 2016-04-08 11:15:03 +08:00 via Android
更改默认端口可以省去很多麻烦
|
|
26
terrywang 2016-04-08 11:17:57 +08:00 via Android
抱歉,我看错了,能删除自己的发言吗?
|
 |
27
qa52666 2016-04-08 11:18:13 +08:00
我也纠结一下,阿里云天天提示有人尝试暴力破解。。。应该怎么搞?
|
 |
28
zyx89513 2016-04-08 11:20:02 +08:00
很正常 都是扫描肉鸡
|
 |
29
SourceMan 2016-04-08 11:21:54 +08:00
这些事,开新服务器之后,都做了吗?
http://www.ruanyifeng.com/blog/2014/03/server_setup.html |
 |
30
icybee 2016-04-08 11:28:00 +08:00
使用秘钥文件+密码登录
|
 |
31
RqPS6rhmP3Nyn3Tm 2016-04-08 11:42:44 +08:00
关闭密码登陆,只使用证书
|
 |
32
lxy 2016-04-08 11:45:10 +08:00
开通的当天半夜就有印度 IP 来扫,第二天我换了个大端口号后,至今就一直正常
|
 |
33
zhanglp888 2016-04-08 11:48:54 +08:00
ssh 要改端口,禁 root ,加证书
|
 |
34
SharkIng 2016-04-08 11:49:23 +08:00
扫肉鸡不是一个很常见的事么
|
 |
35
badcode 2016-04-08 12:33:55 +08:00
|
 |
36
intsilence 2016-04-08 14:10:36 +08:00
换证书,改端口等方法影响自己正常使用。还是装 fail2ban 吧,一劳永逸。
|
 |
37
4679kun 2016-04-08 14:15:43 +08:00
我用私钥登录 禁止密码登录
|
 |
38
rayhome1987 2016-04-08 15:56:37 +08:00
改 ssh 端口,禁止 root 用户登录,禁止密码登录
|
Select Language