2008-05-23

A recorded SSH brute-force intrusion attempt

On the afternoon of 2008-5-23 I suddenly felt like running an experiment: attach a virtual machine (VM) to a public IP, open the ssh-server port TCP/22 to the outside, and see how long it would take before someone came to try it.
(My personal habit after installing a system is to change SSH's TCP/22 to a port far up the range; if someone wants to scan ports, let them scan slowly.)
The result: in under 6 hours I had caught an IP attempting to break in.
The log recorded is as follows:
May 23 19:52:06 __ sshd[3515]: Did not receive identification string from 59.125.163.62
19:52:06: the first packet arrives, testing whether TCP/22 is open.
May 23 20:12:36 __ sshd[3521]: User root from 59-125-163-62.hinet-ip.hinet.net not allowed because not listed in AllowUsers
May 23 20:12:36 __ sshd[3521]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59-125-163-62.hinet-ip.hinet.net user=root
May 23 20:12:38 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
Next, starting at 20:12:36, it tried passwords for the root account, 120 times.
After that it tried 244 more times with other accounts; the whole password-guessing activity did not end until 20:38:52.
The statistics of the accounts tried are as follows:
root 120 times, lady 4 times, anca 2 times, dana 2 times, personal 2 times, radu 2 times
The rest were accounts tried once each:
abc ace adela adi adrian adv alex alexandru alias alina amar ambulator ancutza andrew annuaire anonymous antica arthur atb aurelia avenues awstats axente beleaua bogdan bremar bula calcul calin callhome cdvonline cerasela chimi chuck cimpeanu ciprian claudia claudiu claudius cncp contabil contat contempo corbus cosinus courier cris crisan cristi cristina cs dan daniel daniela danutza darkman dascalu david diabet dispecer dnp doina doomi dorin dorina drweb duane echopedi eddie emuleon eric erin ernest eugen eva exim fabrice farmacia felix filter fish florin fluffy folkert foobar fotograf garda gold gratiela greg guma haitac healer horia hostmaster httpd ina ionita ionut ionutz Ionutz ircd isabel iuli iulian iuly java jeffrey jeni jubar jurca juridic kent klaus laura lauren lead leu liana lili lorant loredana loverd lucia lucky mada mari maria marius mark master mckey medie medina Melk mia miha mihai moderna moised monika monique mysql nelu nick nico nicoara nicu norby notorius nucleara numis officeinn oprea oracle ovidiu palex passwd paul preist promo public quake raducu raul razvan revista richer robert rodica rodney romeo roxi ryan saito samba sanda sanderson sarolta sasha sauv save seba sebestyen secretar seongjin shadow simina sin skid slayer sly sorin spik sport squirrelmail staff statistica stefan styx sun support susan taz tehnolog telegest temp teo testguy tina tomcat toor tordai toto town trash trigger tuningar vasi victor water webadmin webmasters webrun webster whitecanyon wolf x xman yarul zako zemba
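The per-account tally above was done by hand from the sshd log. The following is an added example, not code from the original post, that does the same tally from lines of the shape shown in the log excerpt: it counts only the "Failed password" lines (the "not allowed because not listed in AllowUsers" and pam_unix lines describe the same attempt and would triple-count it), records the "Did not receive identification string" probe, and flags sources whose failed attempts are both numerous and closely spaced. The sample log lines, the year 2008 supplied for the year-less syslog timestamps, and the thresholds are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format of the post's sshd log (hostname replaced
# by "__" as in the post). The three lines at 20:12:36-38 are one attempt seen three
# ways, which is why only "Failed password" lines are counted below.
SAMPLE_LOG = """\
May 23 19:52:06 __ sshd[3515]: Did not receive identification string from 59.125.163.62
May 23 20:12:36 __ sshd[3521]: User root from 59-125-163-62.hinet-ip.hinet.net not allowed because not listed in AllowUsers
May 23 20:12:36 __ sshd[3521]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=59-125-163-62.hinet-ip.hinet.net user=root
May 23 20:12:38 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
May 23 20:12:41 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
May 23 20:12:44 __ sshd[3521]: Failed password for invalid user root from 59.125.163.62 port 33779 ssh2
May 23 20:13:02 __ sshd[3530]: Failed password for invalid user lady from 59.125.163.62 port 33801 ssh2
May 23 20:13:05 __ sshd[3530]: Failed password for invalid user lady from 59.125.163.62 port 33801 ssh2
May 23 20:13:09 __ sshd[3534]: Failed password for invalid user anca from 59.125.163.62 port 33820 ssh2
May 23 21:05:10 __ sshd[3600]: Failed password for invalid user admin from 83.145.82.134 port 51022 ssh2
May 23 21:05:14 __ sshd[3600]: Failed password for invalid user admin from 83.145.82.134 port 51022 ssh2
May 23 21:30:00 __ sshd[3610]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)"
# "invalid user" is present only when the account does not exist (or is denied by
# AllowUsers); valid-but-wrong-password attempts omit it, so it is optional here.
FAILED_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
PROBE_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)"
)


def _ts(stamp, year):
    # syslog timestamps carry no year; the caller supplies it (2008 for this post)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def summarize(log_text, year=2008):
    """Per source IP: failed-password count, users tried, first/last time, probe seen."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": Counter(),
                                  "first": None, "last": None, "probe": False})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            rec = per_ip[m["ip"]]
            t = _ts(m["ts"], year)
            rec["attempts"] += 1
            rec["users"][m["user"]] += 1
            rec["first"] = t if rec["first"] is None else min(rec["first"], t)
            rec["last"] = t if rec["last"] is None else max(rec["last"], t)
            continue
        m = PROBE_RE.match(line)
        if m:
            per_ip[m["ip"]]["probe"] = True
    return dict(per_ip)


def user_tally(summary):
    """Account name -> total failed attempts across all sources (the post's table)."""
    total = Counter()
    for rec in summary.values():
        total.update(rec["users"])
    return total


def brute_force_sources(summary, min_attempts=5, max_mean_gap_seconds=600):
    """Sources with at least min_attempts failures spaced on average no more than
    max_mean_gap_seconds apart. A slow, spread-out trickle is not flagged."""
    hits = {}
    for ip, rec in summary.items():
        if rec["attempts"] < min_attempts:
            continue
        span = (rec["last"] - rec["first"]).total_seconds()
        mean_gap = span / max(rec["attempts"] - 1, 1)
        if mean_gap <= max_mean_gap_seconds:
            hits[ip] = {"attempts": rec["attempts"], "distinct_users": len(rec["users"]),
                        "span_seconds": span, "probe": rec["probe"]}
    return hits


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, info in brute_force_sources(s).items():
        print(ip, info)
    print(user_tally(s).most_common())
```

To run it against a real file, replace SAMPLE_LOG with the contents of /var/log/secure or /var/log/auth.log; with UseDNS enabled the AllowUsers line carries the reverse-resolved name, so keying on the IP in the "Failed password" line keeps sources grouped consistently.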

(A pity I hadn't modified sshd to record the passwords it tried; some day I'll modify the sshd code to play with that.)

I used NMAP to scan the machine 59.125.163.62:
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
904/tcp open unknown => VMware Authentication Daemon
5901/tcp open vnc-1
10000/tcp open snet-sensor-mgmt => WEBMIN =_=
Looks like it has no particular protection at all.... =_=

# telnet 59.125.163.62 904
Trying 59.125.163.62...
Connected to 59.125.163.62.
Escape character is '^]'.
220 VMware Authentication Daemon Version 1.10: SSL Required, MKSDisplayProtocol:VNC

Telnetting to its TCP/80 shows:

Apache/2.2.3 (Fedora) Server at www.m■■■■e.net Port 80
Site name blurred out..

Heh.. so it's a machine running on Fedora, and it's serving something too. Googling it, it looks like it provides some WAP/PDA information services.

In principle I'm more inclined to consider that machine a victim as well..

Postscript: less than half an hour after I finished typing this post, two more machines came to try, 83.145.82.134 & 90.183.8.146, with the same behaviour pattern as described above.
It seems there are quite a few machines out there scattering shots at SSH ports, and frequently too.... three visits in half a day of being open.

Conclusion: when you set up a machine, still do the protection that should be done: close or block services that need not be exposed, change the ssh port if you can.. and check the machine every so often for anything abnormal..
