One of the biggest problems with putting a server on the internet is undoubtedly the infrastructure headaches.
Even when using more secure connection services such as OpenSSH, there are jokers who send spoofing or brute-force attempts at our machines.
Below you can see the brute-force behavior that I found in one of my environments:
    Apr 2 19:04:55 condor3105 sshd[32603]: Disconnected from 120.246.32.2 port 48940 [preauth]
    Apr 2 19:05:01 condor3105 CRON[32614]: pam_unix(cron:session): session opened for user root by (uid=0)
    Apr 2 19:05:01 condor3105 CRON[32614]: pam_unix(cron:session): session closed for user root
    Apr 2 19:05:08 condor3105 sshd[32617]: Invalid user jenkins from 117.132.4.151
    Apr 2 19:05:08 condor3105 sshd[32617]: input_userauth_request: invalid user jenkins [preauth]
    Apr 2 19:05:08 condor3105 sshd[32617]: pam_unix(sshd:auth): check pass; user unknown
    Apr 2 19:05:08 condor3105 sshd[32617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.132.4.151
    Apr 2 19:05:10 condor3105 sshd[32617]: Failed password for invalid user jenkins from 117.132.4.151 port 54700 ssh2
    Apr 2 19:05:11 condor3105 sshd[32617]: Received disconnect from 117.132.4.151 port 54700:11: Bye Bye [preauth]
    Apr 2 19:05:11 condor3105 sshd[32617]: Disconnected from 117.132.4.151 port 54700 [preauth]
    Apr 2 19:05:21 condor3105 sshd[32621]: Invalid user sammy from 139.199.205.185
    Apr 2 19:05:21 condor3105 sshd[32621]: input_userauth_request: invalid user sammy [preauth]
    Apr 2 19:05:21 condor3105 sshd[32621]: pam_unix(sshd:auth): check pass; user unknown
    Apr 2 19:05:21 condor3105 sshd[32621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.199.205.185
    Apr 2 19:05:24 condor3105 sshd[32621]: Failed password for invalid user sammy from 139.199.205.185 port 47740 ssh2
    Apr 2 19:05:24 condor3105 sshd[32621]: Received disconnect from 139.199.205.185 port 47740:11: Bye Bye [preauth]
    Apr 2 19:05:24 condor3105 sshd[32621]: Disconnected from 139.199.205.185 port 47740 [preauth]
    Apr 2 19:05:30 condor3105 sshd[32624]: Invalid user sshtunnel from 178.86.103.31
    Apr 2 19:05:30 condor3105 sshd[32624]: input_userauth_request: invalid user sshtunnel [preauth]
    Apr 2 19:05:31 condor3105 sshd[32624]: Connection closed by 178.86.103.31 port 49920 [preauth]
    Apr 2 19:05:38 condor3105 sshd[32626]: Invalid user sshtunnel from 5.74.169.197
    Apr 2 19:05:38 condor3105 sshd[32626]: input_userauth_request: invalid user sshtunnel [preauth]
    Apr 2 19:05:39 condor3105 sshd[32626]: Connection closed by 5.74.169.197 port 64754 [preauth]
    Apr 2 19:06:08 condor3105 sshd[32632]: Invalid user cloudadmin from 49.234.79.65
    Apr 2 19:06:08 condor3105 sshd[32632]: input_userauth_request: invalid user cloudadmin [preauth]
    Apr 2 19:06:08 condor3105 sshd[32632]: pam_unix(sshd:auth): check pass; user unknown
    Apr 2 19:06:08 condor3105 sshd[32632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.234.79.65
    Apr 2 19:06:08 condor3105 sshd[32634]: Invalid user sshtunnel from 95.223.74.161
    Apr 2 19:06:08 condor3105 sshd[32634]: input_userauth_request: invalid user sshtunnel [preauth]
    Apr 2 19:06:08 condor3105 sshd[32634]: Connection closed by 95.223.74.161 port 16489 [preauth]
    Apr 2 19:06:10 condor3105 sshd[32632]: Failed password for invalid user cloudadmin from 49.234.79.65 port 54704 ssh2
    Apr 2 19:06:10 condor3105 sshd[32632]: Received disconnect from 49.234.79.65 port 54704:11: Bye Bye [preauth]
    Apr 2 19:06:10 condor3105 sshd[32632]: Disconnected from 49.234.79.65 port 54704 [preauth]
    Apr 2 19:06:24 condor3105 sshd[32638]: Invalid user vnc from 117.132.4.151
    Apr 2 19:06:24 condor3105 sshd[32638]: input_userauth_request: invalid user vnc [preauth]
    Apr 2 19:06:24 condor3105 sshd[32638]: pam_unix(sshd:auth): check pass; user unknown
    Apr 2 19:06:24 condor3105 sshd[32638]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.132.4.151
    Apr 2 19:06:26 condor3105 sshd[32640]: Invalid user ftptest from 143.198.9.55
    Apr 2 19:06:26 condor3105 sshd[32640]: input_userauth_request: invalid user ftptest [preauth]
    Apr 2 19:06:26 condor3105 sshd[32640]: pam_unix(sshd:auth): check pass; user unknown
    Apr 2 19:06:26 condor3105 sshd[32640]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=143.198.9.55

One way to avoid this is to change the default SSH connection port (22 by default). Change it to a port that will not conflict with the services already in use in your environment.
To change the default SSH port, edit the following file:

    vi /etc/ssh/sshd_config

and find the line:

    Port 22

Replace port 22 with a port of your choice and then restart the SSH server:

    service sshd restart
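The Python script below is an added example, not part of the original post: it parses sshd lines in the format of the excerpt above and reports source addresses that tried several usernames, and usernames that were tried from several addresses. The function names and thresholds are assumptions; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# The two sshd messages in the excerpt that carry both a username and a source address.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Sample input: lines copied from the log excerpt in the post.
SAMPLE = """\
Apr 2 19:05:01 condor3105 CRON[32614]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 2 19:05:08 condor3105 sshd[32617]: Invalid user jenkins from 117.132.4.151
Apr 2 19:05:10 condor3105 sshd[32617]: Failed password for invalid user jenkins from 117.132.4.151 port 54700 ssh2
Apr 2 19:05:30 condor3105 sshd[32624]: Invalid user sshtunnel from 178.86.103.31
Apr 2 19:05:38 condor3105 sshd[32626]: Invalid user sshtunnel from 5.74.169.197
Apr 2 19:06:08 condor3105 sshd[32634]: Invalid user sshtunnel from 95.223.74.161
Apr 2 19:06:24 condor3105 sshd[32638]: Invalid user vnc from 117.132.4.151
""".splitlines()

def summarize(lines):
    """Map each source IP to the usernames it tried and its event counts."""
    stats = defaultdict(lambda: {"users": set(), "invalid": 0, "failed": 0})
    for line in lines:
        for key, pattern in (("invalid", INVALID_USER), ("failed", FAILED_PASSWORD)):
            m = pattern.search(line)
            if m:
                user, ip = m.groups()
                stats[ip]["users"].add(user)
                stats[ip][key] += 1
                break
    return dict(stats)

def repeat_sources(stats, min_users=2):
    """Sources that tried at least min_users usernames (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)

def sprayed_users(stats, min_sources=2):
    """Usernames tried from at least min_sources different addresses."""
    sources = defaultdict(set)
    for ip, s in stats.items():
        for user in s["users"]:
            sources[user].add(ip)
    return {u: sorted(ips) for u, ips in sources.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print("sources trying several usernames:", repeat_sources(stats))
    print("usernames tried from several sources:", sprayed_users(stats))
```

On the excerpt, 117.132.4.151 shows up with two usernames, while sshtunnel arrives from three different addresses, a pattern that counting per address alone would not surface.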