Avoiding spoofing on OpenSSH the simple way


One of the big problems with putting a server on the internet is, without doubt, the headaches that come with the infrastructure.
Even when using more secure connection services such as OpenSSH, there are still those jokers sending spoofing attempts or brute-force attacks at
our machines.

Below you can see the behaviour of a brute-force attack that I found in one of my environments:

Apr 2 19:04:55 condor3105 sshd[32603]: Disconnected from 120.246.32.2 port 48940 [preauth]
Apr 2 19:05:01 condor3105 CRON[32614]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 2 19:05:01 condor3105 CRON[32614]: pam_unix(cron:session): session closed for user root
Apr 2 19:05:08 condor3105 sshd[32617]: Invalid user jenkins from 117.132.4.151
Apr 2 19:05:08 condor3105 sshd[32617]: input_userauth_request: invalid user jenkins [preauth]
Apr 2 19:05:08 condor3105 sshd[32617]: pam_unix(sshd:auth): check pass; user unknown
Apr 2 19:05:08 condor3105 sshd[32617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.132.4.151
Apr 2 19:05:10 condor3105 sshd[32617]: Failed password for invalid user jenkins from 117.132.4.151 port 54700 ssh2
Apr 2 19:05:11 condor3105 sshd[32617]: Received disconnect from 117.132.4.151 port 54700:11: Bye Bye [preauth]
Apr 2 19:05:11 condor3105 sshd[32617]: Disconnected from 117.132.4.151 port 54700 [preauth]
Apr 2 19:05:21 condor3105 sshd[32621]: Invalid user sammy from 139.199.205.185
Apr 2 19:05:21 condor3105 sshd[32621]: input_userauth_request: invalid user sammy [preauth]
Apr 2 19:05:21 condor3105 sshd[32621]: pam_unix(sshd:auth): check pass; user unknown
Apr 2 19:05:21 condor3105 sshd[32621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=139.199.205.185
Apr 2 19:05:24 condor3105 sshd[32621]: Failed password for invalid user sammy from 139.199.205.185 port 47740 ssh2
Apr 2 19:05:24 condor3105 sshd[32621]: Received disconnect from 139.199.205.185 port 47740:11: Bye Bye [preauth]
Apr 2 19:05:24 condor3105 sshd[32621]: Disconnected from 139.199.205.185 port 47740 [preauth]
Apr 2 19:05:30 condor3105 sshd[32624]: Invalid user sshtunnel from 178.86.103.31
Apr 2 19:05:30 condor3105 sshd[32624]: input_userauth_request: invalid user sshtunnel [preauth]
Apr 2 19:05:31 condor3105 sshd[32624]: Connection closed by 178.86.103.31 port 49920 [preauth]
Apr 2 19:05:38 condor3105 sshd[32626]: Invalid user sshtunnel from 5.74.169.197
Apr 2 19:05:38 condor3105 sshd[32626]: input_userauth_request: invalid user sshtunnel [preauth]
Apr 2 19:05:39 condor3105 sshd[32626]: Connection closed by 5.74.169.197 port 64754 [preauth]
Apr 2 19:06:08 condor3105 sshd[32632]: Invalid user cloudadmin from 49.234.79.65
Apr 2 19:06:08 condor3105 sshd[32632]: input_userauth_request: invalid user cloudadmin [preauth]
Apr 2 19:06:08 condor3105 sshd[32632]: pam_unix(sshd:auth): check pass; user unknown
Apr 2 19:06:08 condor3105 sshd[32632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.234.79.65
Apr 2 19:06:08 condor3105 sshd[32634]: Invalid user sshtunnel from 95.223.74.161
Apr 2 19:06:08 condor3105 sshd[32634]: input_userauth_request: invalid user sshtunnel [preauth]
Apr 2 19:06:08 condor3105 sshd[32634]: Connection closed by 95.223.74.161 port 16489 [preauth]
Apr 2 19:06:10 condor3105 sshd[32632]: Failed password for invalid user cloudadmin from 49.234.79.65 port 54704 ssh2
Apr 2 19:06:10 condor3105 sshd[32632]: Received disconnect from 49.234.79.65 port 54704:11: Bye Bye [preauth]
Apr 2 19:06:10 condor3105 sshd[32632]: Disconnected from 49.234.79.65 port 54704 [preauth]
Apr 2 19:06:24 condor3105 sshd[32638]: Invalid user vnc from 117.132.4.151
Apr 2 19:06:24 condor3105 sshd[32638]: input_userauth_request: invalid user vnc [preauth]
Apr 2 19:06:24 condor3105 sshd[32638]: pam_unix(sshd:auth): check pass; user unknown
Apr 2 19:06:24 condor3105 sshd[32638]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.132.4.151
Apr 2 19:06:26 condor3105 sshd[32640]: Invalid user ftptest from 143.198.9.55
Apr 2 19:06:26 condor3105 sshd[32640]: input_userauth_request: invalid user ftptest [preauth]
Apr 2 19:06:26 condor3105 sshd[32640]: pam_unix(sshd:auth): check pass; user unknown
Apr 2 19:06:26 condor3105 sshd[32640]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=143.198.9.55
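The pattern in this excerpt (many source addresses, each probing one or two usernames) can be picked out automatically. The following added example, which is not part of the original post, parses lines in the same sshd format, counts failures per source address and flags addresses that either hammer one account or sweep several usernames; the sample log is constructed with documentation addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# "Invalid user X from IP" is logged once per probe, so the later
# "Failed password for invalid user X" line for the same attempt is
# excluded (negative lookahead) to avoid counting one attempt twice.
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")
FAILED_VALID_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?!invalid user )(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_auth_log(lines):
    """Return {source_ip: {"attempts": int, "users": set()}} for sshd auth failures."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = INVALID_USER_RE.search(line) or FAILED_VALID_RE.search(line)
        if m:
            entry = stats[m.group("ip")]
            entry["attempts"] += 1
            entry["users"].add(m.group("user"))
    return dict(stats)

def suspicious_sources(stats, min_attempts=3, min_users=2):
    """IPs that either hammer one account or sweep several usernames (assumed thresholds)."""
    return sorted(
        ip for ip, e in stats.items()
        if e["attempts"] >= min_attempts or len(e["users"]) >= min_users
    )

# Constructed sample in the same format as the post's auth.log excerpt
# (RFC 5737 documentation addresses, not the addresses from the post).
SAMPLE_LOG = """\
Apr 2 19:05:08 host sshd[32617]: Invalid user jenkins from 198.51.100.7
Apr 2 19:05:10 host sshd[32617]: Failed password for invalid user jenkins from 198.51.100.7 port 54700 ssh2
Apr 2 19:05:21 host sshd[32621]: Invalid user sammy from 192.0.2.44
Apr 2 19:05:24 host sshd[32621]: Failed password for invalid user sammy from 192.0.2.44 port 47740 ssh2
Apr 2 19:05:30 host sshd[32624]: Invalid user sshtunnel from 203.0.113.9
Apr 2 19:05:31 host sshd[32624]: Connection closed by 203.0.113.9 port 49920 [preauth]
Apr 2 19:06:24 host sshd[32638]: Invalid user vnc from 198.51.100.7
Apr 2 19:06:40 host sshd[32650]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 2 19:06:41 host sshd[32650]: Failed password for root from 203.0.113.9 port 40001 ssh2
Apr 2 19:07:02 host sshd[32660]: Accepted publickey for deploy from 192.0.2.100 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    stats = parse_auth_log(SAMPLE_LOG)
    for ip in suspicious_sources(stats):
        print(ip, stats[ip]["attempts"], sorted(stats[ip]["users"]))
```

The same parser works whatever port sshd listens on, so running it before and after the port change below is a quick way to check whether the change actually reduced the noise.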

One way to mitigate this is to change the default SSH connection port (22 by default). Change it to a port that you know will not conflict with services
already in use in your environment.

To change the default SSH port, edit the following file:

vi /etc/ssh/sshd_config

Port 22

Replace port 22 with a port of your choice and then restart the SSH server:

service sshd restart