I have never paid much attention to server security; that was supposed to be the ops team's job. Recently, though, quite a few of the company's servers on Alibaba Cloud have been attacked, with effects ranging from dropped virus files to a changed MySQL max_allowed_packet. Today one of the test servers kept misbehaving, and this afternoon its processes were silently killed several more times. When I went through the rsyslog logs I found a continuous stream of failed SSH login attempts; a partial excerpt follows:
Dec 7 16:27:49 iZ23nn1p4mjZ sshd[30720]: Invalid user david from 120.25.215.142
Dec 7 16:27:49 iZ23nn1p4mjZ sshd[30721]: input_userauth_request: invalid user david
Dec 7 16:27:49 iZ23nn1p4mjZ sshd[30720]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 16:27:49 iZ23nn1p4mjZ sshd[30720]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 16:27:49 iZ23nn1p4mjZ sshd[30720]: pam_succeed_if(sshd:auth): error retrieving information about user david
Dec 7 16:27:51 iZ23nn1p4mjZ sshd[30720]: Failed password for invalid user david from 120.25.215.142 port 41438 ssh2
Dec 7 16:31:41 iZ23nn1p4mjZ sshd[30801]: Invalid user content from 120.25.215.142
Dec 7 16:31:41 iZ23nn1p4mjZ sshd[30802]: input_userauth_request: invalid user content
Dec 7 16:31:41 iZ23nn1p4mjZ sshd[30801]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 16:31:41 iZ23nn1p4mjZ sshd[30801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 16:31:41 iZ23nn1p4mjZ sshd[30801]: pam_succeed_if(sshd:auth): error retrieving information about user content
Dec 7 16:31:43 iZ23nn1p4mjZ sshd[30801]: Failed password for invalid user content from 120.25.215.142 port 42729 ssh2
Dec 7 16:31:43 iZ23nn1p4mjZ sshd[30802]: Received disconnect from 120.25.215.142: 11: Bye Bye
Dec 7 16:33:38 iZ23nn1p4mjZ sshd[30834]: Invalid user r00t from 120.25.215.142
Dec 7 16:33:38 iZ23nn1p4mjZ sshd[30835]: input_userauth_request: invalid user r00t
Dec 7 16:33:38 iZ23nn1p4mjZ sshd[30834]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 16:33:38 iZ23nn1p4mjZ sshd[30834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 16:33:38 iZ23nn1p4mjZ sshd[30834]: pam_succeed_if(sshd:auth): error retrieving information about user r00t
Dec 7 16:33:40 iZ23nn1p4mjZ sshd[30834]: Failed password for invalid user r00t from 120.25.215.142 port 57491 ssh2
Dec 7 16:49:07 iZ23nn1p4mjZ sshd[32168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142 user=root
Dec 7 16:49:09 iZ23nn1p4mjZ sshd[32168]: Failed password for root from 120.25.215.142 port 34422 ssh2
Dec 7 16:23:56 iZ23nn1p4mjZ sshd[30542]: Invalid user oracle from 120.25.215.142
Dec 7 16:23:56 iZ23nn1p4mjZ sshd[30543]: input_userauth_request: invalid user oracle
Dec 7 16:23:56 iZ23nn1p4mjZ sshd[30542]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 16:23:56 iZ23nn1p4mjZ sshd[30542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 16:23:56 iZ23nn1p4mjZ sshd[30542]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Dec 7 16:23:58 iZ23nn1p4mjZ sshd[30542]: Failed password for invalid user oracle from 120.25.215.142 port 40147 ssh2
Dec 7 16:23:58 iZ23nn1p4mjZ sshd[30543]: Received disconnect from 120.25.215.142: 11: Bye Bye
Dec 7 15:25:45 iZ23nn1p4mjZ sshd[27218]: input_userauth_request: invalid user nagios
Dec 7 15:25:45 iZ23nn1p4mjZ sshd[27217]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 15:25:45 iZ23nn1p4mjZ sshd[27217]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 15:25:45 iZ23nn1p4mjZ sshd[27217]: pam_succeed_if(sshd:auth): error retrieving information about user nagios
Dec 7 15:25:47 iZ23nn1p4mjZ sshd[27217]: Failed password for invalid user nagios from 120.25.215.142 port 49015 ssh2
Dec 7 15:25:47 iZ23nn1p4mjZ sshd[27218]: Received disconnect from 120.25.215.142: 11: Bye Bye
Dec 7 15:27:43 iZ23nn1p4mjZ sshd[27244]: Invalid user postgres from 120.25.215.142
Dec 7 15:27:43 iZ23nn1p4mjZ sshd[27245]: input_userauth_request: invalid user postgres
Dec 7 15:27:43 iZ23nn1p4mjZ sshd[27244]: pam_unix(sshd:auth): check pass; user unknown
Dec 7 15:27:43 iZ23nn1p4mjZ sshd[27244]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=120.25.215.142
Dec 7 15:27:43 iZ23nn1p4mjZ sshd[27244]: pam_succeed_if(sshd:auth): error retrieving information about user postgres
Dec 7 15:27:45 iZ23nn1p4mjZ sshd[27244]: Failed password for invalid user postgres from 120.25.215.142 port 35544 ssh2
Quite a few of the company's servers still use weak passwords. It looks like we need to set a proper server policy: at a minimum, the first step is to require strong passwords and to log every command that every user runs.
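To turn the excerpt above into something that can alert rather than be read by hand, here is an added example (not code from the original post) that parses sshd "Failed password" lines per source address and flags the pattern seen here: many failures, several different usernames, names that do not exist on the host, and attempts against root. The sample input reuses four lines from the excerpt plus one constructed benign line; the thresholds are assumptions and should be tuned per environment.

```python
import re
from collections import defaultdict

# sshd "Failed password" line: optional "invalid user" marker, login name, source address.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def parse_failures(lines):
    """Per source IP: failure count, distinct usernames, and names sshd reported as non-existent."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        if m["invalid"]:
            s["invalid_users"].add(m["user"])
    return dict(stats)

def flag_brute_force(stats, min_failures=3, min_distinct_users=3):
    """Return {ip: [reasons]} for sources whose failures look like a brute-force/enumeration run."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["failures"] >= min_failures:
            reasons.append(f"{s['failures']} failed logins")
        if len(s["users"]) >= min_distinct_users:
            reasons.append(f"{len(s['users'])} distinct usernames tried")
        if s["invalid_users"]:  # guessing names that do not exist here means a wordlist, not a typo
            reasons.append("non-existent accounts probed: " + ", ".join(sorted(s["invalid_users"])))
        if "root" in s["users"]:
            reasons.append("direct root login attempted")
        if reasons:
            flagged[ip] = reasons
    return flagged

# Sample input: four "Failed password" lines taken from this post's excerpt, plus one
# constructed single failure from a documentation address (192.0.2.10) that should not be flagged.
SAMPLE_LOG = """\
Dec 7 16:27:51 iZ23nn1p4mjZ sshd[30720]: Failed password for invalid user david from 120.25.215.142 port 41438 ssh2
Dec 7 16:31:43 iZ23nn1p4mjZ sshd[30801]: Failed password for invalid user content from 120.25.215.142 port 42729 ssh2
Dec 7 16:33:40 iZ23nn1p4mjZ sshd[30834]: Failed password for invalid user r00t from 120.25.215.142 port 57491 ssh2
Dec 7 16:49:09 iZ23nn1p4mjZ sshd[32168]: Failed password for root from 120.25.215.142 port 34422 ssh2
Dec 7 16:50:00 iZ23nn1p4mjZ sshd[32200]: Failed password for deploy from 192.0.2.10 port 50000 ssh2
""".splitlines()
```

Calling flag_brute_force(parse_failures(SAMPLE_LOG)) flags only 120.25.215.142, with the reasons listed; feeding it the live auth log instead of SAMPLE_LOG gives a per-source summary to act on.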