Debian

Logwatch - how many attacks? I'm worried! What should I do?

  • April 16, 2020

I have a VPS, and every day I receive a hugely crowded Logwatch report.

I'm not a Debian expert, so I don't know whether this is normal or whether I should be worried.

Any advice?


################### Logwatch 7.4.0 (03/01/11) #################### 
       Processing Initiated: Wed Apr 15 06:25:28 2020
       Date Range Processed: yesterday
                             ( 2020-Apr-14 )
                             Period is day.
       Detail Level of Output: 0
       Type of Output/Format: mail / text
       Logfiles for Host: ***.***.**
################################################################## 

--------------------- fail2ban-messages Begin ------------------------ 

Banned services with Fail2Ban:              Bans:Unbans
   ssh:                                                    [495:500]

---------------------- fail2ban-messages End ------------------------- 


--------------------- httpd Begin ------------------------ 


Connection attempts using mod_proxy:
   113.128.105.226 -> www.baidu.com:443: 1 Time(s)
   119.118.30.23 -> www.ipip.net:443: 1 Time(s)
   223.12.78.165 -> cn.bing.com:443: 1 Time(s)
   45.13.93.90 -> ip.ws.126.net:443: 1 Time(s)

A total of 993 sites probed the server 
   [...]

---------------------- httpd End ------------------------- 


--------------------- iptables firewall Begin ------------------------ 


Listed by source hosts:
Logged 4735 packets on interface eth0
  From 2.25.218.189 - 16 packets to tcp(443) 
  From 2.32.62.225 - 8 packets to tcp(443) 
  From 2.34.179.95 - 4 packets to tcp(443) 
  From 2.36.160.255 - 4 packets to tcp(443) 
  From 2.37.140.177 - 1 packet to tcp(443) 
  From 2.39.41.23 - 10 packets to tcp(443) 
  From 2.45.1.230 - 3 packets to tcp(443) 
  From 2.45.152.99 - 2 packets to tcp(443) 
  From 2.102.45.174 - 2 packets to tcp(443) 
  From 2.132.43.242 - 1 packet to tcp(80) 
  From 2.177.207.154 - 1 packet to tcp(443) 
  From 2.178.237.89 - 1 packet to tcp(80) 
  From 2.180.124.124 - 1 packet to tcp(22) 
  From 2.181.21.231 - 3 packets to tcp(80) 
  From 2.181.67.150 - 3 packets to tcp(22) 
  From 2.186.1.136 - 2 packets to tcp(80) 
  From 2.186.43.121 - 1 packet to tcp(443) 
  [...]

---------------------- iptables firewall End ------------------------- 


--------------------- pam_unix Begin ------------------------ 

sshd:
   Authentication Failures:
      root (222.186.190.17): 180 Time(s)
      unknown (78.107.220.5): 82 Time(s)
      unknown (139.217.218.255): 48 Time(s)
      root (9.213.155.104.bc.googleusercontent.com): 47 Time(s)
      root (206.189.164.136): 41 Time(s)
      unknown (134.209.228.253): 41 Time(s)
      root (125.74.47.230): 38 Time(s)
      root (163.172.178.167): 36 Time(s)
      root (ns3003413.ip-5-196-75.eu): 36 Time(s)
      root (106.12.2.81): 35 Time(s)
      root (184.13.240.142): 35 Time(s)
      unknown (9.213.155.104.bc.googleusercontent.com): 35 Time(s)
      [...]

   Invalid Users:
      Unknown Account: 2879 Time(s)


---------------------- pam_unix End ------------------------- 


--------------------- SSHD Begin ------------------------ 


Illegal users from:
   undef: 1441 times
   1.53.158.156: 1 time
   1.214.156.163: 43 times
   2.184.4.3: 46 times
   3.133.0.24 (ec2-3-133-0-24.us-east-2.compute.amazonaws.com): 31 times
   5.135.94.191 (ip191.ip-5-135-94.eu): 36 times
   5.135.181.53 (ns3120718.ip-5-135-181.eu): 27 times
   5.147.173.226 (ip-5-147-173-226.unitymediagroup.de): 1 time
   [...]

Login attempted when not in AllowUsers list:
   backup : 18 Time(s)
   bin : 32 Time(s)
   daemon : 5 Time(s)
   games : 3 Time(s)
   irc : 1 Time(s)
   list : 1 Time(s)
   lp : 1 Time(s)
   mail : 2 Time(s)
   man : 1 Time(s)
   messagebus : 3 Time(s)
   mysql : 26 Time(s)
   news : 3 Time(s)
   nobody : 2 Time(s)
   postfix : 1 Time(s)
   proxy : 1 Time(s)
   root : 4881 Time(s)
   sshd : 3 Time(s)
   sync : 3 Time(s)
   sys : 5 Time(s)
   uucp : 3 Time(s)
   www-data : 6 Time(s)

---------------------- SSHD End ------------------------- 




###################### Logwatch End ######################### 

It's a mix of scans and attacks (looking for weak points, trying the usual usernames/services). Every Internet-facing server gets probed this way; if the services you offer are public, it can't be avoided.

It isn't Debian-specific; it relates to the services running on your server.

For ssh, what you can do is try to limit the number of attempts these scans get before they are banned (fail2ban). You may also want to check whether you are using mod_proxy, because some of the probes are checking whether you have set up an open proxy (without success).

Although I don't see anything worrying in your report, you must learn how to read it in case something bad does happen. If there are parts you don't understand (most of it is self-explanatory), feel free to ask.
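To make the kind of triage the answer describes repeatable, here is an added Python example (not code from the question or the answer) that parses the Logwatch sections quoted above, sums sshd failures per source, reads the fail2ban ban/unban counts, and flags sources whose daily failure count exceeds what a fail2ban jail with the given maxretry/bantime could let through, which suggests the jail is not actually stopping them. The sample report is a constructed excerpt in the format shown; the 5-retry/10-minute defaults and the daily-bound formula are assumptions.

```python
import re

# Constructed excerpt in the Logwatch layout shown in the post (sample input, not the full report).
SAMPLE_REPORT = """\
--------------------- fail2ban-messages Begin ------------------------
   ssh:                                                    [495:500]
---------------------- fail2ban-messages End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
   Authentication Failures:
      root (222.186.190.17): 180 Time(s)
      unknown (78.107.220.5): 82 Time(s)
      root (ns3003413.ip-5-196-75.eu): 36 Time(s)
---------------------- pam_unix End -------------------------
"""

BEGIN_RE = re.compile(r"^-+ (?P<name>.+?) Begin -+\s*$")
END_RE = re.compile(r"^-+ .+? End -+\s*$")
FAILURE_RE = re.compile(r"^\s*\S+ \((?P<src>[^)]+)\): (?P<n>\d+) Time\(s\)")
BANS_RE = re.compile(r"^\s*ssh:\s+\[(?P<bans>\d+):(?P<unbans>\d+)\]")

def parse_sections(report):
    """Split a Logwatch text report into {section name: [lines inside it]}."""
    sections, current = {}, None
    for line in report.splitlines():
        if begin := BEGIN_RE.match(line):
            current = begin.group("name")
            sections[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None:
            sections[current].append(line)
    return sections

def triage(report, maxretry=5, bantime=600):
    """Per-source sshd failures, ban counts, and sources beyond the jail's daily bound."""
    sections = parse_sections(report)
    per_source = {}
    for line in sections.get("pam_unix", []):
        if m := FAILURE_RE.match(line):
            per_source[m.group("src")] = per_source.get(m.group("src"), 0) + int(m.group("n"))
    bans = unbans = 0
    for line in sections.get("fail2ban-messages", []):
        if m := BANS_RE.match(line):
            bans, unbans = int(m.group("bans")), int(m.group("unbans"))
    # Assumed bound: a source can fail maxretry times per ban cycle, and one day holds
    # at most 86400 // bantime + 1 cycles; more failures than that means it was not banned.
    bound = maxretry * (86400 // bantime + 1)
    return {"bans": bans, "unbans": unbans, "per_source": per_source,
            "exceeds_bound": {s: n for s, n in per_source.items() if n > bound}}
```

With the default 10-minute ban, 180 failures from one host in a day is still within what the jail permits; only a longer bantime turns that count into a sign that the ban is not taking effect.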

Source: https://serverfault.com/questions/1012496