Ssh

儘管防火牆鎖定,但仍有數千次傳入 SSH 連接嘗試

  • May 28, 2019

因此,我的伺服器受到了數千次 SSH 登錄嘗試的衝擊。Fail2ban 正在擷取並禁止它們 - 但我的收件箱讓我擔心,它會在收件箱中填滿警報。這是我所看到的範例:

May 28 15:26:09 sshd[4908]: input_userauth_request: invalid user test [preauth]
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): check pass; user unknown
May 28 15:26:09 sshd[4908]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<<SNIPIP>>
May 28 15:26:11 sshd[4908]: Failed password for invalid user test from <<SNIPIP>> port 41344 ssh2
May 28 15:26:11 sshd[4908]: Received disconnect from <<SNIPIP>> port 41344:11: Bye Bye [preauth]
May 28 15:26:11 sshd[4908]: Disconnected from <<SNIPIP>> port 41344 [preauth]

有趣的是,當我嘗試使用以下方式進行連接時:

ssh test@myserverip -p 41344

我的連接嘗試最終超時,並且我在 auth.log 中沒有看到任何條目 - 這是我期望發生的情況,因為我已經通過 UFW 鎖定了機器防火牆:(旁注:我已經在非標準埠上執行 ssh )

ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   DENY IN     144.202.55.196
Anywhere                   DENY IN     188.53.140.190
Anywhere                   DENY IN     185.50.197.159
Anywhere                   DENY IN     206.189.197.133
Anywhere                   DENY IN     61.175.121.73
Anywhere                   DENY IN     8.30.124.149
Anywhere                   DENY IN     193.105.134.45
Anywhere                   DENY IN     139.129.14.230
Anywhere                   DENY IN     37.247.96.111
22                         DENY IN     Anywhere
2200/tcp                   ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
2246                       ALLOW IN    Anywhere
2812                       ALLOW IN    Anywhere
2247/tcp                   ALLOW IN    Anywhere
19999/tcp                  ALLOW IN    Anywhere
82/tcp                     ALLOW IN    Anywhere
22 (v6)                    DENY IN     Anywhere (v6)
2200/tcp (v6)              ALLOW IN    Anywhere (v6)
25/tcp (v6)                ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)
2246 (v6)                  ALLOW IN    Anywhere (v6)
2812 (v6)                  ALLOW IN    Anywhere (v6)
2247/tcp (v6)              ALLOW IN    Anywhere (v6)
19999/tcp (v6)             ALLOW IN    Anywhere (v6)
82/tcp (v6)                ALLOW IN    Anywhere (v6)

所以我的主要問題是,當我無法登錄時,怎麼可能有人甚至有機會嘗試登錄埠 41344?

這是遠端端連接的源埠。連接到您這邊的埠 22(或任何您的 SSH 守護程序正在偵聽的埠)。

每個網路套接字都由一個源地址和埠以及一個目標地址和埠組成。源埠由源作業系統隨機選擇。

引用自:https://serverfault.com/questions/969170