The home server that hosts this memo has had its ssh port moved away from 22.
The other day, the new port number finally seems to have been discovered by malicious users.
I found out when I casually tried to switch to root.
[matari@ssh ~]$ sudo su -
Last login: Tue Nov 28 13:44:29 JST 2017 on pts/0
Last failed login: Wed Nov 29 08:18:18 JST 2017 from 182.18.153.206 on ssh:notty
There were 13 failed login attempts since the last successful login.
I assign a fairly arbitrary ephemeral port to ssh here, so how did they find it?
Did they really scan every port? Do attackers have that much time on their hands?
Note: ephemeral ports (32768-61000)
[root@ssh ~]# sysctl -a | grep port_range
net.ipv4.ip_local_port_range = 32768	61000
At the same time, the VPS I rent from Conoha shows exactly the same log...
Log on the home server
# grep Fail /var/log/secure
Nov 28 13:59:52 ssh sshd[6684]: Failed password for invalid user carson from 103.231.209.33 port 26255 ssh2
Nov 28 14:00:01 ssh sshd[6686]: Failed password for invalid user admin from 52.80.97.172 port 45794 ssh2
Nov 28 14:43:30 ssh sshd[6717]: Failed password for root from 103.69.116.97 port 9789 ssh2
Nov 28 15:35:15 ssh sshd[6809]: Failed password for root from 222.103.136.175 port 54748 ssh2
Nov 28 15:43:02 ssh sshd[6812]: Failed password for invalid user admin from 54.186.178.242 port 46850 ssh2
Nov 28 17:14:21 ssh sshd[6872]: Failed password for invalid user justin from 221.7.147.226 port 52902 ssh2
Nov 28 18:13:10 ssh sshd[6905]: Failed password for invalid user ed from 164.39.4.146 port 43163 ssh2
Nov 28 18:16:33 ssh sshd[6908]: Failed password for invalid user test from 175.6.27.49 port 2195 ssh2
Nov 28 19:02:14 ssh sshd[6939]: Failed password for invalid user test from 192.169.198.4 port 36704 ssh2
Nov 28 20:00:00 ssh sshd[6953]: Failed password for invalid user guest from 121.15.200.85 port 58044 ssh2
Nov 28 20:19:29 ssh sshd[6978]: Failed password for invalid user lucas from 50.116.120.146 port 43175 ssh2
Nov 28 20:23:18 ssh sshd[6981]: Failed password for root from 193.70.0.112 port 54028 ssh2
Nov 28 20:28:52 ssh sshd[6984]: Failed password for root from 101.231.245.166 port 32887 ssh2
Nov 28 20:31:39 ssh sshd[6986]: Failed password for invalid user admin from 190.69.28.102 port 48710 ssh2
Nov 28 20:40:47 ssh sshd[6990]: Failed password for root from 222.103.136.182 port 36390 ssh2
Nov 28 20:50:34 ssh sshd[6994]: Failed password for invalid user anon from 81.95.18.202 port 41651 ssh2
Nov 28 21:49:05 ssh sshd[7028]: Failed password for invalid user adam from 112.29.245.145 port 2090 ssh2
Nov 28 22:30:23 ssh sshd[7057]: Failed password for root from 62.219.3.57 port 35034 ssh2
Nov 28 22:44:19 ssh sshd[7062]: Failed password for root from 120.77.222.135 port 41476 ssh2
Nov 29 00:24:47 ssh sshd[7125]: Failed password for invalid user demo4 from 103.231.218.254 port 21485 ssh2
Nov 29 01:45:26 ssh sshd[7167]: Failed password for invalid user test1 from 168.62.191.0 port 8791 ssh2
Nov 29 01:52:13 ssh sshd[7173]: Failed password for root from 81.29.93.2 port 29384 ssh2
Nov 29 02:01:10 ssh sshd[7196]: Failed password for invalid user test from 187.95.160.68 port 46779 ssh2
Nov 29 02:16:06 ssh sshd[7200]: Failed password for invalid user info from 190.146.168.222 port 57104 ssh2
Nov 29 03:08:45 ssh sshd[7235]: Failed password for root from 221.141.3.53 port 54085 ssh2
Nov 29 03:15:18 ssh sshd[7239]: Failed password for invalid user deploy from 180.166.114.150 port 14442 ssh2
Nov 29 03:25:02 ssh sshd[7271]: Failed password for invalid user radio from 177.38.108.106 port 41346 ssh2
Nov 29 03:35:12 ssh sshd[7275]: Failed password for invalid user admin from 181.141.26.121 port 52899 ssh2
Nov 29 03:49:22 ssh sshd[7280]: Failed password for root from 1.250.238.180 port 42854 ssh2
Nov 29 04:45:28 ssh sshd[7313]: Failed password for invalid user xmlrpc from 137.175.96.43 port 65387 ssh2
Nov 29 05:23:06 ssh sshd[7343]: Failed password for invalid user tomcat from 190.85.163.45 port 60019 ssh2
Nov 29 05:56:53 ssh sshd[7351]: Failed password for invalid user admin from 153.37.189.101 port 58264 ssh2
Nov 29 06:30:53 ssh sshd[7380]: Failed password for root from 186.147.249.67 port 53618 ssh2
Nov 29 07:34:00 ssh sshd[7414]: Failed password for invalid user deploy from 139.198.1.182 port 10663 ssh2
Nov 29 07:37:36 ssh sshd[7417]: Failed password for root from 190.52.166.83 port 47082 ssh2
Nov 29 08:18:18 ssh sshd[7447]: Failed password for root from 182.18.153.206 port 36852 ssh2
Nov 29 08:31:42 ssh sshd[7452]: Failed password for invalid user demo from 111.204.35.200 port 35544 ssh2
Nov 29 09:16:42 ssh sshd[7539]: Failed password for invalid user test from 61.109.255.162 port 59112 ssh2
Log on the Conoha side
# grep Fail /var/log/secure
Nov 28 13:13:48 conoha sshd[15357]: Failed password for root from 103.69.116.97 port 29834 ssh2
Nov 28 13:14:35 conoha sshd[15359]: Failed password for invalid user carson from 103.231.209.33 port 15020 ssh2
Nov 28 13:15:00 conoha sshd[15361]: Failed password for invalid user admin from 52.80.97.172 port 53947 ssh2
Nov 28 14:57:46 conoha sshd[15485]: Failed password for invalid user admin from 54.186.178.242 port 44454 ssh2
Nov 28 15:06:41 conoha sshd[15505]: Failed password for root from 222.103.136.175 port 58614 ssh2
Nov 28 17:28:55 conoha sshd[15636]: Failed password for invalid user test from 175.6.27.49 port 2238 ssh2
Nov 28 17:43:50 conoha sshd[15652]: Failed password for invalid user ed from 164.39.4.146 port 45861 ssh2
Nov 28 18:17:57 conoha sshd[15692]: Failed password for invalid user test from 192.169.198.4 port 37640 ssh2
Nov 28 19:12:01 conoha sshd[15754]: Failed password for invalid user guest from 121.15.200.85 port 29811 ssh2
Nov 28 19:35:28 conoha sshd[15777]: Failed password for invalid user lucas from 50.116.120.146 port 58267 ssh2
Nov 28 19:39:15 conoha sshd[15780]: Failed password for root from 193.70.0.112 port 42876 ssh2
Nov 28 20:02:03 conoha sshd[15816]: Failed password for root from 101.231.245.166 port 35297 ssh2
Nov 28 20:03:11 conoha sshd[15818]: Failed password for invalid user admin from 190.69.28.102 port 37942 ssh2
Nov 28 20:21:44 conoha sshd[15836]: Failed password for root from 222.103.136.182 port 43928 ssh2
Nov 28 20:23:52 conoha sshd[15839]: Failed password for invalid user anon from 81.95.18.202 port 41528 ssh2
Nov 28 21:01:12 conoha sshd[15874]: Failed password for invalid user adam from 112.29.245.145 port 2082 ssh2
Nov 28 21:56:18 conoha sshd[15945]: Failed password for root from 120.77.222.135 port 42794 ssh2
Nov 28 22:03:49 conoha sshd[15965]: Failed password for root from 62.219.3.57 port 53280 ssh2
Nov 28 23:39:50 conoha sshd[16060]: Failed password for invalid user demo4 from 103.231.218.254 port 32714 ssh2
Nov 29 00:15:49 conoha sshd[16119]: Failed password for invalid user test1 from 168.62.191.0 port 28188 ssh2
Nov 29 00:22:13 conoha sshd[16129]: Failed password for root from 81.29.93.2 port 55981 ssh2
Nov 29 01:16:22 conoha sshd[16219]: Failed password for invalid user test from 187.95.160.68 port 52143 ssh2
Nov 29 01:31:47 conoha sshd[16239]: Failed password for invalid user info from 190.146.168.222 port 47574 ssh2
Nov 29 01:34:58 conoha sshd[16242]: Failed password for root from 221.141.3.53 port 48906 ssh2
Nov 29 01:45:25 conoha sshd[16252]: Failed password for invalid user deploy from 180.166.114.150 port 52396 ssh2
Nov 29 02:57:14 conoha sshd[16330]: Failed password for invalid user radio from 177.38.108.106 port 56597 ssh2
Nov 29 03:08:32 conoha sshd[16354]: Failed password for invalid user admin from 181.141.26.121 port 33421 ssh2
Nov 29 03:19:18 conoha sshd[16365]: Failed password for root from 1.250.238.180 port 47518 ssh2
Nov 29 03:55:06 conoha sshd[16431]: Failed password for invalid user tomcat from 190.85.163.45 port 42088 ssh2
Nov 29 04:16:30 conoha sshd[16465]: Failed password for invalid user xmlrpc from 137.175.96.43 port 57148 ssh2
Nov 29 04:28:14 conoha sshd[16476]: Failed password for invalid user admin from 153.37.189.101 port 43330 ssh2
Nov 29 05:41:15 conoha sshd[16560]: Failed password for root from 186.147.249.67 port 44984 ssh2
Nov 29 06:45:29 conoha sshd[16626]: Failed password for invalid user deploy from 139.198.1.182 port 20172 ssh2
Nov 29 06:52:36 conoha sshd[16635]: Failed password for root from 190.52.166.83 port 50367 ssh2
Nov 29 07:33:30 conoha sshd[16690]: Failed password for root from 182.18.153.206 port 40364 ssh2
Nov 29 07:46:59 conoha sshd[16700]: Failed password for invalid user demo from 111.204.35.200 port 48096 ssh2
Nov 29 07:47:00 conoha sshd[16702]: Failed password for invalid user test from 61.109.255.162 port 52448 ssh2
Nov 29 08:11:20 conoha sshd[16738]: Failed password for invalid user image from 64.124.219.135 port 40885 ssh2
Even the order of the attacks is the same; there must be some brute-force tool that works this way...
And on top of that, having password authentication enabled on an ssh server reachable from the outside is pretty bad. This is something I genuinely need to fix.
But I still haven't distributed public keys to all of my devices...
Other countermeasures are in place, so the ssh port being discovered is not a security problem in itself,
but the thought of the HDD grinding away and /var/log/secure swelling up for the sake of these people is infuriating.
So I decided to do something about it.
Changing the port yet again is a hassle, so I'll shut them out at the network level instead.
The SSG140 that I bought but have hardly used since: I choose you.
SSH had been allowed from ANY; now it is reachable only from home!
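To make "same sources, same order" something you can check rather than eyeball, here is an added Python example (not code from the original post) that parses sshd `Failed password` lines as printed by `grep Fail /var/log/secure`, counts attempts per source address, finds the sources that hit both hosts, and measures how much of the attack sequence the two hosts share. The sample input is a constructed subset of the lines shown above; the function and variable names are this example's own.

```python
"""Correlate sshd "Failed password" lines from two hosts (added example)."""
import re
from collections import Counter

# Constructed sample input: a subset of the log lines from the post, one block
# per host (the home server, hostname "ssh", and the Conoha VPS, "conoha").
HOME_LOG = """\
Nov 28 13:59:52 ssh sshd[6684]: Failed password for invalid user carson from 103.231.209.33 port 26255 ssh2
Nov 28 14:00:01 ssh sshd[6686]: Failed password for invalid user admin from 52.80.97.172 port 45794 ssh2
Nov 28 14:43:30 ssh sshd[6717]: Failed password for root from 103.69.116.97 port 9789 ssh2
Nov 28 15:43:02 ssh sshd[6812]: Failed password for invalid user admin from 54.186.178.242 port 46850 ssh2
Nov 28 17:14:21 ssh sshd[6872]: Failed password for invalid user justin from 221.7.147.226 port 52902 ssh2
Nov 28 18:13:10 ssh sshd[6905]: Failed password for invalid user ed from 164.39.4.146 port 43163 ssh2
"""

CONOHA_LOG = """\
Nov 28 13:13:48 conoha sshd[15357]: Failed password for root from 103.69.116.97 port 29834 ssh2
Nov 28 13:14:35 conoha sshd[15359]: Failed password for invalid user carson from 103.231.209.33 port 15020 ssh2
Nov 28 13:15:00 conoha sshd[15361]: Failed password for invalid user admin from 52.80.97.172 port 53947 ssh2
Nov 28 14:57:46 conoha sshd[15485]: Failed password for invalid user admin from 54.186.178.242 port 44454 ssh2
Nov 28 17:43:50 conoha sshd[15652]: Failed password for invalid user ed from 164.39.4.146 port 45861 ssh2
"""

# Syslog prefix, then the fixed wording sshd uses for a rejected password.
# "invalid user " is present only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"], "host": m["host"], "user": m["user"],
            "ip": m["ip"], "port": int(m["port"]),
            "invalid": m["invalid"] is not None,  # account absent on this host
        })
    return events


def attempts_per_source(events):
    """Failed attempts keyed by source address (input for a block list or fail2ban-style rule)."""
    return Counter(e["ip"] for e in events)


def shared_sources(events_a, events_b):
    """Source addresses that produced failures on both hosts."""
    return set(attempts_per_source(events_a)) & set(attempts_per_source(events_b))


def _lcs_length(a, b):
    """Length of the longest common subsequence: how many items keep their relative order."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def sequence_overlap(events_a, events_b):
    """Compare the (source, username) sequence of the shared sources on both hosts.

    'in_order' is the number of shared attempts that arrive in the same relative
    order on both hosts; close to the sequence length means one coordinated run.
    """
    common = shared_sources(events_a, events_b)
    seq_a = [(e["ip"], e["user"]) for e in events_a if e["ip"] in common]
    seq_b = [(e["ip"], e["user"]) for e in events_b if e["ip"] in common]
    return {"a": len(seq_a), "b": len(seq_b), "in_order": _lcs_length(seq_a, seq_b)}


if __name__ == "__main__":
    home = parse_failed_logins(HOME_LOG)
    conoha = parse_failed_logins(CONOHA_LOG)
    print("per-source (home):", attempts_per_source(home).most_common())
    print("shared sources:", sorted(shared_sources(home, conoha)))
    print("sequence overlap:", sequence_overlap(home, conoha))
```

On the sample above, five of the six home-server sources also hit the Conoha VPS, and four of those five shared attempts arrive in the same relative order on both hosts; the one exception (the `root` attempt from 103.69.116.97) reached Conoha first. Running the parser over the full `/var/log/secure` of each host gives the same picture for the whole day, and the per-source counter is the natural input for a firewall block list.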
set address "V1-Trust" "SSH" 192.168.0.9 255.255.255.255
set address "V1-Untrust" "HOME" 192.168.0.0 255.255.240.0
set policy id 6 from "V1-Untrust" to "V1-Trust" "HOME" "SSH" "SSH" permit
set policy id 6
That cleaned things up.