Nov 3 01:22:06 server sshd[11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 01:22:17 server sshd[11880]: Received disconnect from 123.127.5.131: 13: The user canceled authentication.
Nov 3 03:15:08 server sshd[17524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=24.238.47.93.res-cmts.tv13.ptd.net user=root
Nov 3 03:15:11 server sshd[17524]: Failed password for root from 24.238.47.93 port 3033 ssh2
Nov 3 03:15:11 server sshd[17525]: Received disconnect from 24.238.47.93: 11: Bye
Nov 3 05:14:12 server sshd[20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:12 server sshd[20460]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:12 server sshd[20461]: input_userauth_request: invalid user
Nov 3 05:14:12 server sshd[20460]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:12 server sshd[20460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61
Nov 3 05:14:14 server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:14 server sshd[20461]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:16 server sshd[20467]: Invalid user 1 from 218.28.4.61
Nov 3 05:14:16 server sshd[20467]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:16 server sshd[20468]: input_userauth_request: invalid user 1
Nov 3 05:14:16 server sshd[20467]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:16 server sshd[20467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61
Nov 3 05:14:18 server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:18 server sshd[20468]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:20 server sshd[20473]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:20 server sshd[20473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.28.4.61 user=root
Nov 3 05:14:22 server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 3 05:14:22 server sshd[20475]: Received disconnect from 218.28.4.61: 11: Bye
Nov 3 05:14:24 server sshd[21504]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
There are also many like this:
Nov 4 13:09:44 server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 server sshd[10015]: Did not receive identification string from UNKNOWN
Nov 4 13:16:25 server sshd[10200]: Did not receive identification string from UNKNOWN
Nov 4 13:18:28 server sshd[11524]: Did not receive identification string from UNKNOWN
Nov 4 13:19:24 server sshd[11579]: Did not receive identification string from UNKNOWN
Nov 4 13:20:24 server sshd[11707]: Did not receive identification string from UNKNOWN
Nov 4 13:21:24 server sshd[11782]: Did not receive identification string from UNKNOWN
Nov 4 13:22:24 server sshd[11854]: Did not receive identification string from UNKNOWN
Nov 4 13:24:26 server sshd[12036]: Did not receive identification string from UNKNOWN
Nov 4 13:25:26 server sshd[12201]: Did not receive identification string from UNKNOWN
Nov 4 13:26:26 server sshd[13312]: Did not receive identification string from UNKNOWN
Nov 4 13:27:26 server sshd[13400]: Did not receive identification string from UNKNOWN
Nov 4 13:28:26 server sshd[13542]: Did not receive identification string from UNKNOWN
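To turn log excerpts like the ones above into something actionable, here is an added example (not from the original post) that parses the three sshd message types shown, counts them per source address, and flags sources that look like password guessing or port probing. The sample lines are constructed from the entries quoted above, with one made-up successful login added so a benign source is present.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the /var/log/secure entries quoted above (plus one made-up login).
SAMPLE_LOG = """\
Nov 3 01:22:06 server sshd[11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 05:14:12 server sshd[20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:14 server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:16 server sshd[20467]: Invalid user 1 from 218.28.4.61
Nov 3 05:14:18 server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:22 server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 4 13:09:44 server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 server sshd[10015]: Did not receive identification string from UNKNOWN
Nov 3 08:00:00 server sshd[22222]: Accepted password for admin from 10.0.0.5 port 50000 ssh2
"""

# One regex per sshd message type seen in the post; groups are (user, source) or (source).
PATTERNS = [
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")),
    ("invalid_user", re.compile(r"Invalid user (\S+) from (\S+)")),
    ("no_ident", re.compile(r"Did not receive identification string from (\S+)")),
]

def parse_secure_log(text):
    """Return (events, users): per-source message counts and the set of usernames tried."""
    events = defaultdict(Counter)
    users = defaultdict(set)
    for line in text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            groups = m.groups()
            src = groups[-1]                 # source address is always the last group
            events[src][name] += 1
            if len(groups) == 2:
                users[src].add(groups[0])    # username is only present in auth messages
            break                            # each line matches at most one pattern
    return events, users

def suspicious_sources(events, users, fail_threshold=3):
    """Flag password guessing (repeated failures) and probes (no SSH banner sent)."""
    flagged = {}
    for src, c in events.items():
        if c["failed_password"] + c["invalid_user"] >= fail_threshold:
            flagged[src] = "password guessing: %d users tried" % len(users[src])
        elif c["no_ident"] > 0:
            flagged[src] = "probe: connected without sending an identification string"
    return flagged
```

Run it against the real file with `parse_secure_log(open("/var/log/secure").read())`; the thresholds are deliberately low for the short sample and should be raised for a busy host.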
It looks like there are quite a few security problems, so I started reinforcing the line of defense and hardening the server, so that those old and persistent hackers could take a break too. Haha.
First, disable remote root login and change the ssh port.
vi /etc/ssh/sshd_config
# Disable root login; create an ordinary user for remote login and switch to root with su -
PermitRootLogin no
# Change the port to one a scanner only finds after sweeping all the way from 22 up to 36301... haha
# Port 22
Port 36301
Restart sshd: /etc/init.d/sshd restart
After these changes, the secure log stayed quiet for several days apart from my own login entries, and the results were just beginning to show. But the good news did not last long; a few days later I found another probing log:
Nov 9 15:57:02 server sshd[13948]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13916]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13949]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13944]: Did not receive identification string from 66.197.176.130
Nov 9 22:58:17 server sshd[15736]: Did not receive identification string from UNKNOWN
Nov 9 22:59:17 server sshd[15972]: Did not receive identification string from UNKNOWN
Nov 9 23:00:18 server sshd[16163]: Did not receive identification string from UNKNOWN
Nov 9 23:01:18 server sshd[16309]: Did not receive identification string from UNKNOWN
Nov 9 23:02:18 server sshd[17579]: Did not receive identification string from UNKNOWN
Nov 9 23:03:18 server sshd[17736]: Did not receive identification string from UNKNOWN
Nov 9 23:04:17 server sshd[17846]: Did not receive identification string from UNKNOWN
Nov 9 23:05:17 server sshd[18021]: Did not receive identification string from UNKNOWN
Nov 9 23:06:20 server sshd[18103]: Did not receive identification string from UNKNOWN
Nov 9 23:07:20 server sshd[18166]: Did not receive identification string from UNKNOWN
Nov 9 23:08:20 server sshd[18307]: Did not receive identification string from UNKNOWN
Well, this is a persistent hacker who did not give up and finally found my new ssh port. (My god, how long does it take to scan from 22 up to 36301???) It seems I can only bring out my killer move: restricting by IP.
vi /etc/hosts.deny
sshd: ALL EXCEPT xxx.xxx.xxx.0/255.255.255.0 zzz.zzz.zzz.zzz yyy.yyy.yyy.0/255.255.255.0
The line above means that every IP address is refused ssh login except the ones I listed. I use ADSL for Internet access, and my address usually comes from one of two IP pools, so xxx.xxx.xxx.0 and yyy.yyy.yyy.0 above are my dynamic ADSL segments; zzz.zzz.zzz.zzz is my fixed IP address at work. If my ADSL segment ever changes, will the server reject my login? So be careful when rejecting IP addresses, and do not lock yourself out of the door. Haha.
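As an added example (not part of the original post) of the lock-out risk described above, this Python function evaluates a hosts.deny "ALL EXCEPT" line roughly the way tcp_wrappers would for a given client address, using the net/mask form shown. The addresses are hypothetical documentation ranges standing in for xxx/yyy/zzz, and it also unwraps the ::ffff: IPv4-mapped form that appears in the refused-connect log entries further down.

```python
import ipaddress

# Constructed rule in the form used above. The xxx/yyy/zzz placeholders are replaced by
# hypothetical RFC 5737 documentation ranges purely for illustration.
HOSTS_DENY_LINE = "sshd: ALL EXCEPT 192.0.2.0/255.255.255.0 203.0.113.7 198.51.100.0/255.255.255.0"

def parse_hosts_deny(line):
    """Split 'daemon: ALL EXCEPT client-list' into the daemon name and its exception networks."""
    daemon, _, clients = line.partition(":")
    tokens = clients.split()
    if tokens[:2] != ["ALL", "EXCEPT"]:
        raise ValueError("only 'ALL EXCEPT ...' lines are handled in this example")
    nets = []
    for tok in tokens[2:]:
        if "/" in tok:
            net, mask = tok.split("/", 1)           # tcp_wrappers net/mask form
            nets.append(ipaddress.ip_network("%s/%s" % (net, mask), strict=False))
        else:
            nets.append(ipaddress.ip_network(tok))  # a single host becomes a /32
    return daemon.strip(), nets

def ssh_allowed(line, client_ip):
    """True if client_ip survives this hosts.deny line. tcp_wrappers consults hosts.allow
    first and also accepts hostnames and wildcards; neither is modelled here."""
    daemon, nets = parse_hosts_deny(line)
    if daemon not in ("sshd", "ALL"):
        return True                                 # line does not apply to sshd
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                         # the log shows ::ffff:66.197.176.130
    return any(ip in net for net in nets)
```

Before saving the file, call `ssh_allowed(HOSTS_DENY_LINE, "<address you are logged in from>")` and make sure it returns True; the last assertion below shows what happens when the ADSL pool changes to a segment that is not listed.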
After this security reinforcement, check the log with tail -fn100 secure
Nov 9 23:48:17 server sshd[30249]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:49:17 server sshd[30319]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:50:17 server sshd[30475]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:51:18 server sshd[30539]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:52:17 server sshd[30609]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:53:17 server sshd[31752]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:54:17 server sshd[31833]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:55:17 server sshd[31978]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:56:22 server sshd[32045]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:57:18 server sshd[32105]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:58:18 server sshd[32171]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:59:17 server sshd[32238]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:00:20 server sshd[32378]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:01:20 server sshd[32450]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:02:19 server sshd [1, 32484]: refused connect fro