Fórum Ubuntu CZ/SK
Ubuntu for personal computers => Internet and networking => Topic started by: Krysař, 29 March 2015, 22:26:31
-
Greetings, everyone!
I don't understand what I did to deserve it, but somebody is interested in my Raspberry Pi.
It seemed odd to me that the LED on the router was blinking like mad when there should be almost no traffic on the network, and I found some interesting reading in auth.log. The excerpt below is an older one; the newer records are very similar, only the lines ending in "POSSIBLE BREAK-IN ATTEMPT!" are no longer there. They tried hard: the total size of the auth.log.x files is over 80 MiB (uncompressed).
For now I have blocked access from outside, but I would like to get it working again. So I would like to ask the knowledgeable and experienced what to check and search through, to see whether they got in somewhere after all.
And possibly some advice on how to improve security.
Thanks, Jirka.
Mar 6 09:52:15 raspberrypi sshd[11636]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:15 raspberrypi sshd[11632]: Failed password for root from 218.65.30.107 port 57752 ssh2
Mar 6 09:52:15 raspberrypi sshd[11640]: Failed password for root from 183.136.216.4 port 35801 ssh2
Mar 6 09:52:16 raspberrypi sshd[11632]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:52:16 raspberrypi sshd[11632]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:17 raspberrypi sshd[11640]: Failed password for root from 183.136.216.4 port 35801 ssh2
Mar 6 09:52:17 raspberrypi sshd[11644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:17 raspberrypi sshd[11640]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:52:17 raspberrypi sshd[11640]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:18 raspberrypi sshd[11648]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:52:19 raspberrypi sshd[11648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:19 raspberrypi sshd[11644]: Failed password for root from 103.41.124.37 port 45440 ssh2
Mar 6 09:52:20 raspberrypi sshd[11652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:20 raspberrypi sshd[11648]: Failed password for root from 218.65.30.107 port 53607 ssh2
Mar 6 09:52:21 raspberrypi sshd[11644]: Failed password for root from 103.41.124.37 port 45440 ssh2
Mar 6 09:52:22 raspberrypi sshd[11652]: Failed password for root from 183.136.216.4 port 36841 ssh2
Mar 6 09:52:22 raspberrypi sshd[11648]: Failed password for root from 218.65.30.107 port 53607 ssh2
Mar 6 09:52:23 raspberrypi sshd[11644]: Failed password for root from 103.41.124.37 port 45440 ssh2
Mar 6 09:52:23 raspberrypi sshd[11644]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:52:23 raspberrypi sshd[11644]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:24 raspberrypi sshd[11652]: Failed password for root from 183.136.216.4 port 36841 ssh2
Mar 6 09:52:25 raspberrypi sshd[11648]: Failed password for root from 218.65.30.107 port 53607 ssh2
Mar 6 09:52:26 raspberrypi sshd[11648]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:52:26 raspberrypi sshd[11648]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:26 raspberrypi sshd[11656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:26 raspberrypi sshd[11652]: Failed password for root from 183.136.216.4 port 36841 ssh2
Mar 6 09:52:27 raspberrypi sshd[11652]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:52:27 raspberrypi sshd[11652]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:27 raspberrypi sshd[11656]: Failed password for root from 103.41.124.37 port 38186 ssh2
Mar 6 09:52:28 raspberrypi sshd[11660]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:52:28 raspberrypi sshd[11660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:29 raspberrypi sshd[11656]: Failed password for root from 103.41.124.37 port 38186 ssh2
Mar 6 09:52:30 raspberrypi sshd[11660]: Failed password for root from 218.65.30.107 port 46097 ssh2
Mar 6 09:52:32 raspberrypi sshd[11656]: Failed password for root from 103.41.124.37 port 38186 ssh2
Mar 6 09:52:32 raspberrypi sshd[11664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:32 raspberrypi sshd[11656]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:52:32 raspberrypi sshd[11656]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:32 raspberrypi sshd[11660]: Failed password for root from 218.65.30.107 port 46097 ssh2
Mar 6 09:52:34 raspberrypi sshd[11664]: Failed password for root from 183.136.216.4 port 39557 ssh2
Mar 6 09:52:34 raspberrypi sshd[11668]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:35 raspberrypi sshd[11660]: Failed password for root from 218.65.30.107 port 46097 ssh2
Mar 6 09:52:35 raspberrypi sshd[11660]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:52:35 raspberrypi sshd[11660]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:36 raspberrypi sshd[11668]: Failed password for root from 103.41.124.37 port 57632 ssh2
Mar 6 09:52:37 raspberrypi sshd[11664]: Failed password for root from 183.136.216.4 port 39557 ssh2
Mar 6 09:52:37 raspberrypi sshd[11672]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:52:37 raspberrypi sshd[11672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:39 raspberrypi sshd[11664]: Failed password for root from 183.136.216.4 port 39557 ssh2
Mar 6 09:52:39 raspberrypi sshd[11672]: Failed password for root from 218.65.30.107 port 37117 ssh2
Mar 6 09:52:39 raspberrypi sshd[11668]: Failed password for root from 103.41.124.37 port 57632 ssh2
Mar 6 09:52:39 raspberrypi sshd[11664]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:52:39 raspberrypi sshd[11664]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:41 raspberrypi sshd[11672]: Failed password for root from 218.65.30.107 port 37117 ssh2
Mar 6 09:52:41 raspberrypi sshd[11668]: Failed password for root from 103.41.124.37 port 57632 ssh2
Mar 6 09:52:41 raspberrypi sshd[11668]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:52:41 raspberrypi sshd[11668]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:42 raspberrypi sshd[11676]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:44 raspberrypi sshd[11672]: Failed password for root from 218.65.30.107 port 37117 ssh2
Mar 6 09:52:44 raspberrypi sshd[11676]: Failed password for root from 183.136.216.4 port 48437 ssh2
Mar 6 09:52:44 raspberrypi sshd[11680]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:44 raspberrypi sshd[11672]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:52:44 raspberrypi sshd[11672]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:46 raspberrypi sshd[11684]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:52:46 raspberrypi sshd[11680]: Failed password for root from 103.41.124.37 port 50742 ssh2
Mar 6 09:52:46 raspberrypi sshd[11676]: Failed password for root from 183.136.216.4 port 48437 ssh2
Mar 6 09:52:46 raspberrypi sshd[11684]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:48 raspberrypi sshd[11684]: Failed password for root from 218.65.30.107 port 55421 ssh2
Mar 6 09:52:48 raspberrypi sshd[11680]: Failed password for root from 103.41.124.37 port 50742 ssh2
Mar 6 09:52:49 raspberrypi sshd[11676]: Failed password for root from 183.136.216.4 port 48437 ssh2
Mar 6 09:52:49 raspberrypi sshd[11676]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:52:49 raspberrypi sshd[11676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:50 raspberrypi sshd[11680]: Failed password for root from 103.41.124.37 port 50742 ssh2
Mar 6 09:52:50 raspberrypi sshd[11680]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:52:50 raspberrypi sshd[11680]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:51 raspberrypi sshd[11684]: Failed password for root from 218.65.30.107 port 55421 ssh2
Mar 6 09:52:52 raspberrypi sshd[11688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:52:53 raspberrypi sshd[11692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:52:54 raspberrypi sshd[11684]: Failed password for root from 218.65.30.107 port 55421 ssh2
Mar 6 09:52:54 raspberrypi sshd[11684]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:52:54 raspberrypi sshd[11684]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:54 raspberrypi sshd[11688]: Failed password for root from 183.136.216.4 port 49553 ssh2
Mar 6 09:52:55 raspberrypi sshd[11692]: Failed password for root from 103.41.124.37 port 42568 ssh2
Mar 6 09:52:56 raspberrypi sshd[11696]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:52:56 raspberrypi sshd[11696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:52:57 raspberrypi sshd[11688]: Failed password for root from 183.136.216.4 port 49553 ssh2
Mar 6 09:52:57 raspberrypi sshd[11692]: Failed password for root from 103.41.124.37 port 42568 ssh2
Mar 6 09:52:58 raspberrypi sshd[11696]: Failed password for root from 218.65.30.107 port 48168 ssh2
Mar 6 09:52:59 raspberrypi sshd[11688]: Failed password for root from 183.136.216.4 port 49553 ssh2
Mar 6 09:52:59 raspberrypi sshd[11692]: Failed password for root from 103.41.124.37 port 42568 ssh2
Mar 6 09:52:59 raspberrypi sshd[11688]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:52:59 raspberrypi sshd[11688]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:53:00 raspberrypi sshd[11692]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:53:00 raspberrypi sshd[11692]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:53:00 raspberrypi sshd[11696]: Failed password for root from 218.65.30.107 port 48168 ssh2
Mar 6 09:53:02 raspberrypi sshd[11704]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:53:02 raspberrypi sshd[11696]: Failed password for root from 218.65.30.107 port 48168 ssh2
Mar 6 09:53:02 raspberrypi sshd[11700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:53:03 raspberrypi sshd[11696]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar 6 09:53:03 raspberrypi sshd[11696]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:53:04 raspberrypi sshd[11704]: Failed password for root from 103.41.124.37 port 35315 ssh2
Mar 6 09:53:04 raspberrypi sshd[11700]: Failed password for root from 183.136.216.4 port 52911 ssh2
Mar 6 09:53:06 raspberrypi sshd[11704]: Failed password for root from 103.41.124.37 port 35315 ssh2
Mar 6 09:53:07 raspberrypi sshd[11700]: Failed password for root from 183.136.216.4 port 52911 ssh2
Mar 6 09:53:08 raspberrypi sshd[11708]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 6 09:53:08 raspberrypi sshd[11708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.65.30.107 user=root
Mar 6 09:53:09 raspberrypi sshd[11704]: Failed password for root from 103.41.124.37 port 35315 ssh2
Mar 6 09:53:09 raspberrypi sshd[11704]: Received disconnect from 103.41.124.37: 11: [preauth]
Mar 6 09:53:09 raspberrypi sshd[11704]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:53:09 raspberrypi sshd[11700]: Failed password for root from 183.136.216.4 port 52911 ssh2
Mar 6 09:53:09 raspberrypi sshd[11700]: Received disconnect from 183.136.216.4: 11: [preauth]
Mar 6 09:53:09 raspberrypi sshd[11700]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:53:10 raspberrypi sshd[11708]: Failed password for root from 218.65.30.107 port 38268 ssh2
Mar 6 09:53:11 raspberrypi sshd[11712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.37 user=root
Mar 6 09:53:12 raspberrypi sshd[11708]: Failed password for root from 218.65.30.107 port 38268 ssh2
Mar 6 09:53:13 raspberrypi sshd[11716]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.136.216.4 user=root
Mar 6 09:53:13 raspberrypi sshd[11712]: Failed password for root from 103.41.124.37 port 55986 ssh2
Mar 6 09:53:14 raspberrypi sshd[11716]: Failed password for root from 183.136.216.4 port 54550 ssh2
Mar 6 09:53:14 raspberrypi sshd[11708]: Failed password for root from 218.65.30.107 port 38268 ssh2
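To answer the question of what to look for in those logs, here is an added example in bash (written for this page, not taken from the original post or any reply): it counts the failed attempts per source address and per account name, lists the reverse-DNS warnings, and, most importantly, lists the logins that actually succeeded, which is what decides whether anyone got in. The sample auth.log lines inside are constructed to match the format quoted above; point the functions at the real /var/log/auth.log* files instead.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: summarise the sshd noise in
# an auth.log and, more importantly, pull out the logins that succeeded.
# Works on the syslog-style lines quoted above; read-only, no root needed.

# Constructed sample in the same format as the post (not real traffic).
sample_authlog() {
    cat <<'EOF'
Mar  6 09:52:15 raspberrypi sshd[11632]: Failed password for root from 218.65.30.107 port 57752 ssh2
Mar  6 09:52:15 raspberrypi sshd[11640]: Failed password for root from 183.136.216.4 port 35801 ssh2
Mar  6 09:52:16 raspberrypi sshd[11632]: Received disconnect from 218.65.30.107: 11: [preauth]
Mar  6 09:52:17 raspberrypi sshd[11640]: Failed password for root from 183.136.216.4 port 35801 ssh2
Mar  6 09:52:18 raspberrypi sshd[11648]: reverse mapping checking getaddrinfo for 107.30.65.218.broad.xy.jx.dynamic.163data.com.cn [218.65.30.107] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  6 09:52:20 raspberrypi sshd[11648]: Failed password for root from 218.65.30.107 port 53607 ssh2
Mar  6 09:52:22 raspberrypi sshd[11648]: Failed password for root from 218.65.30.107 port 53607 ssh2
Mar  6 09:52:30 raspberrypi sshd[11655]: Failed password for invalid user admin from 103.41.124.37 port 45440 ssh2
Mar  6 10:14:02 raspberrypi sshd[11700]: Accepted publickey for pi from 192.168.1.20 port 50122 ssh2
Mar  6 10:14:02 raspberrypi sshd[11700]: pam_unix(sshd:session): session opened for user pi by (uid=0)
EOF
}

# Failed password attempts per source address, busiest first.
# Usage: ssh_fail_summary /var/log/auth.log /var/log/auth.log.1 ...
# (rotated .gz files need zcat first; grep reads only plain text here)
ssh_fail_summary() {
    grep -h 'sshd\[[0-9]*\]: Failed password for ' "$@" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break } }
             END { for (a in n) printf "%d %s\n", n[a], a }' \
      | sort -rn
}

# Which account names were tried ("invalid user X" means no such account exists).
ssh_fail_users() {
    grep -h 'sshd\[[0-9]*\]: Failed password for ' "$@" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "for") {
                   u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); n[u]++; break } }
             END { for (u in n) printf "%d %s\n", n[u], u }' \
      | sort -rn
}

# Successful logins: the question that actually matters after a brute-force
# run. Prints "month day time method user source" for every Accepted line.
ssh_accepted() {
    grep -h 'sshd\[[0-9]*\]: Accepted ' "$@" \
      | awk '{ u = ""; ip = ""
               for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
               print $1, $2, $3, $7, u, ip }'
}

# Sources whose reverse DNS did not map back to the address (the
# "POSSIBLE BREAK-IN ATTEMPT!" lines). Informational only: that message is
# about a DNS mismatch, not about a successful intrusion.
ssh_revdns_warnings() {
    grep -h 'POSSIBLE BREAK-IN ATTEMPT' "$@" \
      | sed -n 's/.*\[\([0-9.]*\)\] failed.*/\1/p' | sort | uniq -c | sort -rn
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
sample_authlog > "$tmp"
printf '== failed logins per source ==\n'; ssh_fail_summary "$tmp"
printf '== account names tried ==\n';      ssh_fail_users "$tmp"
printf '== reverse-DNS warnings ==\n';     ssh_revdns_warnings "$tmp"
printf '== successful logins ==\n';        ssh_accepted "$tmp"
rm -f "$tmp"
```

Read the ssh_accepted output first: a login from an address you do not recognise, or any "Accepted password for root", is the thing to worry about; if the only accepted logins are your own, the guesses in the log did not get through sshd (assuming the logs are intact). Beyond auth.log, `last` and `lastlog`, unknown entries in ~/.ssh/authorized_keys, and unexpected crontab or /etc/rc.local entries are the usual places to look for signs that someone got in another way.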
-
Some basic tips:
1) disable root
2) put a strong password on the accounts allowed in sshd
3) change the ssh port from 22 to some other one and set up a firewall (on the RPi, or even on the router) so that it drops everything on port 22.
4) if only you use the RPi, put a range of allowed IPs for the ssh port into the firewall. It would be better to set up the router's firewall directly; at least it won't load the rest of the network.
EDIT: I read something about port knocking somewhere; that is another way to make an attack harder.
-
I solved it by blocking communication with certain countries (Afghanistan, China, India, Iran, Russia, etc.) and also blocked the "known companies" according to the Spamhaus Project list. See the attached file; there are some lists and two scripts that set up rules in iptables. Hopefully it helps; just adjust them to suit you. I keep them in /root.
-
Oh, and one more important thing: do not log in with a password but with a private key, and of course disable password login. See e.g. https://wiki.archlinux.org/index.php/SSH_keys
-
please read `man sshd_config`
-
I would solve it with a firewall and allow ssh connections only from trusted IP addresses. There is no point having that port open to the whole internet; there are of course more options.
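The replies above (disable root, keys instead of passwords, another port plus a firewall that only admits trusted addresses, and `man sshd_config`) are steps of one hardening procedure. This added example, written for this page rather than taken from any poster, checks an existing sshd_config against that advice, prints a hardened configuration and the matching iptables rules. The port 2222, the user pi and the network 192.168.1.0/24 are placeholder assumptions; the script only prints, so nothing changes until you apply it yourself.

```bash
#!/usr/bin/env bash
# Added example pulling the replies' advice together (not from any poster):
# audit an sshd_config for the settings discussed above, then print a
# hardened config and the matching iptables rules. Nothing is applied.
# Assumed placeholders: port 2222, user "pi", trusted LAN 192.168.1.0/24.

# The first uncommented occurrence of a keyword wins in sshd_config, so
# mirror that. Match blocks are not handled; keep global settings above them.
sshd_opt() {  # sshd_opt <file> <keyword> <default if absent>
    local v
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Returns 0 when the file matches the thread's advice (no root, no passwords,
# keys on), 1 otherwise, listing each problem. Defaults assume an older sshd
# where root and password logins are on unless switched off.
sshd_audit() {  # sshd_audit <sshd_config>
    local f=$1 bad=0
    [ "$(sshd_opt "$f" PermitRootLogin yes)" = no ] \
        || { echo "PermitRootLogin is not 'no': root is reachable over the network"; bad=1; }
    [ "$(sshd_opt "$f" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is on: password guessing stays possible"; bad=1; }
    [ "$(sshd_opt "$f" PubkeyAuthentication yes)" = yes ] \
        || { echo "PubkeyAuthentication is off: key login would not work"; bad=1; }
    [ "$(sshd_opt "$f" ChallengeResponseAuthentication yes)" = no ] \
        || { echo "ChallengeResponseAuthentication is on: PAM can still prompt for a password"; bad=1; }
    [ "$(sshd_opt "$f" Port 22)" != 22 ] \
        || echo "note: still on port 22 (moving it only cuts log noise, it is not a control)"
    return "$bad"
}

# Hardened settings. On sshd 8.2+ with an Include line for
# /etc/ssh/sshd_config.d/ drop this in there; on older systems paste it at
# the top of /etc/ssh/sshd_config. ChallengeResponseAuthentication is the
# older name of KbdInteractiveAuthentication and is still accepted.
hardened_sshd_conf() {  # hardened_sshd_conf <port> <user allowed to log in>
    cat <<EOF
Port $1
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
AllowUsers $2
EOF
}

# Firewall: accept new SSH connections only from the trusted range, drop the
# rest and anything still aimed at 22. Printed, not executed; run as root
# after reading, and keep the current session open until a new one works.
fw_rules() {  # fw_rules <ssh port> <trusted cidr>
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $1 -s $2 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $1 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Demo on a constructed "before" config with the defaults many installs ship.
weak=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
echo "== audit of the weak config =="
sshd_audit "$weak" || echo "-> needs work"
echo "== hardened config =="
hardened_sshd_conf 2222 pi
echo "== firewall rules =="
fw_rules 2222 192.168.1.0/24
rm -f "$weak"
```

Apply the config and the firewall rules from a session you keep open, restart sshd, and test a fresh key-based login from the trusted range before closing it; a typo in AllowUsers or a missing authorized_keys entry otherwise locks you out of the Pi. Country and Spamhaus block lists (second reply) reduce noise, but the control that makes the guesses in the log harmless whichever address they come from is PasswordAuthentication no together with a key in ~/.ssh/authorized_keys.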