Server under brute-force scanning

The server's SSH service has to be exposed to the public internet because of remote administration needs. Even though a series of security measures are in place, such as disabling root login, separating ordinary privileges from administrator privileges, changing the port, and using third-party tools against brute-force attacks, the sshd log still shows countless login attempts every day, and Fail2Ban tirelessly keeps blacklisting these IPs. Yesterday I saw that Fail2Ban can send e-mail alerts, so I configured it; I did not expect the e-mails to come flying in like snowflakes. Almost every minute an IP was banned, and in a single night I received more than a thousand e-mails. Early in the morning, because my phone's Do Not Disturb mode switches off automatically at daybreak, the mail notification sound nearly drove me mad.

Looking at the mail logs, the IPs come from all over the world; they are presumably zombie machines compromised by attackers. A DigitalOcean server I used to maintain was hacked once as well: DO e-mailed me about abuse, presumably because the WordPress on that server had not been upgraded in time and a vulnerability was exploited. Another very serious finding from the logs is that attacks from mainland China or from Chinese providers are especially numerous: nearly half of the IPs come from mainland China or from servers outside the mainland belonging to Alibaba Cloud, Tencent Cloud and the like. This reflects how weak the security awareness of domestic internet operations staff is. So many servers are running while compromised; not only are they used by attackers as zombies to attack other devices, the services running on them are laid bare to the attackers too, and the security of the user data inside them is out of the question.

Here are a few log excerpts picked at random. First, a China Mobile one; it feels as if the attacker controls a whole network segment, since a great many came from this address and similar ones, and one cannot rule out that the carrier's data centre has already been compromised:

Hi,

The IP 221.181.xxx.xxx has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 221.181.xxx.xxx :

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '221.176.0.0 - 221.183.255.255'

% Abuse contact for '221.176.0.0 - 221.183.255.255' is ''

inetnum: 221.176.0.0 - 221.183.255.255
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN
org: ORG-CM1-AP
admin-c: ct74-AP
tech-c: CT74-AP
abuse-c: AC2006-AP
status: ALLOCATED PORTABLE
remarks: ------------------------------
remarks: Please send abuse e-mail to
remarks: 
remarks: Please send probe e-mail to
remarks: 
remarks: -------------------------------
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-CMCC
mnt-routes: MAINT-CN-CMCC
mnt-irt: IRT-CHINAMOBILE-CN
last-modified: 2020-07-15T13:10:04Z
source: APNIC

irt: IRT-CHINAMOBILE-CN
address: China Mobile Communications Corporation
address: 29, Jinrong Ave., Xicheng District, Beijing, 100032
e-mail: 
abuse-mailbox: 
admin-c: CT74-AP
tech-c: CT74-AP
auth: # Filtered
remarks:  was validated on 2020-07-16
mnt-by: MAINT-CN-CMCC
last-modified: 2020-07-16T05:55:01Z
source: APNIC

organisation: ORG-CM1-AP
org-name: China Mobile
country: CN
address: 29, Jinrong Ave.
phone: +86-10-5268-6688
fax-no: +86-10-5261-6187
e-mail: 
mnt-ref: APNIC-HM
mnt-by: APNIC-HM
last-modified: 2019-12-27T12:55:58Z
source: APNIC

role: ABUSE CHINAMOBILECN
address: China Mobile Communications Corporation
address: 29, Jinrong Ave., Xicheng District, Beijing, 100032
country: ZZ
phone: +000000000
e-mail: 
admin-c: CT74-AP
tech-c: CT74-AP
nic-hdl: AC2006-AP
remarks: Generated from irt object IRT-CHINAMOBILE-CN
abuse-mailbox: 
mnt-by: APNIC-ABUSE
last-modified: 2020-07-15T13:10:00Z
source: APNIC

role: chinamobile tech
address: 29, Jinrong Ave.,Xicheng district
address: Beijing
country: CN
phone: +86 5268 6688
fax-no: +86 5261 6187
e-mail: 
admin-c: HL1318-AP
tech-c: HL1318-AP
nic-hdl: ct74-AP
notify: 
mnt-by: MAINT-cn-cmcc
abuse-mailbox: 
last-modified: 2016-11-29T09:37:27Z
source: APNIC

% Information related to '221.176.0.0/13AS9808'

route: 221.176.0.0/13
descr: China Mobile communications corporation
origin: AS9808
mnt-by: MAINT-CN-CMCC
last-modified: 2012-02-15T02:37:24Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-UK4)

China Unicom:

Hi,

The IP 61.48.xxx.xxx has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 61.48.xxx.xxx :

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '61.48.0.0 - 61.51.255.255'

% Abuse contact for '61.48.0.0 - 61.51.255.255' is ''

inetnum: 61.48.0.0 - 61.51.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: SY21-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-BJ
mnt-routes: MAINT-CNCGROUP-RR
mnt-irt: IRT-CU-CN
status: ALLOCATED PORTABLE
last-modified: 2013-08-08T23:05:39Z
source: APNIC

irt: IRT-CU-CN
address: No.21,Financial Street
address: Beijing,100033
address: P.R.China
e-mail: 
abuse-mailbox: 
admin-c: CH1302-AP
tech-c: CH1302-AP
auth: # Filtered
mnt-by: MAINT-CNCGROUP
last-modified: 2017-10-23T05:59:13Z
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: 
address: No.21,Jin-Rong Street
address: Beijing,100033
address: P.R.China
phone: +86-10-66259764
fax-no: +86-10-66259764
country: CN
mnt-by: MAINT-CNCGROUP
last-modified: 2017-08-17T06:13:16Z
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: 
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
last-modified: 2009-06-30T08:42:48Z
source: APNIC

% Information related to '61.48.0.0/14AS4808'

route: 61.48.0.0/14
descr: China Unicom Beijing Province Network
country: CN
origin: AS4808
mnt-by: MAINT-CNCGROUP-RR
last-modified: 2016-05-20T01:24:03Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-UK3)


Then an example from China Telecom:

Hi,

The IP 222.187.xxx.xxx has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 222.187.xxx.xxx :

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '222.184.0.0 - 222.191.255.255'

% Abuse contact for '222.184.0.0 - 222.191.255.255' is ''

inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
mnt-irt: IRT-CHINANET-CN
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
status: ALLOCATED PORTABLE
last-modified: 2020-02-04T05:38:43Z
source: APNIC

irt: IRT-CHINANET-CN
address: No.31 ,jingrong street,beijing
address: 100032
e-mail: 
abuse-mailbox: 
admin-c: CH93-AP
tech-c: CH93-AP
auth: # Filtered
mnt-by: MAINT-CHINANET
last-modified: 2010-11-15T00:31:55Z
source: APNIC

role: CHINANET JIANGSU
address: 260 Zhongyang Road,Nanjing 210037
country: CN
phone: +86-25-86588231
phone: +86-25-86588745
fax-no: +86-25-86588104
e-mail: 
remarks: send anti-spam reports to 
remarks: send abuse reports to 
remarks: times in GMT+8
remarks: www.jsinfo.net
admin-c: CH360-AP
tech-c: CS306-AP
tech-c: CN142-AP
nic-hdl: CJ186-AP
notify: 
mnt-by: MAINT-CHINANET-JS
last-modified: 2020-04-02T09:18:02Z
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: 
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
mnt-by: MAINT-CHINANET
last-modified: 2014-02-27T03:37:38Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-UK3)


And one more example, from Tencent:

Hi,

The IP 101.32.xxx.xxx has just been banned by Fail2Ban after
5 attempts against sshd.


Here is more information about 101.32.xxx.xxx :

% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '101.32.0.0 - 101.32.255.255'

% Abuse contact for '101.32.0.0 - 101.32.255.255' is ''

inetnum: 101.32.0.0 - 101.32.255.255
netname: ACEVILLEPTELTD-SG
descr: ACEVILLE PTE.LTD.
descr: 16 COLLYER QUAY
descr: # 18-29
descr: INCOME AT RAFFLES
country: SG
org: ORG-AP2-AP
admin-c: APA7-AP
tech-c: APA7-AP
abuse-c: AA1875-AP
status: ALLOCATED PORTABLE
remarks: --------------------------------------------------------
remarks: To report network abuse, please contact mnt-irt
remarks: For troubleshooting, please contact tech-c and admin-c
remarks: Report invalid contact via www.apnic.net/invalidcontact
remarks: --------------------------------------------------------
mnt-by: APNIC-HM
mnt-lower: MAINT-ACEVILLEPTELTD-SG
mnt-routes: MAINT-ACEVILLEPTELTD-SG
mnt-irt: IRT-ACEVILLEPTELTD-SG
last-modified: 2020-07-22T13:11:03Z
source: APNIC

irt: IRT-ACEVILLEPTELTD-SG
address: 16 COLLYER QUAY, # 18-29, INCOME AT RAFFLES, SINGAPORE
e-mail: 
abuse-mailbox: 
admin-c: APA7-AP
tech-c: APA7-AP
auth: # Filtered
remarks:  is invalid
mnt-by: MAINT-ACEVILLEPTELTD-SG
last-modified: 2020-07-22T13:08:42Z
source: APNIC

organisation: ORG-AP2-AP
org-name: ACEVILLE PTE.LTD.
country: SG
address: 16 COLLYER QUAY
address: # 18-29
address: INCOME AT RAFFLES
phone: +8613923479936
e-mail: 
mnt-ref: APNIC-HM
mnt-by: APNIC-HM
last-modified: 2018-02-05T12:57:01Z
source: APNIC

role: ABUSE ACEVILLEPTELTDSG
address: 16 COLLYER QUAY, # 18-29, INCOME AT RAFFLES, SINGAPORE
country: ZZ
phone: +000000000
e-mail: 
admin-c: APA7-AP
tech-c: APA7-AP
nic-hdl: AA1875-AP
remarks: Generated from irt object IRT-ACEVILLEPTELTD-SG
abuse-mailbox: 
mnt-by: APNIC-ABUSE
last-modified: 2020-07-22T13:11:02Z
source: APNIC

role: ACEVILLE PTELTD administrator
address: 16 COLLYER QUAY, #18-29, INCOME AT RAFFLES, SINGAPORE
country: SG
phone: +8613923479936
fax-no: +8613923479936
e-mail: 
admin-c: APA7-AP
tech-c: APA7-AP
nic-hdl: APA7-AP
mnt-by: MAINT-ACEVILLEPTELTD-SG
last-modified: 2019-02-27T04:02:48Z
source: APNIC

% Information related to '101.32.0.0/16AS132203'

route: 101.32.0.0/16
origin: AS132203
descr: ACEVILLE PTE.LTD.
16 COLLYER QUAY
#18-29
INCOME AT RAFFLES
mnt-by: MAINT-ACEVILLEPTELTD-SG
last-modified: 2019-11-22T02:36:15Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-UK3)
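The four notifications above all share one layout: a "The IP ... has just been banned" line followed by a whois dump whose first `inetnum:`/`netname:`/`country:` fields describe the allocated block (later `country:` lines belong to contact objects and are often `ZZ`). Rather than counting a thousand e-mails by hand, a short script can tally them by origin network. This is an added example, not code from the original post; the sample mails are constructed with RFC 5737 test addresses and the netnames seen in the real dumps, and the `SAMPLE_MAILS` list and helper names are my own.

```python
"""Tally Fail2Ban ban notifications by origin network (added example)."""
import re
from collections import Counter

# Matches the first line of a Fail2Ban "action_mw" style notification.
IP_RE = re.compile(
    r"The IP (\S+) has just been banned by Fail2Ban after\s+(\d+) attempts against (\S+)\."
)


def parse_notification(text):
    """Extract IP, attempt count, jail and the whois block's netname/country.

    Only the first 'country:' after 'inetnum:' is used, because the contact
    objects that follow carry their own (often placeholder 'ZZ') country.
    """
    m = IP_RE.search(text)
    if not m:
        return None
    ip, attempts, jail = m.group(1), int(m.group(2)), m.group(3)
    netname = country = None
    seen_inetnum = False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            seen_inetnum = True
        elif key == "netname" and netname is None:
            netname = value
        elif key == "country" and seen_inetnum and country is None:
            country = value
    return {"ip": ip, "attempts": attempts, "jail": jail,
            "netname": netname or "UNKNOWN", "country": country or "ZZ"}


def tally(mails):
    """Count bans per country and per (country, netname)."""
    by_country, by_net = Counter(), Counter()
    for mail in mails:
        rec = parse_notification(mail)
        if rec is None:
            continue  # not a ban notification; skip it
        by_country[rec["country"]] += 1
        by_net[(rec["country"], rec["netname"])] += 1
    return by_country, by_net


def share(by_country, code):
    """Fraction of all bans attributed to one country code."""
    total = sum(by_country.values())
    return by_country[code] / total if total else 0.0


def _mail(ip, inetnum, netname, country, contact_country="ZZ"):
    # Constructed sample in the same layout as the real notifications.
    return f"""Hi,

The IP {ip} has just been banned by Fail2Ban after
5 attempts against sshd.

Here is more information about {ip} :

inetnum: {inetnum}
netname: {netname}
country: {country}
mnt-irt: IRT-EXAMPLE

role: ABUSE EXAMPLE
country: {contact_country}
phone: +000000000
"""


# Constructed data: TEST-NET addresses, netnames borrowed from the dumps above.
SAMPLE_MAILS = [
    _mail("192.0.2.10", "192.0.2.0 - 192.0.2.255", "CMNET", "CN"),
    _mail("192.0.2.11", "192.0.2.0 - 192.0.2.255", "CMNET", "CN"),
    _mail("198.51.100.5", "198.51.100.0 - 198.51.100.255", "CHINANET-JS", "CN"),
    _mail("203.0.113.8", "203.0.113.0 - 203.0.113.255", "ACEVILLEPTELTD-SG", "SG"),
    _mail("203.0.113.9", "203.0.113.0 - 203.0.113.255", "EXAMPLE-DE", "DE"),
]

if __name__ == "__main__":
    by_country, by_net = tally(SAMPLE_MAILS)
    for (cc, net), n in by_net.most_common():
        print(f"{cc} {net:<20} {n}")
    print(f"CN share: {share(by_country, 'CN'):.0%}")
```

Pointing the script at a mailbox export (one notification per message) gives the per-country breakdown the post estimates by eye; the `jail` field lets the same tally separate sshd from any other jail that also mails you.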

Later I upgraded the Fail2Ban configuration to make it stricter, with the ban period now counted in days, and after the change the number of e-mails finally dropped somewhat. But yesterday, while testing whether e-mail delivery worked, I deliberately entered the wrong password five times from my own computer as an experiment and was banned for ten minutes, which was acceptable. After changing the configuration today, I found that my ban record from yesterday had not yet reached the ban period in my new settings, so my own computer could no longer connect to my server... It seems this tool decides whether a ban has expired from the time of the password failures. I really outsmarted myself. Let this also be a warning to everyone: with Fail2Ban set up wrongly you may lock yourself out of your server too, and losing access permanently is not impossible.
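The lockout described above follows from how Fail2Ban restores bans: it keeps a persistent database of bans and, on reload or restart, keeps every entry whose time of ban plus the jail's current `bantime` is still in the future. Raising `bantime` from ten minutes to days therefore revives a ban that had already expired under the old setting. The model below is an added example, not Fail2Ban's own code; the ban records, times and addresses are constructed (RFC 5737 ranges), `parse_bantime` handles only the plain-seconds and single-suffix duration forms, and the function names are my own.

```python
"""Model of ban restoration after a bantime change (added example)."""
from datetime import datetime, timedelta
import ipaddress


def parse_bantime(value):
    """Convert a jail.local bantime such as '600', '10m' or '3d' to seconds.

    Assumption: only plain seconds and s/m/h/d/w suffixes are handled here;
    Fail2Ban itself accepts more spellings.
    """
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = value.strip()
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def is_ignored(ip, ignoreip):
    """True if ip falls inside any address or CIDR listed in ignoreip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip)


def restored_bans(ban_db, bantime, now, ignoreip=()):
    """IPs still banned when the jail is reloaded with `bantime` seconds.

    ban_db is a list of (ip, time_of_ban).  The check uses the *current*
    bantime, not the one in force when the ban was recorded, which is why a
    ban that had lapsed under a short bantime comes back under a long one.
    """
    active = []
    for ip, time_of_ban in ban_db:
        if is_ignored(ip, ignoreip):
            continue  # whitelisted addresses are never (re)banned
        if time_of_ban + timedelta(seconds=bantime) > now:
            active.append(ip)
    return active


# Constructed timeline: my own workstation (203.0.113.7) tripped the jail last
# night under bantime = 10m; two bots were banned a few minutes ago.
BAN_DB = [
    ("203.0.113.7", datetime(2020, 7, 27, 22, 0)),    # own test, last night
    ("198.51.100.9", datetime(2020, 7, 28, 8, 15)),   # bot
    ("192.0.2.44", datetime(2020, 7, 28, 8, 16)),     # bot
]
NOW = datetime(2020, 7, 28, 8, 20)


def scenario():
    """Before the change, after raising bantime, and with ignoreip set."""
    before = restored_bans(BAN_DB, parse_bantime("10m"), NOW)
    after = restored_bans(BAN_DB, parse_bantime("3d"), NOW)
    with_whitelist = restored_bans(BAN_DB, parse_bantime("3d"), NOW,
                                   ignoreip=("203.0.113.0/24",))
    return before, after, with_whitelist


if __name__ == "__main__":
    before, after, safe = scenario()
    print("bantime 10m :", before)   # own IP expired long ago
    print("bantime 3d  :", after)    # own IP is banned again
    print("with ignoreip:", safe)    # own range exempt, bots still banned
```

The practical fix is the `ignoreip` line in `jail.local` (your management addresses or range), which Fail2Ban applies before it bans or restores anything; if you are already locked out, an out-of-band console and `fail2ban-client set sshd unbanip <your-ip>` clears the entry without waiting for the new bantime to elapse.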
