[Question] cron closes root's remote connection every so often

Web, Mail, Ftp, DNS, Proxy, VPN, Samba, LDAP and other basic network services
roamer
Posts: 43
Joined: 2007-04-18 3:09
From: UESTC


#1

Post by roamer » 2007-12-09 21:35

I installed the server edition of Ubuntu in a virtual machine, set up a website on it, and administer it remotely over ssh. At the start, through a moment of carelessness, I set the root account password to just 123456, and later found that it was being brute-forced:
Oct 25 07:07:17 roamer sshd[4263]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com
Oct 25 07:07:19 roamer sshd[4263]: Failed password for invalid user margarethe from 61.183.139.138 port 47682 ssh2
Oct 25 07:07:55 roamer sshd[4265]: Invalid user milind from 61.183.139.138
Oct 25 07:07:55 roamer sshd[4265]: (pam_unix) check pass; user unknown
Oct 25 07:07:55 roamer sshd[4265]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com
Oct 25 07:07:57 roamer sshd[4265]: Failed password for invalid user milind from 61.183.139.138 port 53583 ssh2
Oct 25 07:11:22 roamer sshd[4273]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com user=root
Oct 25 07:11:23 roamer sshd[4273]: Failed password for root from 61.183.139.138 port 52583 ssh2
Oct 25 07:11:58 roamer sshd[4275]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com user=root
Oct 25 07:12:00 roamer sshd[4275]: Failed password for root from 61.183.139.138 port 58002 ssh2
Oct 25 07:12:06 roamer sshd[4277]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com user=root
Oct 25 07:12:08 roamer sshd[4277]: Failed password for root from 61.183.139.138 port 59341 ssh2
Oct 25 07:12:17 roamer sshd[4279]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com user=root
Oct 25 07:12:19 roamer sshd[4279]: Failed password for root from 61.183.139.138 port 60228 ssh2
Oct 25 07:13:16 roamer sshd[4281]: Invalid user shoichi from 61.183.139.138
Oct 25 07:13:16 roamer sshd[4281]: (pam_unix) check pass; user unknown
Oct 25 07:13:16 roamer sshd[4281]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com
Oct 25 07:13:18 roamer sshd[4281]: Failed password for invalid user shoichi from 61.183.139.138 port 39624 ssh2
Oct 25 07:14:28 roamer sshd[4285]: Invalid user whatnot from 61.183.139.138
Oct 25 07:14:28 roamer sshd[4285]: (pam_unix) check pass; user unknown
Oct 25 07:14:28 roamer sshd[4285]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mails.tecomtech.com
Oct 25 07:14:30 roamer sshd[4285]: Failed password for invalid user whatnot from 61.183.139.138 port 49921 ssh2
Oct 25 07:15:04 roamer sshd[4287]: Invalid user tuelay from 61.183.139.138

I don't know whether the password was ever cracked.
Now when I log in to the virtual machine remotely, the connection gets closed before long, and after a while I can connect again. I looked at the log; the entries are as follows:
Nov 10 02:23:59 roamer sshd[4143]: (pam_unix) session opened for user root by root(uid=0)
Nov 10 02:29:48 roamer sshd[4157]: Accepted password for root from 202.38.*.* port 1153 ssh2
Nov 10 02:29:48 roamer sshd[4159]: (pam_unix) session opened for user root by root(uid=0)
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session opened for user root by (uid=0)
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session closed for user root
Nov 10 04:12:24 roamer sshd[4141]: channel_by_id: 0: bad id: channel free
Nov 10 04:12:24 roamer sshd[4141]: Disconnecting: Received oclose for nonexistent channel 0.
Nov 10 04:17:01 roamer CRON[4510]: (pam_unix) session opened for user root by (uid=0)
Nov 10 04:17:01 roamer CRON[4510]: (pam_unix) session closed for user root
Nov 10 20:17:20 roamer sshd[4043]: Server listening on :: port 22.
Nov 10 20:17:52 roamer sshd[4115]: Accepted password for root from 202.38.*.* port 1748 ssh2
Nov 10 20:17:52 roamer sshd[4117]: (pam_unix) session opened for user root by root(uid=0)

Can anyone help me solve this problem? Thanks!
todaypuzzleme
Posts: 79
Joined: 2007-06-08 22:43

#2

Post by todaypuzzleme » 2007-12-11 11:42

First determine whether you have been compromised: check /var/log/auth.log for records of successful logins from unknown remote addresses.
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session opened for user root by (uid=0)
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session closed for user root
I suspect you are being kicked off while connected. You could try restricting the source IP addresses allowed to reach ssh, for example with iptables, and then, once it is secured, stay connected for a while and see.
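An added example for the check todaypuzzleme describes (this is not code from either poster): a small Python triage script for the kinds of auth.log lines shown in post #1. It counts failed password attempts per source address (the brute-force pattern in the first log), flags any Accepted login whose source is outside a set of networks you declare trusted, and separates CRON's pam_unix session lines from sshd's, since the hourly CRON[...] "session opened/closed for user root" pairs at xx:17:01 are cron running a job, not a network connection. The sample log is constructed for this example using documentation addresses (192.0.2.10 for the attacker, 198.51.100.7 for the admin) in place of the real ones in the thread, and the trusted network 198.51.100.0/24 is an assumption.

```python
"""Triage OpenSSH/pam_unix lines from /var/log/auth.log (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Message formats as they appear in the thread's logs.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SESSION_RE = re.compile(r"(sshd|CRON)\[\d+\]: \(pam_unix\) session (opened|closed) for user (\S+)")
DISCONNECT_RE = re.compile(r"sshd\[\d+\]: Disconnecting: (.+)$")


def is_trusted(host, trusted_networks):
    """True if host is an IP inside one of trusted_networks.
    Hostnames or masked values such as 202.38.*.* cannot be checked and are
    treated as untrusted so that they surface for manual review."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def triage(lines, trusted_cidrs=()):
    """Summarise failed/accepted logins, pam sessions and disconnects."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    report = {
        "failed_by_host": Counter(),               # host -> failed passwords
        "root_failures_by_host": Counter(),        # host -> failures against root
        "invalid_users_by_host": defaultdict(set), # host -> usernames guessed
        "accepted": [],                            # (method, user, host, trusted)
        "untrusted_logins": [],                    # (user, host) to investigate
        "sshd_sessions": 0,                        # pam sessions opened by sshd
        "cron_sessions": 0,                        # pam sessions opened by cron
        "disconnects": [],                         # sshd disconnect reasons
    }
    for line in lines:
        if m := FAILED_RE.search(line):
            user, host = m.groups()
            report["failed_by_host"][host] += 1
            if user == "root":
                report["root_failures_by_host"][host] += 1
        elif m := INVALID_RE.search(line):
            user, host = m.groups()
            report["invalid_users_by_host"][host].add(user)
        elif m := ACCEPTED_RE.search(line):
            method, user, host = m.groups()
            ok = is_trusted(host, trusted)
            report["accepted"].append((method, user, host, ok))
            if not ok:
                report["untrusted_logins"].append((user, host))
        elif m := SESSION_RE.search(line):
            daemon, state, _user = m.groups()
            if state == "opened":
                report["cron_sessions" if daemon == "CRON" else "sshd_sessions"] += 1
        elif m := DISCONNECT_RE.search(line):
            report["disconnects"].append(m.group(1))
    return report


def brute_force_sources(report, threshold=10):
    """Hosts with at least `threshold` failed passwords, sorted."""
    return sorted(h for h, n in report["failed_by_host"].items() if n >= threshold)


# Constructed sample modelled on the thread's logs (documentation addresses).
SAMPLE_LOG = """\
Oct 25 07:07:55 host sshd[4265]: Invalid user milind from 192.0.2.10
Oct 25 07:07:55 host sshd[4265]: (pam_unix) check pass; user unknown
Oct 25 07:07:57 host sshd[4265]: Failed password for invalid user milind from 192.0.2.10 port 53583 ssh2
Oct 25 07:11:23 host sshd[4273]: Failed password for root from 192.0.2.10 port 52583 ssh2
Oct 25 07:12:00 host sshd[4275]: Failed password for root from 192.0.2.10 port 58002 ssh2
Oct 25 07:13:16 host sshd[4281]: Invalid user shoichi from 192.0.2.10
Oct 25 07:13:18 host sshd[4281]: Failed password for invalid user shoichi from 192.0.2.10 port 39624 ssh2
Nov 10 02:29:48 host sshd[4157]: Accepted password for root from 198.51.100.7 port 1153 ssh2
Nov 10 02:29:48 host sshd[4159]: (pam_unix) session opened for user root by root(uid=0)
Nov 10 03:17:01 host CRON[4343]: (pam_unix) session opened for user root by (uid=0)
Nov 10 03:17:01 host CRON[4343]: (pam_unix) session closed for user root
Nov 10 04:12:24 host sshd[4141]: Disconnecting: Received oclose for nonexistent channel 0.
Nov 10 05:40:02 host sshd[4600]: Accepted password for root from 192.0.2.10 port 40012 ssh2
Nov 10 05:40:02 host sshd[4602]: (pam_unix) session opened for user root by root(uid=0)
"""

if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines(), trusted_cidrs=("198.51.100.0/24",))
    print("failed passwords per host:", dict(r["failed_by_host"]))
    print("brute-force sources (>=3):", brute_force_sources(r, threshold=3))
    print("logins from untrusted hosts:", r["untrusted_logins"])
    print("sshd sessions:", r["sshd_sessions"], "cron sessions:", r["cron_sessions"])
    print("disconnect reasons:", r["disconnects"])
```

Run it against a real file with `triage(open("/var/log/auth.log").readlines(), trusted_cidrs=(...))`. An entry in "untrusted_logins" for an address you do not recognise is the sign of compromise post #2 asks about; a high count in "failed_by_host" with no matching accepted login is the brute-force noise from post #1. Note that the masked 202.38.*.* in the thread would land in "untrusted_logins" simply because it is not a parseable address, which is the intended fail-safe behaviour.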
roamer
Posts: 43
Joined: 2007-04-18 3:09
From: UESTC

#3

Post by roamer » 2008-01-01 11:48

todaypuzzleme wrote: First determine whether you have been compromised: check /var/log/auth.log for records of successful logins from unknown remote addresses.
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session opened for user root by (uid=0)
Nov 10 03:17:01 roamer CRON[4343]: (pam_unix) session closed for user root
I suspect you are being kicked off while connected. You could try restricting the source IP addresses allowed to reach ssh, for example with iptables, and then, once it is secured, stay connected for a while and see.
Thanks, I'll give it a try!