Desde hace un par de días, mi servidor Debian comenzó a obtener intentos de inicio de sesión (consulte el archivo de registro a continuación). /var/log/auth.log
hace solo tres días, aunque el servidor se ha estado ejecutando durante mucho más tiempo.
Me di cuenta de que el tráfico de la red aumentó 10 veces y el servidor se detuvo para realizar su trabajo (eliminando y analizando los datos meteorológicos cada x minutos).
¿Son estos intentos de piratería o simplemente alguien que ha cometido un error honesto y está intentando iniciar sesión en el servidor incorrecto?
Reinicié el servidor y obtuve una nueva IP. Los intentos de inicio de sesión se detuvieron y el servidor podría reiniciarse para funcionar como se esperaba. ¿Es eso suficiente?
Usuarios inválidos:
Feb 25 07:05:47 <my_server_name> sshd[20223]: Invalid user pi from 84.1.34.55 port 42168
Feb 25 07:05:47 <my_server_name> sshd[20225]: Invalid user pi from 84.1.34.55 port 42170
Feb 25 07:11:16 <my_server_name> sshd[20249]: Invalid user admin from 110.77.173.11 port 59058
Feb 25 09:26:11 <my_server_name> sshd[20693]: Invalid user cacti from 91.206.4.250 port 51831
Feb 25 09:29:56 <my_server_name> sshd[20699]: Invalid user system from 91.206.4.250 port 46048
Feb 25 09:34:07 <my_server_name> sshd[20720]: Invalid user oracle4 from 91.206.4.250 port 40576
Feb 25 09:38:17 <my_server_name> sshd[20738]: Invalid user kang from 91.206.4.250 port 35145
Feb 25 09:43:07 <my_server_name> sshd[20757]: Invalid user scaner from 91.206.4.250 port 58343
Feb 25 10:45:32 <my_server_name> sshd[20972]: Invalid user 0101 from 5.101.40.10 port 60675
Feb 25 13:01:14 <my_server_name> sshd[21480]: Invalid user packer from 178.238.227.236 port 48256
Feb 25 13:57:14 <my_server_name> sshd[21708]: Invalid user customer from 45.77.20.111 port 61447
Feb 25 19:26:16 <my_server_name> sshd[23390]: Invalid user admin from 41.238.155.19 port 54046
Feb 25 19:26:21 <my_server_name> sshd[23394]: Invalid user admin from 123.17.142.134 port 8115
Feb 25 19:26:25 <my_server_name> sshd[23396]: Invalid user admin from 123.21.121.162 port 47277
Feb 26 01:07:26 <my_server_name> sshd[24576]: Invalid user setup from 125.212.248.37 port 51559
Feb 26 01:11:29 <my_server_name> sshd[24595]: Invalid user test7 from 125.212.248.37 port 43459
Feb 26 01:15:54 <my_server_name> sshd[24613]: Invalid user squid from 125.212.248.37 port 35362
Feb 26 01:20:36 <my_server_name> sshd[24635]: Invalid user ubnt from 125.212.248.37 port 55512
Feb 26 01:25:30 <my_server_name> sshd[24655]: Invalid user cron from 125.212.248.37 port 47436
Feb 26 03:27:08 <my_server_name> sshd[25046]: Invalid user 0101 from 5.101.40.10 port 40939
Feb 26 03:27:19 <my_server_name> sshd[25050]: Invalid user 0 from 5.101.40.10 port 46872
Feb 26 03:27:32 <my_server_name> sshd[25053]: Invalid user 1234 from 5.101.40.10 port 56612
Feb 26 03:27:40 <my_server_name> sshd[25056]: Invalid user admin from 5.101.40.10 port 42483
Feb 26 03:27:42 <my_server_name> sshd[25059]: Invalid user admin from 5.101.40.10 port 38818
Feb 26 07:42:23 <my_server_name> sshd[26082]: Invalid user admin from 82.209.209.32 port 56889
Feb 26 07:42:27 <my_server_name> sshd[26086]: Invalid user admin from 186.101.223.181 port 58521
Feb 26 07:42:35 <my_server_name> sshd[26088]: Invalid user admin from 109.86.89.70 port 48484
Feb 26 09:20:40 <my_server_name> sshd[26459]: Invalid user ubuntu from 62.210.103.20 port 17592
Feb 26 09:53:32 <my_server_name> sshd[26570]: Invalid user ubuntu from 62.210.103.20 port 33833
Feb 26 10:27:02 <my_server_name> sshd[26696]: Invalid user ubuntu from 62.210.103.20 port 50168
Feb 26 12:22:59 <my_server_name> sshd[27097]: Invalid user alice from 54.197.138.157 port 44960
Feb 26 12:23:05 <my_server_name> sshd[27100]: Invalid user packer from 54.197.138.157 port 46468
Feb 26 12:23:12 <my_server_name> sshd[27103]: Invalid user ec2-user from 54.197.138.157 port 48060
Feb 26 12:23:32 <my_server_name> sshd[27111]: Invalid user deploy from 54.197.138.157 port 52844
Feb 26 12:23:38 <my_server_name> sshd[27114]: Invalid user vagrant from 54.197.138.157 port 54437
Feb 26 12:23:45 <my_server_name> sshd[27117]: Invalid user postgres from 54.197.138.157 port 56043
Feb 26 12:23:58 <my_server_name> sshd[27122]: Invalid user tigertooth from 54.197.138.157 port 59214
Feb 26 12:24:05 <my_server_name> sshd[27125]: Invalid user ubuntu from 54.197.138.157 port 60813
Feb 26 12:24:12 <my_server_name> sshd[27128]: Invalid user centos from 54.197.138.157 port 34175
Feb 26 14:06:56 <my_server_name> sshd[27484]: Invalid user 0101 from 5.101.40.10 port 35918
Feb 26 14:07:04 <my_server_name> sshd[27488]: Invalid user 0 from 5.101.40.10 port 42591
Feb 26 14:07:09 <my_server_name> sshd[27491]: Invalid user 1234 from 5.101.40.10 port 53641
Feb 26 14:07:10 <my_server_name> sshd[27494]: Invalid user admin from 5.101.40.10 port 51921
Feb 26 14:07:19 <my_server_name> sshd[27497]: Invalid user admin from 5.101.40.10 port 41209
Feb 26 14:07:28 <my_server_name> sshd[27499]: Invalid user admin from 5.101.40.10 port 45466
Feb 26 14:07:34 <my_server_name> sshd[27501]: Invalid user admin from 5.101.40.10 port 56275
Feb 26 14:07:39 <my_server_name> sshd[27504]: Invalid user default from 5.101.40.10 port 40792
Feb 26 14:07:47 <my_server_name> sshd[27507]: Invalid user ftp from 5.101.40.10 port 55119
Feb 26 17:40:53 <my_server_name> sshd[28259]: Invalid user pi from 113.232.204.10 port 42721
Feb 26 17:40:53 <my_server_name> sshd[28258]: Invalid user pi from 113.232.204.10 port 42720
Feb 26 19:21:41 <my_server_name> sshd[28896]: Invalid user pi from 115.231.212.82 port 2022
Feb 26 19:21:43 <my_server_name> sshd[28899]: Invalid user PlcmSpIp from 115.231.212.82 port 2408
Feb 26 19:21:44 <my_server_name> sshd[28903]: Invalid user admin from 115.231.212.82 port 2774
Feb 26 19:21:46 <my_server_name> sshd[28907]: Invalid user ftpuser from 115.231.212.82 port 3079
Feb 26 19:21:48 <my_server_name> sshd[28910]: Invalid user ftpuser from 115.231.212.82 port 3456
Feb 26 19:21:50 <my_server_name> sshd[28912]: Invalid user guest from 115.231.212.82 port 3889
Feb 26 19:21:52 <my_server_name> sshd[28915]: Invalid user guest from 115.231.212.82 port 4197
Feb 26 19:21:53 <my_server_name> sshd[28917]: Invalid user guest from 115.231.212.82 port 4645
Feb 26 19:21:55 <my_server_name> sshd[28919]: Invalid user ubnt from 115.231.212.82 port 4966
Feb 26 19:21:57 <my_server_name> sshd[28924]: Invalid user test from 115.231.212.82 port 1611
Feb 26 19:21:59 <my_server_name> sshd[28927]: Invalid user test1 from 115.231.212.82 port 1866
Feb 26 19:22:00 <my_server_name> sshd[28930]: Invalid user test from 115.231.212.82 port 2191
Feb 26 19:22:02 <my_server_name> sshd[28932]: Invalid user test from 115.231.212.82 port 2475
Feb 26 19:22:04 <my_server_name> sshd[28934]: Invalid user test from 115.231.212.82 port 2758
Feb 26 19:22:06 <my_server_name> sshd[28936]: Invalid user admin from 115.231.212.82 port 2999
Feb 26 19:22:18 <my_server_name> sshd[28956]: Invalid user ftp from 115.231.212.82 port 1157
Feb 26 19:22:20 <my_server_name> sshd[28959]: Invalid user ftp from 115.231.212.82 port 1375
Feb 26 19:22:22 <my_server_name> sshd[28961]: Invalid user ftp from 115.231.212.82 port 1569
Feb 26 19:22:24 <my_server_name> sshd[28963]: Invalid user vyatta from 115.231.212.82 port 1933
Feb 26 19:22:25 <my_server_name> sshd[28966]: Invalid user user from 115.231.212.82 port 2156
Feb 26 19:22:27 <my_server_name> sshd[28970]: Invalid user user from 115.231.212.82 port 2446
Feb 26 19:22:29 <my_server_name> sshd[28973]: Invalid user www from 115.231.212.82 port 2952
Feb 26 19:22:31 <my_server_name> sshd[28976]: Invalid user info from 115.231.212.82 port 3242
Feb 26 19:22:32 <my_server_name> sshd[28979]: Invalid user admin from 115.231.212.82 port 3658
Feb 26 19:22:34 <my_server_name> sshd[28982]: Invalid user admin from 115.231.212.82 port 3933
Feb 26 19:22:36 <my_server_name> sshd[28984]: Invalid user git from 115.231.212.82 port 4227
Feb 26 19:22:38 <my_server_name> sshd[28989]: Invalid user vyatta from 115.231.212.82 port 4592
Feb 26 19:22:39 <my_server_name> sshd[28991]: Invalid user operator from 115.231.212.82 port 4880
Feb 26 19:22:41 <my_server_name> sshd[28994]: Invalid user webmaster from 115.231.212.82 port 1144
Feb 26 19:22:43 <my_server_name> sshd[28997]: Invalid user nagios from 115.231.212.82 port 1472
Feb 26 19:22:45 <my_server_name> sshd[29000]: Invalid user oracle from 115.231.212.82 port 1937
Feb 26 19:22:46 <my_server_name> sshd[29003]: Invalid user fax from 115.231.212.82 port 2250
Feb 26 19:22:48 <my_server_name> sshd[29008]: Invalid user fax from 115.231.212.82 port 2530
Feb 26 19:22:50 <my_server_name> sshd[29010]: Invalid user sales from 115.231.212.82 port 2753
Feb 26 19:22:52 <my_server_name> sshd[29013]: Invalid user server from 115.231.212.82 port 3009
Feb 26 19:22:54 <my_server_name> sshd[29016]: Invalid user mysql from 115.231.212.82 port 3348
Feb 26 19:22:55 <my_server_name> sshd[29019]: Invalid user public from 115.231.212.82 port 3621
Feb 26 19:22:57 <my_server_name> sshd[29022]: Invalid user demo from 115.231.212.82 port 3875
Esta es la salida de netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 0.0.0.0:bootpc 0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 10332 /run/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 10343 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 10345 /run/systemd/fsck.progress
unix 2 [ ACC ] STREAM LISTENING 12394 /var/run/nscd/socket
unix 2 [ ACC ] STREAM LISTENING 12396 /var/run/.nscd_socket
unix 2 [ ACC ] STREAM LISTENING 10351 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 12176 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 28848 /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 28853 /run/user/1000/gnupg/S.gpg-agent
unix 2 [ ACC ] STREAM LISTENING 28856 /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 28858 /run/user/1000/gnupg/S.gpg-agent.ssh
unix 2 [ ACC ] STREAM LISTENING 28860 /run/user/1000/gnupg/S.gpg-agent.extra