Hatena::ブログ(Diary)

私は素人サーバ管理者 このページをアンテナに追加 RSSフィード Twitter

2011-01-19

【Linux】sshの接続ポートをデフォルト(22番)のままにしてインターネットにさらすとどうなるか

sshの接続ポートはデフォルトTCP22番。

これは常識ですね。あまりに常識すぎて、デフォルトインターネットに接続すると攻撃対象になりやすく危険とよく言われますが、本当でしょうか?

実は昨年10月にsshの接続ポートをデフォルトのままにしてサーバインターネットに接続したところ、 実際に攻撃(というほど大げさではないですが)を受けたことがありました。

主な経緯は次の通りです。

2010年10月21日(木) Linuxサーバのセットアップ開始
2010年10月22日(金) セットアップが終わらないので家で続きをやろうと、
                   サーバをインターネットからssh接続可能にして帰宅(ssh接続ポートは22番)
2010年10月23日(土) (夜中にブラジルから攻撃)
                   朝、ログを見て攻撃に気付く 
                   → ssh接続ポート変更(とりあえず)
                   → 以後、攻撃は無し

btmpファイルを見ると攻撃の様子がわかります。
(見やすいように表示を調整してあります)

【bamtファイル】
root     :0           Thu Oct 21 18:31 - 18:31  (00:00)     
root     :0           Fri Oct 22 11:07 - 11:07  (00:00)     
root     ssh:notty    Fri Oct 22 15:45 - 15:45  (00:00)     192.168.1.30
root     ssh:notty    Fri Oct 22 15:45 - 15:45  (00:00)     192.168.1.30
test01   ssh:notty    Fri Oct 22 16:12 - 16:12  (00:00)     *************.co.jp
root     ssh:notty    Fri Oct 22 16:15 - 16:15  (00:00)     *************.co.jp
root     ssh:notty    Fri Oct 22 16:15 - 16:15  (00:00)     *************.co.jp
test01   ssh:notty    Fri Oct 22 17:29 - 17:29  (00:00)     *************.co.jp
test01   ssh:notty    Fri Oct 22 20:13 - 20:13  (00:00)     *************.co.jp
====[ ここから ] ====================================================================
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
aussiecr ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
aussiecr ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
gorzow   ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
gorzow   ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
dev      ssh:notty    Sat Oct 23 02:50 - 02:50  (00:00)     server.#########.com.br
dev      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
www      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
www      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
kylix    ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
kylix    ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
cisco    ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
cisco    ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
rita     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
rita     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
giovanna ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
giovanna ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:51 - 02:51  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
artem    ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
artem    ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
postgres ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
postgres ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
postgres ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
postgres ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
dev      ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
dev      ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
induacu  ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
induacu  ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
tollini  ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
tollini  ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
www      ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
www      ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
PlcmSpIp ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
PlcmSpIp ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:52 - 02:52  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
work     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
work     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
sysadmin ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
sysadmin ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
jason    ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
jason    ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
iony     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
iony     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
sauticom ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
sauticom ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
eak      ssh:notty    Sat Oct 23 02:53 - 02:53  (00:00)     server.#########.com.br
eak      ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
sysadmin ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
sysadmin ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
provis   ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
provis   ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
halley   ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
halley   ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
prasoot  ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
prasoot  ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
thairepo ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
thairepo ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
georgeli ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
georgeli ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
edwardli ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
edwardli ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
dinochan ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
dinochan ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
sigcomm  ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
sigcomm  ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
test     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
test     ssh:notty    Sat Oct 23 02:54 - 02:54  (00:00)     server.#########.com.br
test     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
test     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sigcomm  ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sigcomm  ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
tklc     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
tklc     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
kylix    ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
kylix    ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
tedbaker ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
tedbaker ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
root     ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
cyrus    ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
cyrus    ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
bin      ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sercon   ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sercon   ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
sec      ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
nfsnobod ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
nfsnobod ssh:notty    Sat Oct 23 02:55 - 02:55  (00:00)     server.#########.com.br
====[ ここまで ] ====================================================================
test01   ssh:notty    Mon Oct 25 08:43 - 08:43  (00:00)     *************.*****.ne.jp
test01   ssh:notty    Mon Oct 25 08:43 - 08:43  (00:00)     *************.*****.ne.jp
test01   ssh:notty    Mon Oct 25 08:43 - 08:43  (00:00)     *************.*****.ne.jp

5分間に284回もトライするなんて、ブラジル人やり過ぎだよ・・・
幸いrootログインは禁止してあり、パスワードもランダムな文字列にしていたので実害はありませんでしたが、本当に攻撃を受けるんだなと身をもって感じました。

皆さんも気をつけてください。

だだだだだだ 2017/08/04 13:33 だいたいこういたことが原因でセキュアになってく
私も始め中国から集中攻撃受けてた

スパム対策のためのダミーです。もし見えても何も入力しないでください
ゲスト


画像認証

トラックバック - http://d.hatena.ne.jp/horus531/20110119/1295430024