auth.log中的“ sshd：错误：connect_to…失败”是什么意思？

我注意到/var/log/auth.log服务器上多次重复以下错误消息：

Aug 10 09:10:16 hostname sshd[661]: error: connect_to 1.1.1.1 port
25: failed.

我更改了实际的IP地址，它们是通常属于邮件服务器的外部地址。

我不了解的部分是谁确实试图连接到这些地址，以及sshd与它有什么关系。sshd在端口22上运行，该服务器上的端口25上没有任何运行。

这条线到底是什么意思，谁在发起连接，为什么要使用sshd？

您可以通过设置SSH动态端口转发来重现此内容：

man ssh：

 -D [bind_address:]port
         Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket
         to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a
         connection is made to this port, the connection is forwarded over the secure channel, and the
         application protocol is then used to determine where to connect to from the remote machine.  Cur‐
         rently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server.  Only
         root can forward privileged ports.  Dynamic port forwardings can also be specified in the configu‐
         ration file.

         IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser
         can forward privileged ports.  By default, the local port is bound in accordance with the
         GatewayPorts setting.  However, an explicit bind_address may be used to bind the connection to a
         specific address.  The bind_address of “localhost” indicates that the listening port be bound for
         local use only, while an empty address or ‘*’ indicates that the port should be available from all
         interfaces.

在本地主机2302端口上启动SOCKS代理：

$ ssh -v -ND 2302 user@host

要在Firefox中通过此隧道路由HTTP通信：

编辑->首选项->高级->网络选项卡->设置->手动代理配置-> SOCKS主机：localhost和端口：2302

为了将SOCKS代理与其他流量一起使用，可以使用socksifier程序，例如tsocks：

[I] net-proxy/tsocks
     Available versions:  1.8_beta5-r3 ~1.8_beta5-r4 1.8_beta5-r5 ~1.8_beta5-r6 {tordns}
     Installed versions:  1.8_beta5-r5(10:08:28 AM 06/15/2010)(-tordns)
     Homepage:            http://tsocks.sourceforge.net/
     Description:         Transparent SOCKS v4 proxying library

在我的Gentoo上，编辑/etc/socks/tsocks.conf以下内容：

# Otherwise we use the server
server = 127.0.0.1
server_port = 2302

测试：

$ tsocks telnet 255.255.255.255 25

您会/var/log/secure在SSH服务器上看到以下内容：

sshd[28491]: error: connect_to 255.255.255.255 port 25: failed.

我不了解的部分是谁正试图连接到这些地址

要缩小范围，请查看/var/log/secure（auth.log在您的发行版上），然后检查谁在此之前登录：

sshd[26898]: pam_unix(sshd:session): session opened for user quanta

将用户的外壳程序设置为/ bin / false不会阻止ssh端口转发。

http://random.cconn.info/2012/05/06/binfalse-sbinnologin-and-ssh/ http://www.semicomplete.com/articles/ssh-security/

因此，我的猜测是，OP的用户登录名使用弱密码或普通密码，通过将Shell设置为/ bin / false或/ bin / nologin来“禁用”该帐户，并且通过ssh端口转发来利用该邮件发送垃圾邮件。

也许有人登录到您的服务器正在尝试建立通往1.1.1.1:25的ssh隧道？