sshd日志已满,“未从接收标识字符串”

17 
Mar  2 02:34:02 freetalker3 sshd[28436]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:08 freetalker3 sshd[28439]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:13 freetalker3 sshd[28442]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:19 freetalker3 sshd[28445]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:24 freetalker3 sshd[28448]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:30 freetalker3 sshd[28451]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:35 freetalker3 sshd[28454]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:41 freetalker3 sshd[28457]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:46 freetalker3 sshd[28460]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:52 freetalker3 sshd[28463]: Did not receive identification string from 211.110.33.50
Mar  2 02:34:57 freetalker3 sshd[28466]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:03 freetalker3 sshd[28469]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:08 freetalker3 sshd[28472]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:14 freetalker3 sshd[28475]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:20 freetalker3 sshd[28478]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:25 freetalker3 sshd[28481]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:31 freetalker3 sshd[28484]: Did not receive identification string from 211.110.33.50
Mar  2 02:35:36 freetalker3 sshd[28488]: Did not receive identification string from 211.110.33.50

我的/var/log/auth.log充满了这些消息,每6秒发送一次垃圾邮件。我的服务器在vps上,该IP似乎是一个内部IP。这可能是什么原因造成的?

ssh 
泰康
source
您是否在root下运行cron作业?
Shimon Rachlenko 2013年

Answers:

4

一些不道德的行为(惊奇!)正在ssh上努力尝试找到将用户名/密码组合放入系统的用户名/密码。可能是从某些僵尸网络做的一样,谁知道还有多少其他毫无戒心的受害者。

安装诸如fail2banDenyHosts之类的东西(两者都应适用于任何Linux发行版),或设置本地防火墙以限制SSH连接尝试。更改SSH端口会使愚蠢的暴力尝试失败,但也会使合法使用失败。

冯布兰德
source
别忘了:sshguard
0xC0000022L13
3
如果他们没有足够的距离来协商密码集,他们就不会尝试使用密码。
Jo Rhett
15
这个答案是完全错误的,并且有点误导。如下所述,如果收到此消息,则说明连接未进入提供用户名的阶段,因此它无法尝试猜测一个用户名。可以是(a)合法检查您的计算机是否还活着-很好;或者(b)扫描将攻击的ssh端口。但是,在情况b)中,您通常只会看到来自任何给定其他地址的一条消息。如果执行了keepalive监视,则可能导致某人或系统重新启动计算机以尝试解决问题。
迈克尔•迈克尔(Michael
33

实际上,这是来自我的托管服务提供商-他们每6秒钟对我的VPS进行一次垃圾邮件发送,以在其Web控制台上显示我的服务器状态。如果我的sshd回答了问题,我的服务器将显示为活动状态。

我刚刚安装OpenVPN并仅允许通过SSH-因此,根据我的提供商的说法,我的服务器停机时间为100%。

泰康
source
9
协议不敏感的心跳检查器很烦人。
Falcon Momot
是的-例如,如果您的sshd服务器在AWS EC2实例上运行,并且已在SSH端口上通过运行状况检查在Elastic Load Balancer后面配置了该服务器,则每次运行状况检查都会在日志中看到此消息。
休W
10

这很可能是来自通讯的保持连接状态(验证服务器是否正在响应)。设备。

JTrunk
source
您能解释一下哪种类型的通讯设备可以执行此操作,为什么?
Elliott B
7

当有人尝试访问SSH但未完成这些步骤时,SSH会抛出此类消息。例如,如果NMS正在检查端口ssh 22是否已启动,它将简单地尝试在端口22上进行连接,如果连接成功,则它将挂断,在这种情况下SSH报告相同。

这是因为SSH端口扫描。

苏亚什·贾恩(Suyash Jain)
source
0

如果您想知道谁在扫描端口或尝试在您的计算机上进行身份验证,请检查:

# whois 211.110.33.50

# KOREAN(UTF8)

조회하신 IPv4주소는 한국인터넷진흥원으로부터 아래의 관리대행자에게 할당되었으며, 할당 정보는 다음과 같습니다.

[ 네트워크 할당 정보 ]
IPv4주소           : 211.110.0.0 - 211.110.239.255 (/17+/18+/19+/20)

等等

private_nodez
source
0

也可能是尝试执行众所周知的缓冲区溢出漏洞利用。

它记录在过滤器中/etc/fail2ban/filter.d/sshd-ddos.conf,您可以通过以下黑客尝试来保护自己:

Fail2Ban ssh filter for at attempted exploit
The regex here also relates to a exploit:
http://www.securityfocus.com/bid/17958/exploit
The example code here shows the pushing of the exploit straight after
reading the server version. This is where the client version string normally
pushed. As such the server will read this unparsible information as
"Did not receive identification string".

此漏洞利用的目标字符串是(猜怎么着?)“没有从...接收标识字符串”。

您只需检查远程IP地址的网络范围,就可以通过其他任何未经授权的来源来区分来自提供商网络的合法连接以进行监视。

可以指示fail2ban过滤器(通过'ignoreregex'指令)以相应地忽略合法尝试。

黛米丝·帕尔玛(Demis Palma)ツ
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.