SSH log analysis

I had some free time today and took a careful look at the SSH entries in the secure log. I found a few interesting things, which I've recorded below.

Common error messages that indicate brute-force attempts

  1. Did not receive identification string from
    Someone tried to log in to your server with a username and password.

  2. vsftpd[11273]: pam_userdb(vsftpd:auth): user 'acount' granted access
    vsftpd granted a login.

  3. Invalid user nagios from 115.28.108.179
    Yet another login attempt.

  4. Received disconnect from 121.42.0.88: 11: Terminating connection
    An attacker tried to brute-force the server using some specific code, and the sshd service then terminated the connection.

While setting up fail2ban, I found that /etc/fail2ban/filter.d/sshd.conf already describes the common login-failure cases, as shown below:

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
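As an added example (not from the original post, and not fail2ban's own code), the script below replays the matching fail2ban does with three of the failregex lines above, using simplified stand-ins for <HOST> and %(__prefix_line)s, over a constructed excerpt of /var/log/secure, and applies the maxretry/findtime rule to decide which hosts would be banned. It also collects the usernames each host tried, which is what the post's own script further down does; maxretry=5 and findtime=600 are fail2ban's jail.conf defaults, and every log line is made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/secure excerpt (not real data); the public IPs are the two quoted in the post.
SAMPLE_LOG = """\
Jun 14 02:11:03 host sshd[2001]: Invalid user nagios from 115.28.108.179
Jun 14 02:11:05 host sshd[2001]: Failed password for invalid user nagios from 115.28.108.179 port 51022 ssh2
Jun 14 02:11:09 host sshd[2003]: Invalid user oracle from 115.28.108.179
Jun 14 02:11:11 host sshd[2003]: Failed password for invalid user oracle from 115.28.108.179 port 51030 ssh2
Jun 14 02:11:15 host sshd[2005]: Failed password for root from 115.28.108.179 port 51041 ssh2
Jun 14 02:11:25 host sshd[2005]: Received disconnect from 115.28.108.179: 3: com.jcraft.jsch.JSchException: Auth fail
Jun 14 02:30:00 host sshd[2100]: Failed password for admin from 121.42.0.88 port 40112 ssh2
Jun 14 02:30:01 host sshd[2100]: Received disconnect from 121.42.0.88: 11: Terminating connection
Jun 14 02:31:00 host sshd[2102]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
"""
# Simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST> placeholders.
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(PREFIX + p) for p in (   # three of the sshd.conf failregex lines
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from " + HOST + r"(?: port \d*)?(?: ssh\d*)?\s*$",
    r"[iI](?:llegal|nvalid) user (?P<user>.*) from " + HOST + r"\s*$",
    r"Received disconnect from " + HOST + r": 3: \S+: Auth fail$",
)]

def parse_ts(text, year=2016):
    # syslog timestamps carry no year, so one is assumed for the constructed sample
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def analyze(log_text, maxretry=5, findtime=600):
    """fail2ban's rule: ban a host with >= maxretry failures inside findtime seconds. Returns (banned, users tried)."""
    recent = defaultdict(deque)   # host -> timestamps of its failures still inside the window
    users = defaultdict(set)      # host -> usernames seen in failed attempts
    banned = []
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if not m:
                continue
            host, ts = m.group("host"), parse_ts(m.group("ts"))
            if m.groupdict().get("user"):
                users[host].add(m.group("user"))
            q = recent[host]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:   # expire failures older than findtime
                q.popleft()
            if len(q) >= maxretry and host not in banned:
                banned.append(host)
            break   # like fail2ban, count at most one failure per line
    return banned, {h: sorted(u) for h, u in users.items()}
```

Note that the "11: Terminating connection" line from the post's item 4 does not match any of these patterns, so on its own it never counts toward a ban.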

Some things observed from the logs

I wrote a Python script that pulls out every username the attackers tried; the test script is as follows:

import re

# Collect every distinct username that sshd logged in an "Invalid user ... from" line.
# Note: \w+ stops at "." and "-", so a name like "www.xrong.net" is captured only as "www".
user_set = set()
with open("/var/log/secure-log") as f:
    for line in f:
        match = re.search(r"Invalid user (\w+) from", line)
        if match:
            user_set.add(match.group(1))

for username in user_set:
    print(username)

The resulting list of usernames was as follows:


Basically, these brute-forcers first do a reverse lookup of your server's IP to find every domain name pointing at it, then use keywords from those domains as the usernames to test. For example, if an IP resolves back to the domain xrong.net, the following usernames will be tried:

www.xrong.net
xrong.net
xrong
xrongnet
xrong_net
xrong-net
www_xrong_net
www-xrong-net
wwwxrong
wwwxrongnet
xrong123
xrongnet123
wwwxrongnet123

Of course the list above is only a sample, so the practical takeaway is to avoid using your domain name or other common words as SSH usernames, to reduce the chance of being brute-forced.
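As an added example, not part of the original post: a small audit script that derives the 13 username forms listed above from any domain (generalizing the xrong.net case) and flags local accounts whose login name matches one of them. The passwd lines are constructed for the example; on a real host you would read /etc/passwd instead.

```python
# Constructed /etc/passwd excerpt for the example (not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
xrong:x:1000:1000::/home/xrong:/bin/bash
wwwxrong:x:1001:1001::/home/wwwxrong:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
xrongnet:x:1003:1003::/home/xrongnet:/sbin/nologin
"""

def domain_variants(domain):
    """The 13 username forms the post lists for a domain, e.g. xrong.net -> xrong, xrongnet, www-xrong-net, ..."""
    d = domain.lower()
    label, _, tld = d.partition(".")          # "xrong.net" -> "xrong", "net"
    variants = {d, "www." + d, label, "www" + label}
    for sep in ("", "_", "-"):                # xrongnet / xrong_net / xrong-net and the www forms
        variants.add(label + sep + tld)
        variants.add(sep.join(("www", label, tld)))
    variants |= {label + "123", label + tld + "123", "www" + label + tld + "123"}
    return variants

def accounts_at_risk(passwd_text, domain):
    """Return (login, shell) for every passwd entry whose login name is a domain-derived guess."""
    wanted = domain_variants(domain)
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")              # login:pw:uid:gid:gecos:home:shell
        if fields[0].lower() in wanted:
            hits.append((fields[0], fields[-1]))
    return hits
```

The shell is reported alongside the login so that accounts which cannot log in interactively can still be reviewed, since a correct password guess is confirmed to the attacker before the shell is ever run.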

Using fail2ban to block these IPs the simple way

Installation

sudo yum install fail2ban

Configuration files

drwxr-xr-x 6 root root 4.0K Jun 14 10:08 .
drwxr-xr-x. 90 root root 4.0K Jun 9 03:42 ..
drwxr-xr-x 2 root root 4.0K Aug 24 2015 action.d
-rw-r--r-- 1 root root 2.3K May 21 2015 fail2ban.conf
drwxr-xr-x 2 root root 4.0K May 21 2015 fail2ban.d
drwxr-xr-x 3 root root 4.0K Aug 24 2015 filter.d
-rw-r--r-- 1 root root 18K Jun 13 23:41 jail.conf
-rw-r--r-- 1 root root 16K Jun 14 10:08 .jail.conf.swp
drwxr-xr-x 2 root root 4.0K Jun 14 10:32 jail.d
-rw-r--r-- 1 root root 1.9K Apr 29 2015 paths-common.conf
-rw-r--r-- 1 root root 645 Apr 29 2015 paths-debian.conf
-rw-r--r-- 1 root root 689 Apr 29 2015 paths-fedora.conf
-rw-r--r-- 1 root root 1.2K Apr 29 2015 paths-freebsd.conf
-rw-r--r-- 1 root root 290 Apr 29 2015 paths-osx.conf
  1. fail2ban.conf is the main configuration file
  2. jail.conf is the jail configuration file; it does not need to be modified
  3. paths-*.conf are the generic, system-independent path configuration files
  4. jail.d holds your custom jail configuration files

Enabling monitoring of sshd

Create the file /etc/fail2ban/jail.d/customisation.local
and add the following configuration:

[DEFAULT]
bantime = 3600
[sshd]
enabled = true

Monitoring commands

Show the status of all jails:
sudo fail2ban-client status
Show the ban status of one jail:
sudo fail2ban-client status sshd

After a long night's wait, the command above showed the following result: one suspicious IP had already been banned.

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 21
| `- File list: /var/log/secure
`- Actions
|- Currently banned: 0
|- Total banned: 1
`- Banned IP list:

You can of course also use iptables to inspect the actual blocking rules.

iptables -L