Taking advantage of the Double 11 promotion, I picked up a new Alibaba Cloud server: the economy tier, 99 yuan a year. The specs are modest, but it does a fine job as a jump host proxying the services at home. The promotion runs until 2026.

I deliberately chose a server in the Shanghai region so that the proxy to my machines at home would have low latency. Those machines run Win11 and Windows Server 2022 (the Server box was deployed later). While I was using it, I suddenly got an access-denied message. I assumed it was a server update and that it would come back shortly. Five minutes later I tried again and login was still refused. Searching for the error showed that someone was attempting to log in, and that because of too many wrong passwords the account was now locked out.

I have worked with attack scripts before, so it clicked immediately: these logins were almost certainly not normal activity; someone was attacking the service, trying to brute-force the login. To save effort I had not set up an allowlist in the server firewall, and port 3389 of both machines was proxied straight onto the public internet, about as safe as bait in a fish pond. Once I knew it was script kiddies attacking, the rest was simple: set a firewall allowlist so that only the company's IP address and the home IP address can reach the proxied services.

The frps server side had never been configured to write a run log either. After turning logging on, I had to laugh: proxy IPs from all over the country were trying to log into the machines at home. Fortunately one of them runs the Server edition, which is what made me notice the problem; otherwise the Win11 box, whose password is fairly simple, would have been broken into sooner or later.

2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [101.43.98.211:50486]
2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [218.93.202.63:56970]
2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [222.179.106.174:60812]
2023/11/17 16:51:15 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [58.16.204.238:2839]
2023/11/17 16:51:15 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [124.223.47.24:50274]
2023/11/17 16:51:16 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [43.248.128.22:55883]
2023/11/17 16:51:16 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [43.143.53.138:56955]
2023/11/17 16:51:16 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [43.228.7.250:61550]
2023/11/17 16:51:16 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [125.76.228.9:55842]
2023/11/17 16:51:17 [I] [proxy.go:204] [4dfcc2259937dcb9] [winserver-remote] get a user connection [91.240.118.187:49326]
2023/11/17 16:51:17 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [91.240.118.187:49324]
2023/11/17 16:51:17 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [89.248.163.79:51712]
2023/11/17 16:51:18 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [218.63.75.24:62387]
2023/11/17 16:51:19 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [103.186.109.227:51396]
2023/11/17 16:51:20 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [116.233.234.104:51567]
2023/11/17 16:51:20 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [222.187.193.202:51585]
2023/11/17 16:51:20 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [59.48.98.42:57489]
2023/11/17 16:51:20 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [146.56.241.134:53558]
2023/11/17 16:51:21 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [222.179.106.174:30620]
2023/11/17 16:51:23 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [183.14.214.51:62128]
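What that log looks like once you count it rather than read it, as an added example (my code, not the author's and not part of frp): a small Python detector over the frps lines above. It parses the `get a user connection` line format shown in the post, counts distinct source IPs per proxy inside a sliding ten-second window, and lists any source that hit more than one proxy (91.240.118.187 above touches host-remote and winserver-remote in the same second, which is one scanner sweeping every exposed port). The ten-second window, the threshold of five sources, and the 203.0.113.7 line at 09:12 are assumptions constructed for the example; the other sample lines are copied from the log above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ten lines copied from the frps log in the post, plus one constructed line
# (203.0.113.7 at 09:12, a single visitor earlier in the day) to show that an
# isolated client is not flagged.
SAMPLE_LOG = """\
2023/11/17 09:12:03 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [203.0.113.7:51001]
2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [101.43.98.211:50486]
2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [218.93.202.63:56970]
2023/11/17 16:51:14 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [222.179.106.174:60812]
2023/11/17 16:51:15 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [58.16.204.238:2839]
2023/11/17 16:51:15 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [124.223.47.24:50274]
2023/11/17 16:51:17 [I] [proxy.go:204] [4dfcc2259937dcb9] [winserver-remote] get a user connection [91.240.118.187:49326]
2023/11/17 16:51:17 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [91.240.118.187:49324]
2023/11/17 16:51:17 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [89.248.163.79:51712]
2023/11/17 16:51:21 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [222.179.106.174:30620]
2023/11/17 16:51:23 [I] [proxy.go:204] [639d8947325142ac] [host-remote] get a user connection [183.14.214.51:62128]
"""

# One frps "get a user connection" line: timestamp, level, source file,
# run id of the frpc client, proxy name, and the visitor's address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[I\] \[proxy\.go:\d+\] "
    r"\[[0-9a-f]+\] \[(?P<proxy>[^\]]+)\] get a user connection "
    r"\[(?P<ip>[^:\]]+):\d+\]$"
)


def parse_frps(lines):
    """Yield (timestamp, proxy_name, source_ip); lines of any other shape are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["proxy"], m["ip"]


def peak_distinct_sources(events, window=timedelta(seconds=10)):
    """Per proxy, the most distinct source IPs seen inside any span of `window`.

    A remote-desktop proxy for two people sees two or three clients a day;
    a sliding window turns "a lot of lines" into a number you can alert on.
    """
    by_proxy = defaultdict(list)
    for ts, proxy, ip in sorted(events):
        by_proxy[proxy].append((ts, ip))
    peaks = {}
    for proxy, evs in by_proxy.items():
        recent = deque()
        best = 0
        for ts, ip in evs:
            recent.append((ts, ip))
            while ts - recent[0][0] > window:   # drop events older than the window
                recent.popleft()
            best = max(best, len({src for _, src in recent}))
        peaks[proxy] = best
    return peaks


def flag_bursts(lines, window_seconds=10, min_sources=5):
    """Proxies whose peak distinct-source count reaches min_sources: a scan or brute force."""
    peaks = peak_distinct_sources(parse_frps(lines), timedelta(seconds=window_seconds))
    return {proxy: n for proxy, n in peaks.items() if n >= min_sources}


def multi_proxy_sources(events):
    """Source IPs that touched more than one proxy: one scanner sweeping every exposed port."""
    proxies_by_ip = defaultdict(set)
    for _, proxy, ip in events:
        proxies_by_ip[ip].add(proxy)
    return sorted(ip for ip, seen in proxies_by_ip.items() if len(seen) > 1)


if __name__ == "__main__":
    events = list(parse_frps(SAMPLE_LOG.splitlines()))
    print("bursts:", flag_bursts(SAMPLE_LOG.splitlines()))
    print("sweeping more than one proxy:", multi_proxy_sources(events))
```

On the sample, host-remote peaks at eight distinct sources in ten seconds and winserver-remote at one; the lone 09:12 connection never raises the count. Feed it the real log with `tail -F` piped in and the threshold is the only thing to tune.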

While I was at it, I checked the SSH login logs on the Linux machines as well: besides this Alibaba Cloud box, a friend's Huawei Cloud machine.

sudo grep "Failed password" /var/log/secure    # CentOS family
sudo grep "Failed password" /var/log/auth.log  # Ubuntu family
Nov 16 04:46:34 aliyun-sh sshd[156625]: Failed password for root from 120.55.164.64 port 53410 ssh2
Nov 16 04:46:34 aliyun-sh sshd[156623]: Failed password for root from 111.16.215.122 port 36548 ssh2
Nov 16 04:46:58 aliyun-sh sshd[156630]: Failed password for invalid user share from 139.9.233.78 port 53872 ssh2
Nov 16 04:47:23 aliyun-sh sshd[156634]: Failed password for invalid user spark from 139.9.233.78 port 36134 ssh2
Nov 16 04:47:26 aliyun-sh sshd[156636]: Failed password for root from 120.55.164.64 port 46142 ssh2
Nov 16 04:47:47 aliyun-sh sshd[156640]: Failed password for root from 111.16.215.122 port 42962 ssh2
Nov 16 04:48:24 aliyun-sh sshd[156652]: Failed password for root from 120.55.164.64 port 38868 ssh2
Nov 16 04:48:25 aliyun-sh sshd[156654]: Failed password for root from 111.16.215.122 port 46164 ssh2
Nov 16 04:48:39 aliyun-sh sshd[156657]: Failed password for invalid user test from 139.9.233.78 port 39386 ssh2
Nov 16 04:48:50 aliyun-sh sshd[156659]: Failed password for root from 111.16.215.122 port 38892 ssh2
Nov 16 04:48:53 aliyun-sh sshd[156662]: Failed password for root from 120.55.164.64 port 49348 ssh2
Nov 16 04:48:53 aliyun-sh sshd[156664]: Failed password for invalid user test from 139.9.233.78 port 49864 ssh2
Nov 16 04:50:02 aliyun-sh sshd[156672]: Failed password for root from 111.16.215.122 port 45294 ssh2
Nov 16 04:50:30 aliyun-sh sshd[156680]: Failed password for invalid user zabbix from 139.9.233.78 port 52206 ssh2
Nov 16 04:50:50 aliyun-sh sshd[156683]: Failed password for root from 120.55.164.64 port 34820 ssh2
Nov 16 04:50:51 aliyun-sh sshd[156685]: Failed password for root from 111.16.215.122 port 58978 ssh2
Nov 16 04:51:18 aliyun-sh sshd[156689]: Failed password for root from 120.55.164.64 port 45306 ssh2
Nov 16 04:51:25 aliyun-sh sshd[156692]: Failed password for root from 111.16.215.122 port 33938 ssh2

The Huawei Cloud machine has been up much longer, and the attackers there are already into the middle of a dictionary run: all sorts of odd usernames have started to appear.

Nov 16 20:30:35 hecs-411458 sshd[182965]: Failed password for invalid user oeh from 39.129.9.180 port 26459 ssh2
Nov 16 20:32:17 hecs-411458 sshd[182967]: Failed password for invalid user dnu from 39.129.9.180 port 27079 ssh2
Nov 16 20:34:12 hecs-411458 sshd[182971]: Failed password for invalid user rq from 39.129.9.180 port 27742 ssh2
Nov 16 20:36:07 hecs-411458 sshd[182979]: Failed password for invalid user zw from 39.129.9.180 port 28415 ssh2
Nov 16 20:37:59 hecs-411458 sshd[182981]: Failed password for invalid user egi from 39.129.9.180 port 29068 ssh2
Nov 16 20:39:52 hecs-411458 sshd[182984]: Failed password for invalid user bjb from 39.129.9.180 port 29723 ssh2
Nov 16 20:41:53 hecs-411458 sshd[182988]: Failed password for invalid user hna from 39.129.9.180 port 30375 ssh2
Nov 16 20:43:46 hecs-411458 sshd[182994]: Failed password for invalid user gar from 39.129.9.180 port 31036 ssh2
Nov 16 20:45:40 hecs-411458 sshd[183003]: Failed password for invalid user mze from 39.129.9.180 port 31703 ssh2
Nov 16 20:47:35 hecs-411458 sshd[183007]: Failed password for invalid user tmh from 39.129.9.180 port 32381 ssh2
Nov 16 21:23:01 hecs-411458 sshd[183047]: Failed password for invalid user amax from 112.4.65.118 port 41188 ssh2
Nov 16 22:31:20 hecs-411458 sshd[183116]: Failed password for root from 211.228.203.123 port 60213 ssh2
Nov 16 22:53:44 hecs-411458 sshd[183162]: Failed password for root from 112.132.249.164 port 39272 ssh2
Nov 17 11:44:26 hecs-411458 sshd[184811]: Failed password for invalid user jsh from 43.157.103.27 port 54608 ssh2
Nov 17 11:47:23 hecs-411458 sshd[184818]: Failed password for invalid user mrunal from 43.157.103.27 port 50448 ssh2
Nov 17 11:48:46 hecs-411458 sshd[184820]: Failed password for invalid user robertsheen from 43.157.103.27 port 50560 ssh2
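The grep above shows the lines; what you actually want from them is who is doing what. As an added example (my code, not the author's), here is the same analysis over both logs in Python: it parses the two `Failed password` line shapes seen above (a real account such as root, and `invalid user X`), groups failures by host and source IP, and labels each source as guessing passwords against an existing account or walking a username dictionary, which is the difference between the Alibaba Cloud log and the Huawei Cloud log. The sample lines are copied from the logs above except for one constructed `Accepted publickey` line from 203.0.113.7; the ban threshold of three is an assumption.

```python
import re
from collections import defaultdict

# Thirteen "Failed password" lines copied from the two logs in the post, plus one
# constructed "Accepted publickey" line to show that successes are ignored.
SAMPLE_AUTH_LOG = """\
Nov 16 04:46:34 aliyun-sh sshd[156625]: Failed password for root from 120.55.164.64 port 53410 ssh2
Nov 16 04:46:34 aliyun-sh sshd[156623]: Failed password for root from 111.16.215.122 port 36548 ssh2
Nov 16 04:46:58 aliyun-sh sshd[156630]: Failed password for invalid user share from 139.9.233.78 port 53872 ssh2
Nov 16 04:47:00 aliyun-sh sshd[156628]: Accepted publickey for deploy from 203.0.113.7 port 50000 ssh2: ED25519 SHA256:constructed
Nov 16 04:47:23 aliyun-sh sshd[156634]: Failed password for invalid user spark from 139.9.233.78 port 36134 ssh2
Nov 16 04:47:26 aliyun-sh sshd[156636]: Failed password for root from 120.55.164.64 port 46142 ssh2
Nov 16 04:48:39 aliyun-sh sshd[156657]: Failed password for invalid user test from 139.9.233.78 port 39386 ssh2
Nov 16 04:48:53 aliyun-sh sshd[156662]: Failed password for root from 120.55.164.64 port 49348 ssh2
Nov 16 20:30:35 hecs-411458 sshd[182965]: Failed password for invalid user oeh from 39.129.9.180 port 26459 ssh2
Nov 16 20:32:17 hecs-411458 sshd[182967]: Failed password for invalid user dnu from 39.129.9.180 port 27079 ssh2
Nov 16 20:34:12 hecs-411458 sshd[182971]: Failed password for invalid user rq from 39.129.9.180 port 27742 ssh2
Nov 16 22:31:20 hecs-411458 sshd[183116]: Failed password for root from 211.228.203.123 port 60213 ssh2
Nov 17 11:44:26 hecs-411458 sshd[184811]: Failed password for invalid user jsh from 43.157.103.27 port 54608 ssh2
Nov 17 11:47:23 hecs-411458 sshd[184818]: Failed password for invalid user mrunal from 43.157.103.27 port 50448 ssh2
"""

# Both shapes of the sshd failure line: "for root from ..." when the account
# exists, "for invalid user share from ..." when it does not.
FAILED_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failed_logins(lines):
    """Yield (host, source_ip, username, user_is_invalid) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            yield m["host"], m["ip"], m["user"], m["invalid"] is not None


def summarize(lines):
    """Per (host, source_ip): attempts, distinct usernames, and how many used a non-existent user."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for host, ip, user, invalid in parse_failed_logins(lines):
        s = stats[(host, ip)]
        s["attempts"] += 1
        s["users"].add(user)
        s["invalid"] += int(invalid)
    return dict(stats)


def classify(stat):
    """'password-guessing' when every attempt targets an account that exists (root, usually),
    'username-dictionary' when every attempt uses a name that does not, 'mixed' otherwise."""
    if stat["invalid"] == 0:
        return "password-guessing"
    if stat["invalid"] == stat["attempts"]:
        return "username-dictionary"
    return "mixed"


def report(lines):
    """Rows of (host, ip, attempts, distinct_users, pattern), busiest source first."""
    rows = [(host, ip, s["attempts"], len(s["users"]), classify(s))
            for (host, ip), s in summarize(lines).items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def ban_candidates(lines, threshold=3):
    """Source IPs with at least `threshold` failures on some host: what a fail2ban jail would block."""
    return sorted({ip for _, ip, attempts, _, _ in report(lines) if attempts >= threshold})


if __name__ == "__main__":
    for row in report(SAMPLE_AUTH_LOG.splitlines()):
        print(row)
    print("ban:", ban_candidates(SAMPLE_AUTH_LOG.splitlines()))
```

Two sources on aliyun-sh only ever try root, while 139.9.233.78 there and 39.129.9.180 and 43.157.103.27 on hecs-411458 never repeat a username: that is the "dictionary phase" the post describes, made visible as a label. On hosts that log only to journald, `journalctl -u sshd` (the unit is `ssh` on Debian and Ubuntu) yields the same lines for the parser.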

Afterword

For a developer's own server: Windows reachable from the public internet needs an allowlist, and on Linux it is best to disable password login and enable key-file login.
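A check for the Linux half of that advice, added here as an example and not taken from the post: it reads an sshd_config text the way sshd resolves it (keywords are case-insensitive, the first value for a keyword wins, anything after a Match block is conditional) and reports every directive that still lets password guessing through, including ones that are weak merely because they were left at their default. The three config texts are constructed; the defaults in POLICY are OpenSSH's documented ones (sshd_config(5)).

```python
import re

# Directives that decide whether sshd will accept password guesses at all.
# `want` is what the afterword recommends; `default` is what OpenSSH uses when
# the directive is absent. KbdInteractiveAuthentication is the keyword older
# releases spell ChallengeResponseAuthentication.
POLICY = {
    "passwordauthentication":       {"want": {"no"}, "default": "yes"},
    "kbdinteractiveauthentication": {"want": {"no"}, "default": "yes"},
    "pubkeyauthentication":         {"want": {"yes"}, "default": "yes"},
    "permitrootlogin":              {"want": {"no", "prohibit-password"}, "default": "prohibit-password"},
}

# Constructed: a typical fresh cloud image, root and passwords wide open.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the afterword's recommendation written out. Key login stays on,
# every password path is off, root can only come in with a key.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

# Constructed: a common mistake. sshd keeps the FIRST value it reads for a
# keyword, so the "no" appended at the bottom of the file changes nothing.
TRAP_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin prohibit-password
# the "no" below is read after the "yes" above, so sshd ignores it
PasswordAuthentication no
"""


def effective_settings(config_text):
    """Resolve directives as sshd does for an ordinary login: lowercase keyword,
    first occurrence wins, and parsing stops at the first Match block because
    everything after it applies only conditionally."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):             # blank lines and comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)    # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                  # first value wins
    return settings


def audit(config_text):
    """(directive, effective_value, recommended) for every policy directive that is
    weak, whether it was set explicitly or merely left at its default."""
    effective = effective_settings(config_text)
    findings = []
    for key, rule in POLICY.items():
        value = effective.get(key, rule["default"]).lower()
        if value not in rule["want"]:
            findings.append((key, value, "/".join(sorted(rule["want"]))))
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("trap", TRAP_CONFIG)]:
        print(name, audit(cfg) or "OK")
```

The audit does not follow `Include` lines; on some Ubuntu cloud images `/etc/ssh/sshd_config.d/50-cloud-init.conf` is included near the top of sshd_config and sets `PasswordAuthentication yes`, which wins over a later `no` in the main file for exactly the first-value-wins reason the TRAP_CONFIG shows. `sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'` prints what sshd actually resolved. Confirm key login works from a second session before reloading sshd, or the allowlist and the lockout will apply to you as well.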