Good day,
my vServer at kab-s.de is constantly being scanned by bots, and they keep trying to brute-force their way into exposed user accounts. The question now is how best to respond to this. First, a few lines from the log files:
auth.log
Example of brute force
Sep 10 10:00:11 kab-s sshd[20416]: Failed password for root from 223.4.26.144 port 24511 ssh2
Sep 10 10:00:14 kab-s sshd[21365]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 10:00:14 kab-s sshd[21365]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144 user=root
Sep 10 10:00:16 kab-s sshd[21365]: Failed password for root from 223.4.26.144 port 24697 ssh2
Sep 10 10:00:19 kab-s sshd[21810]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 10:00:19 kab-s sshd[21810]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144 user=root
Sep 10 10:00:21 kab-s sshd[21810]: Failed password for root from 223.4.26.144 port 24881 ssh2
Sep 10 10:00:24 kab-s sshd[21903]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
and
Sep 10 05:06:43 kab-s sshd[842]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 05:06:43 kab-s sshd[842]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144
Sep 10 05:06:46 kab-s sshd[842]: Failed password for invalid user www from 223.4.26.144 port 63892 ssh2
Sep 10 05:06:48 kab-s sshd[986]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 05:06:48 kab-s sshd[986]: Invalid user www from 223.4.26.144
Sep 10 05:06:48 kab-s sshd[986]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 05:06:48 kab-s sshd[986]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144
Sep 10 05:06:50 kab-s sshd[986]: Failed password for invalid user www from 223.4.26.144 port 64094 ssh2
Sep 10 05:06:53 kab-s sshd[1186]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 05:06:53 kab-s sshd[1186]: Invalid user www from 223.4.26.144
Sep 10 05:06:53 kab-s sshd[1186]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 05:06:53 kab-s sshd[1186]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144
Sep 10 05:06:55 kab-s sshd[1186]: Failed password for invalid user www from 223.4.26.144 port 64295 ssh2
Sep 10 05:06:58 kab-s sshd[1376]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 05:06:58 kab-s sshd[1376]: Invalid user www from 223.4.26.144
Sep 10 05:06:58 kab-s sshd[1376]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 05:06:58 kab-s sshd[1376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144
Sep 10 05:07:00 kab-s sshd[1376]: Failed password for invalid user www from 223.4.26.144 port 64493 ssh2
Sep 10 05:07:03 kab-s sshd[1714]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 10 05:07:03 kab-s sshd[1714]: Invalid user www from 223.4.26.144
Sep 10 05:07:03 kab-s sshd[1714]: pam_unix(sshd:auth): check pass; user unknown
Sep 10 05:07:03 kab-s sshd[1714]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144
Sep 10 05:07:05 kab-s sshd[1714]: Failed password for invalid user www from 223.4.26.144 port 64695 ssh2
Sep 10 05:07:08 kab-s sshd[2257]: reverse mapping checking getaddrinfo for ip223.hichina.com [223.4.26.144] failed - POSSIBLE BREAK-IN ATTEMPT!
In addition, the Apache log files also show scans:
218.201.121.99 - - [04/Sep/2012:17:14:42 +0200] "GET /manager/html HTTP/1.1" 404 530 "-" "-"
91.150.201.195 - - [04/Sep/2012:17:33:09 +0200] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 200 1187 "-" "Mozilla/5.0"
211.154.213.122 - - [04/Sep/2012:21:40:13 +0200] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 489 "-" "ZmEu"
211.154.213.122 - - [04/Sep/2012:21:40:14 +0200] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
211.154.213.122 - - [04/Sep/2012:21:40:15 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 479 "-" "ZmEu"
211.154.213.122 - - [04/Sep/2012:21:40:15 +0200] "GET /pma/scripts/setup.php HTTP/1.1" 404 474 "-" "ZmEu"
211.154.213.122 - - [04/Sep/2012:21:40:16 +0200] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
211.154.213.122 - - [04/Sep/2012:21:40:17 +0200] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 404 478 "-" "ZmEu"
94.75.209.131 - - [05/Sep/2012:14:11:27 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 505 "-" "-"
I will probably install a Fail2Ban script, and I have already made sure that the root account can only log in over SSH with a key file. PHP scripts also run under their respective user to avoid privilege escalation. I am still unhappy with the situation, since my logs are constantly exploding and I have to review them to make sure that nobody unauthorized is misusing the server. Have you had experience with scans like these, and how should one react to them?
Greetings from Marburg
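As an added example that is not part of the original post: a small Python script that applies Fail2Ban-style counting to auth.log lines in the format shown above, flagging any source host that reaches `maxretry` failed SSH logins inside a sliding `findtime` window. The sample lines, the hosts 198.51.100.7 and 203.0.113.5, and the thresholds are constructed for the demo; the 223.4.26.144 lines follow the post's own log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the auth.log format from the post (syslog lines have no year).
SAMPLE_AUTH_LOG = """\
Sep 10 10:00:11 kab-s sshd[20416]: Failed password for root from 223.4.26.144 port 24511 ssh2
Sep 10 10:00:14 kab-s sshd[21365]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.4.26.144 user=root
Sep 10 10:00:16 kab-s sshd[21365]: Failed password for root from 223.4.26.144 port 24697 ssh2
Sep 10 10:00:21 kab-s sshd[21810]: Failed password for root from 223.4.26.144 port 24881 ssh2
Sep 10 10:00:26 kab-s sshd[21903]: Failed password for invalid user www from 223.4.26.144 port 25001 ssh2
Sep 10 10:05:00 kab-s sshd[30001]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Sep 10 10:30:00 kab-s sshd[30002]: Accepted publickey for deploy from 203.0.113.5 port 50000 ssh2
"""

# Matches only the "Failed password" lines; "invalid user" is optional, as in the post's logs.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2012):
    """Return a list of (timestamp, ip, user) for each failed-password line.
    The year is supplied by the caller because syslog timestamps omit it."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            failures.append((ts, m["ip"], m["user"]))
    return failures


def offending_hosts(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: total_failures} for hosts with >= maxretry failures inside
    any findtime window (the same sliding-window rule Fail2Ban applies)."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:
                start += 1            # drop attempts older than the window
            if end - start + 1 >= maxretry:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in offending_hosts(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {n} failed logins, candidate for a temporary firewall ban")
```

Running the script flags only 223.4.26.144; the single failure from 198.51.100.7 stays below the threshold, which is the behaviour you want so that one mistyped password does not lock out a legitimate admin.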