  • Brute-force access attempt

    Published on 20 July 2016 by omyasuda, no comments

    As soon as the machine is opened to external access, the “brute-force” login attempts begin!

    ==> /var/log/auth.log <==
    Jul 20 09:58:25 Tardigrado-2 sshd[516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.194.229.6 user=root
    Jul 20 09:58:27 Tardigrado-2 sshd[516]: Failed password for root from 122.194.229.6 port 17778 ssh2
    Jul 20 09:58:30 Tardigrado-2 sshd[516]: Failed password for root from 122.194.229.6 port 17778 ssh2
    Jul 20 09:58:32 Tardigrado-2 sshd[516]: Failed password for root from 122.194.229.6 port 17778 ssh2
    Jul 20 09:58:32 Tardigrado-2 sshd[516]: Received disconnect from 122.194.229.6: 11: [preauth]

    One tool that has been helping is fail2ban.

    ==> /var/log/fail2ban.log <==
    2016-07-20 10:01:00,147 fail2ban.actions[1213]: WARNING [ssh] Ban 122.194.229.6
    2016-07-20 10:11:00,803 fail2ban.actions[1213]: WARNING [ssh] Unban 218.65.30.4

  • Tardigrado: Unauthorized access attempt

    Published on 4 January 2016 by omyasuda, no comments

    I have been noticing the messages

    Jan 4 10:09:32 tardigrado sshd[10582]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.145.85 user=root
    Jan 4 10:09:34 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:37 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:41 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:45 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:49 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:53 tardigrado sshd[10582]: Failed password for root from 113.195.145.85 port 7408 ssh2
    Jan 4 10:09:53 tardigrado sshd[10582]: Disconnecting: Too many authentication failures for root from 113.195.145.85 port 7408 ssh2 [preauth]
    Jan 4 10:09:53 tardigrado sshd[10582]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.145.85 user=root
    Jan 4 10:09:53 tardigrado sshd[10582]: PAM service(sshd) ignoring max retries; 6 > 3
    Jan 4 10:10:01 tardigrado sshd[10584]: reverse mapping checking getaddrinfo for 85.145.195.113.adsl-pool.jx.chinaunicom.com [113.195.145.85] failed – POSSIBLE BREAK-IN ATTEMP

    in Tardigrado’s /var/log/auth.log! The suspicion is an attempt at unauthorized access to this system by a “brute-force” attack: the same root password tried repeatedly from one address until sshd disconnects it for too many failures.

    fail2ban

    This program, written in Python, monitors the log files and adjusts the security settings (firewall rules) to make the attackers’ job harder: an address that fails too many times in a short period is banned for a while and later unbanned, as the Ban/Unban lines in /var/log/fail2ban.log show.
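    To show what fail2ban is doing with these lines, here is an added example (not fail2ban’s code, nor the post author’s) that parses the “Failed password” entries from auth.log and flags a source address once it reaches `maxretry` failures inside a `findtime`-second window, the two knobs fail2ban uses. The sample lines and the documentation-range addresses (192.0.2.10, 198.51.100.7) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd "Failed password" lines seen in /var/log/auth.log
# (syslog timestamp, host, sshd[pid], user, source address, port).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "Jul 20 09:00:00 host sshd[501]: Failed password for admin from 198.51.100.7 port 4001 ssh2",
    "Jul 20 09:20:00 host sshd[502]: Failed password for invalid user admin from 198.51.100.7 port 4002 ssh2",
    "Jul 20 09:40:00 host sshd[503]: Failed password for root from 198.51.100.7 port 4003 ssh2",
    "Jul 20 09:58:25 host sshd[516]: pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10 user=root",
    "Jul 20 09:58:27 host sshd[516]: Failed password for root from 192.0.2.10 port 17778 ssh2",
    "Jul 20 09:58:30 host sshd[516]: Failed password for root from 192.0.2.10 port 17778 ssh2",
    "Jul 20 09:58:32 host sshd[516]: Failed password for root from 192.0.2.10 port 17778 ssh2",
    "Jul 20 09:58:35 host sshd[516]: Failed password for root from 192.0.2.10 port 17778 ssh2",
    "Jul 20 09:58:36 host sshd[516]: Received disconnect from 192.0.2.10: 11: [preauth]",
]

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bruteforce(lines, maxretry=3, findtime=600, year=2016):
    """Return {ip: total_failures} for each source that reaches `maxretry`
    failed passwords within any `findtime`-second window (a simplified,
    hypothetical re-implementation of fail2ban's counting, not its code)."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"], year))
    window = timedelta(seconds=findtime)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:    # enough hits inside findtime
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"would ban {ip}: {n} failed passwords")
```

    With the defaults, 198.51.100.7 is not flagged because its three failures are spread over forty minutes; widen `findtime` to an hour and it is.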

    References

    1. ~$ sudo tail -F /var/log/*.log – to follow the most recent lines of the system logs.
    2. The Beginner’s Guide to iptables, the Linux Firewall