
#1 On 06/08/2016 at 23:14

popelop

Hostile SSH login attempts

Hello everyone,
I recently installed logwatch to see what was happening on the system.
Here is the log: http://paste.ubuntu.com/22496416/
You can see that there are a number of login attempts to the root account over ssh. A priori this isn't a problem, since the root account is disabled. However, I'd like to know how to protect myself against this kind of attack, whether there are other attacks of this kind, and what countermeasures are possible.
Do you see anything else abnormal in the log?

Thanks in advance

Last edited by popelop (06/08/2016, 23:15)


#2 On 06/08/2016 at 23:56

patked

Re: Hostile SSH login attempts

Hello

I recommend installing fail2ban. See the very clear documentation on ubuntu.fr. It's IP address blacklisting.
I used it because I had the same problem. After a while the attacker goes elsewhere, but sometimes it takes time :-)

But you are better protected.

See you


#3 On 07/08/2016 at 01:09

popelop

Re: Hostile SSH login attempts

Not sure that's enough, because here the connection attempts apparently never come more than 2 or 3 times from the same IP.


#4 On 07/08/2016 at 09:42

lynn

Re: Hostile SSH login attempts

Hello,

The attacker attempts a connection that will inexorably fail; the system is only telling you, through the system log, that such and such an IP tried to log in to the root account and failed.
So yes, it "fills up" the logs, but in reality you cannot stop someone from coming and trying to connect to your IP, even if it fails...

Here is my auth.log from today, starting at midnight. I only kept the parts that interest us (sshd). Some even tried key-based connections... Clever ones.. lol

Aug  7 00:03:14 ubuntu sshd[13108]: User root not allowed because account is locked
Aug  7 00:03:14 ubuntu sshd[13108]: input_userauth_request: invalid user root [preauth]
Aug  7 00:03:14 ubuntu sshd[13108]: Received disconnect from 221.194.44.219 port 37491:11:  [preauth]
Aug  7 00:03:14 ubuntu sshd[13108]: Disconnected from 221.194.44.219 port 37491 [preauth]
Aug  7 00:16:39 ubuntu sshd[3121]: Received SIGHUP; restarting.
Aug  7 00:16:39 ubuntu sshd[3121]: Server listening on 0.0.0.0 port 22.
Aug  7 00:16:39 ubuntu sshd[3121]: Server listening on :: port 22.
Aug  7 00:16:41 ubuntu sshd[3121]: Received SIGHUP; restarting.
Aug  7 00:16:41 ubuntu sshd[3121]: Server listening on 0.0.0.0 port 22.
Aug  7 00:16:41 ubuntu sshd[3121]: Server listening on :: port 22.
Aug  7 00:16:57 ubuntu sshd[3121]: Received SIGHUP; restarting.
Aug  7 00:16:57 ubuntu sshd[3121]: Server listening on 0.0.0.0 port 22.
Aug  7 00:16:57 ubuntu sshd[3121]: Server listening on :: port 22.
Aug  7 00:16:57 ubuntu sshd[3121]: Received SIGHUP; restarting.
Aug  7 00:16:57 ubuntu sshd[3121]: Server listening on 0.0.0.0 port 22.
Aug  7 00:16:57 ubuntu sshd[3121]: Server listening on :: port 22.
Aug  7 00:30:42 ubuntu sshd[14766]: User root not allowed because account is locked
Aug  7 00:30:42 ubuntu sshd[14766]: input_userauth_request: invalid user root [preauth]
Aug  7 00:30:42 ubuntu sshd[14766]: Received disconnect from 221.194.44.223 port 46640:11:  [preauth]
Aug  7 00:30:42 ubuntu sshd[14766]: Disconnected from 221.194.44.223 port 46640 [preauth]
Aug  7 00:34:13 ubuntu sshd[14890]: Bad protocol version identification 'GET / HTTP/1.1' from 187.49.206.112 port 33479
Aug  7 00:57:41 ubuntu sshd[15831]: User root not allowed because account is locked
Aug  7 00:57:41 ubuntu sshd[15831]: input_userauth_request: invalid user root [preauth]
Aug  7 00:57:41 ubuntu sshd[15831]: Received disconnect from 221.194.44.218 port 42931:11:  [preauth]
Aug  7 00:57:41 ubuntu sshd[15831]: Disconnected from 221.194.44.218 port 42931 [preauth]
Aug  7 00:59:50 ubuntu sshd[15904]: Invalid user richard from 50.206.17.2
Aug  7 00:59:50 ubuntu sshd[15904]: input_userauth_request: invalid user richard [preauth]
Aug  7 00:59:51 ubuntu sshd[15904]: Connection closed by 50.206.17.2 port 12085 [preauth]
Aug  7 01:24:36 ubuntu sshd[16877]: User root not allowed because account is locked
Aug  7 01:24:36 ubuntu sshd[16877]: input_userauth_request: invalid user root [preauth]
Aug  7 01:24:36 ubuntu sshd[16877]: Received disconnect from 221.194.44.223 port 54514:11:  [preauth]
Aug  7 01:24:36 ubuntu sshd[16877]: Disconnected from 221.194.44.223 port 54514 [preauth]
Aug  7 01:43:55 ubuntu sshd[17609]: User root not allowed because account is locked
Aug  7 01:43:55 ubuntu sshd[17609]: input_userauth_request: invalid user root [preauth]
Aug  7 01:43:55 ubuntu sshd[17609]: Received disconnect from 221.194.44.219 port 42713:11:  [preauth]
Aug  7 01:43:55 ubuntu sshd[17609]: Disconnected from 221.194.44.219 port 42713 [preauth]
Aug  7 02:10:23 ubuntu sshd[18642]: User root not allowed because account is locked
Aug  7 02:10:23 ubuntu sshd[18642]: input_userauth_request: invalid user root [preauth]
Aug  7 02:10:23 ubuntu sshd[18642]: Received disconnect from 221.194.44.194 port 47529:11:  [preauth]
Aug  7 02:10:23 ubuntu sshd[18642]: Disconnected from 221.194.44.194 port 47529 [preauth]
Aug  7 02:42:51 ubuntu sshd[19887]: User root not allowed because account is locked
Aug  7 02:42:51 ubuntu sshd[19887]: input_userauth_request: invalid user root [preauth]
Aug  7 02:42:52 ubuntu sshd[19887]: Received disconnect from 221.194.44.216 port 33946:11:  [preauth]
Aug  7 02:42:52 ubuntu sshd[19887]: Disconnected from 221.194.44.216 port 33946 [preauth]
Aug  7 03:09:58 ubuntu sshd[20950]: User root not allowed because account is locked
Aug  7 03:09:58 ubuntu sshd[20950]: input_userauth_request: invalid user root [preauth]
Aug  7 03:09:58 ubuntu sshd[20950]: Received disconnect from 221.194.44.227 port 38779:11:  [preauth]
Aug  7 03:09:58 ubuntu sshd[20950]: Disconnected from 221.194.44.227 port 38779 [preauth]
Aug  7 03:34:18 ubuntu sshd[21845]: User root not allowed because account is locked
Aug  7 03:34:18 ubuntu sshd[21845]: input_userauth_request: invalid user root [preauth]
Aug  7 03:34:23 ubuntu sshd[21845]: Received disconnect from 221.194.44.219 port 33894:11:  [preauth]
Aug  7 03:34:23 ubuntu sshd[21845]: Disconnected from 221.194.44.219 port 33894 [preauth]
Aug  7 04:05:55 ubuntu sshd[23066]: User root not allowed because account is locked
Aug  7 04:05:55 ubuntu sshd[23066]: input_userauth_request: invalid user root [preauth]
Aug  7 04:05:56 ubuntu sshd[23066]: Received disconnect from 221.194.44.227 port 35997:11:  [preauth]
Aug  7 04:05:56 ubuntu sshd[23066]: Disconnected from 221.194.44.227 port 35997 [preauth]
Aug  7 04:11:44 ubuntu sshd[23340]: Did not receive identification string from 191.98.163.9
Aug  7 04:16:29 ubuntu sshd[23499]: User root not allowed because account is locked
Aug  7 04:16:29 ubuntu sshd[23499]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:30 ubuntu sshd[23499]: Connection closed by 191.98.163.9 port 35156 [preauth]
Aug  7 04:16:36 ubuntu sshd[23501]: User root not allowed because account is locked
Aug  7 04:16:36 ubuntu sshd[23501]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:37 ubuntu sshd[23501]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:16:43 ubuntu sshd[23513]: User root not allowed because account is locked
Aug  7 04:16:43 ubuntu sshd[23513]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:43 ubuntu sshd[23513]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:16:46 ubuntu sshd[23515]: User root not allowed because account is locked
Aug  7 04:16:46 ubuntu sshd[23515]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:47 ubuntu sshd[23515]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:16:50 ubuntu sshd[23517]: User root not allowed because account is locked
Aug  7 04:16:50 ubuntu sshd[23517]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:51 ubuntu sshd[23517]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:16:53 ubuntu sshd[23519]: User root not allowed because account is locked
Aug  7 04:16:53 ubuntu sshd[23519]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:54 ubuntu sshd[23519]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:16:57 ubuntu sshd[23521]: User root not allowed because account is locked
Aug  7 04:16:57 ubuntu sshd[23521]: input_userauth_request: invalid user root [preauth]
Aug  7 04:16:57 ubuntu sshd[23521]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:00 ubuntu sshd[23523]: User root not allowed because account is locked
Aug  7 04:17:00 ubuntu sshd[23523]: input_userauth_request: invalid user root [preauth]
Aug  7 04:17:01 ubuntu sshd[23523]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:04 ubuntu sshd[23528]: Invalid user nagios from 191.98.163.9
Aug  7 04:17:04 ubuntu sshd[23528]: input_userauth_request: invalid user nagios [preauth]
Aug  7 04:17:04 ubuntu sshd[23528]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:06 ubuntu sshd[23532]: Invalid user xerox from 191.98.163.9
Aug  7 04:17:06 ubuntu sshd[23532]: input_userauth_request: invalid user xerox [preauth]
Aug  7 04:17:07 ubuntu sshd[23532]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:09 ubuntu sshd[23555]: Invalid user webadm from 191.98.163.9
Aug  7 04:17:09 ubuntu sshd[23555]: input_userauth_request: invalid user webadm [preauth]
Aug  7 04:17:09 ubuntu sshd[23555]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:11 ubuntu sshd[23557]: Invalid user ubuntu from 191.98.163.9
Aug  7 04:17:11 ubuntu sshd[23557]: input_userauth_request: invalid user ubuntu [preauth]
Aug  7 04:17:12 ubuntu sshd[23557]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:14 ubuntu sshd[23559]: Invalid user tomcat from 191.98.163.9
Aug  7 04:17:14 ubuntu sshd[23559]: input_userauth_request: invalid user tomcat [preauth]
Aug  7 04:17:15 ubuntu sshd[23559]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:17 ubuntu sshd[23561]: Invalid user share from 191.98.163.9
Aug  7 04:17:17 ubuntu sshd[23561]: input_userauth_request: invalid user share [preauth]
Aug  7 04:17:17 ubuntu sshd[23561]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:20 ubuntu sshd[23563]: Invalid user postgres from 191.98.163.9
Aug  7 04:17:20 ubuntu sshd[23563]: input_userauth_request: invalid user postgres [preauth]
Aug  7 04:17:20 ubuntu sshd[23563]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:22 ubuntu sshd[23565]: Invalid user debian from 191.98.163.9
Aug  7 04:17:22 ubuntu sshd[23565]: input_userauth_request: invalid user debian [preauth]
Aug  7 04:17:23 ubuntu sshd[23565]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 05:07:42 ubuntu sshd[25533]: User root not allowed because account is locked
Aug  7 05:07:42 ubuntu sshd[25533]: input_userauth_request: invalid user root [preauth]
Aug  7 05:07:42 ubuntu sshd[25533]: Received disconnect from 221.194.44.218 port 45719:11:  [preauth]
Aug  7 05:07:42 ubuntu sshd[25533]: Disconnected from 221.194.44.218 port 45719 [preauth]
Aug  7 05:20:38 ubuntu sshd[25973]: User root not allowed because account is locked
Aug  7 05:20:38 ubuntu sshd[25973]: input_userauth_request: invalid user root [preauth]
Aug  7 05:20:38 ubuntu sshd[25975]: User root not allowed because account is locked
Aug  7 05:20:38 ubuntu sshd[25975]: input_userauth_request: invalid user root [preauth]
Aug  7 05:20:38 ubuntu sshd[25973]: Received disconnect from 116.31.116.43 port 20455:11:  [preauth]
Aug  7 05:20:38 ubuntu sshd[25973]: Disconnected from 116.31.116.43 port 20455 [preauth]
Aug  7 05:20:38 ubuntu sshd[25975]: Received disconnect from 116.31.116.43 port 20541:11:  [preauth]
Aug  7 05:20:38 ubuntu sshd[25975]: Disconnected from 116.31.116.43 port 20541 [preauth]
Aug  7 05:41:06 ubuntu sshd[26805]: Did not receive identification string from 190.60.95.14
Aug  7 05:43:27 ubuntu sshd[26897]: Received disconnect from 190.60.95.14 port 49531:11: Bye Bye [preauth]
Aug  7 05:43:27 ubuntu sshd[26897]: Disconnected from 190.60.95.14 port 49531 [preauth]
Aug  7 05:58:48 ubuntu sshd[27486]: User root not allowed because account is locked
Aug  7 05:58:48 ubuntu sshd[27486]: input_userauth_request: invalid user root [preauth]
Aug  7 05:58:48 ubuntu sshd[27486]: Received disconnect from 221.194.44.223 port 42055:11:  [preauth]
Aug  7 05:58:48 ubuntu sshd[27486]: Disconnected from 221.194.44.223 port 42055 [preauth]
Aug  7 06:38:43 ubuntu sshd[29057]: User root not allowed because account is locked
Aug  7 06:38:43 ubuntu sshd[29057]: input_userauth_request: invalid user root [preauth]
Aug  7 06:38:43 ubuntu sshd[29057]: Received disconnect from 221.194.44.219 port 52915:11:  [preauth]
Aug  7 06:38:43 ubuntu sshd[29057]: Disconnected from 221.194.44.219 port 52915 [preauth]
Aug  7 08:08:05 ubuntu sshd[32740]: fatal: Unable to negotiate with 212.83.163.52 port 55443: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:07 ubuntu sshd[32742]: fatal: Unable to negotiate with 212.83.163.52 port 56893: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:09 ubuntu sshd[32744]: fatal: Unable to negotiate with 212.83.163.52 port 57454: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:10 ubuntu sshd[32746]: fatal: Unable to negotiate with 212.83.163.52 port 57555: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:11 ubuntu sshd[32748]: fatal: Unable to negotiate with 212.83.163.52 port 57855: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:12 ubuntu sshd[32750]: fatal: Unable to negotiate with 212.83.163.52 port 58057: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:13 ubuntu sshd[32752]: fatal: Unable to negotiate with 212.83.163.52 port 58225: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:15 ubuntu sshd[32754]: fatal: Unable to negotiate with 212.83.163.52 port 59031: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:16 ubuntu sshd[32758]: fatal: Unable to negotiate with 212.83.163.52 port 59230: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:17 ubuntu sshd[32760]: fatal: Unable to negotiate with 212.83.163.52 port 60704: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:19 ubuntu sshd[300]: fatal: Unable to negotiate with 212.83.163.52 port 61493: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:20 ubuntu sshd[302]: fatal: Unable to negotiate with 212.83.163.52 port 62253: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:22 ubuntu sshd[304]: fatal: Unable to negotiate with 212.83.163.52 port 62773: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:23 ubuntu sshd[306]: fatal: Unable to negotiate with 212.83.163.52 port 63127: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:24 ubuntu sshd[308]: fatal: Unable to negotiate with 212.83.163.52 port 63677: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:25 ubuntu sshd[310]: fatal: Unable to negotiate with 212.83.163.52 port 63985: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:26 ubuntu sshd[312]: fatal: Unable to negotiate with 212.83.163.52 port 64631: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:08:27 ubuntu sshd[314]: fatal: Unable to negotiate with 212.83.163.52 port 49497: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Aug  7 08:11:15 ubuntu sshd[413]: User root not allowed because account is locked
Aug  7 08:11:15 ubuntu sshd[413]: input_userauth_request: invalid user root [preauth]
Aug  7 08:11:16 ubuntu sshd[413]: Received disconnect from 221.194.44.223 port 56536:11:  [preauth]
Aug  7 08:11:16 ubuntu sshd[413]: Disconnected from 221.194.44.223 port 56536 [preauth]
Aug  7 08:17:03 ubuntu sshd[803]: Did not receive identification string from 113.108.21.16
Aug  7 08:17:45 ubuntu sshd[828]: User root not allowed because account is locked
Aug  7 08:17:45 ubuntu sshd[828]: input_userauth_request: invalid user root [preauth]
Aug  7 08:17:46 ubuntu sshd[828]: Received disconnect from 221.194.44.216 port 44379:11:  [preauth]
Aug  7 08:17:46 ubuntu sshd[828]: Disconnected from 221.194.44.216 port 44379 [preauth]

Moderation: in future, please use code tags (explanations here).

Last edited by cqfd93 (07/08/2016, 18:15)


«Just because many of them are wrong doesn't mean they're right!»

Coluche

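Counting the excerpt above correctly needs one detail: the "not allowed because account is locked" and "invalid user" lines carry no client address, which only arrives on a later line for the same sshd PID. The following Python is an added example, not part of the thread: it joins those lines by PID on a constructed sample built from the addresses seen in the excerpt, counts failures per IP and per /24, and applies the per-IP maxretry-within-findtime rule a fail2ban sshd jail uses, which shows why attempts spread across a block (221.194.44.x) or kept to 2 or 3 per IP, as popelop noted, stay under the usual threshold while a threshold of 1 or a per-/24 view catches them. The sample lines and the 10-minute window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the auth.log format shown above (assumed lines, using
# the client addresses from the excerpt); the failure lines carry no address.
SAMPLE_LOG = """\
Aug  7 00:03:14 ubuntu sshd[13108]: User root not allowed because account is locked
Aug  7 00:03:14 ubuntu sshd[13108]: input_userauth_request: invalid user root [preauth]
Aug  7 00:03:14 ubuntu sshd[13108]: Received disconnect from 221.194.44.219 port 37491:11:  [preauth]
Aug  7 00:30:42 ubuntu sshd[14766]: User root not allowed because account is locked
Aug  7 00:30:42 ubuntu sshd[14766]: Received disconnect from 221.194.44.223 port 46640:11:  [preauth]
Aug  7 00:59:50 ubuntu sshd[15904]: Invalid user richard from 50.206.17.2
Aug  7 04:16:29 ubuntu sshd[23499]: User root not allowed because account is locked
Aug  7 04:16:30 ubuntu sshd[23499]: Connection closed by 191.98.163.9 port 35156 [preauth]
Aug  7 04:16:36 ubuntu sshd[23501]: User root not allowed because account is locked
Aug  7 04:16:37 ubuntu sshd[23501]: Connection closed by 191.98.163.9 port 9224 [preauth]
Aug  7 04:17:04 ubuntu sshd[23528]: Invalid user nagios from 191.98.163.9
Aug  7 04:17:06 ubuntu sshd[23532]: Invalid user xerox from 191.98.163.9
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:from|by) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
FAIL_MARKERS = ("not allowed because account is locked", "invalid user ")


def parse_failed_attempts(log_text, year=2016):
    """One (timestamp, ip) per sshd connection (PID) that failed authentication,
    joining the failure line with the address line of the same PID."""
    failed, ips, counted, attempts = {}, {}, set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("pid") in counted:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if any(marker in msg.lower() for marker in FAIL_MARKERS):
            failed.setdefault(pid, datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
        ip = IP_RE.search(msg)
        if ip:
            ips.setdefault(pid, ip.group("ip"))
        if pid in failed and pid in ips:          # both halves seen: count it once
            attempts.append((failed.pop(pid), ips.pop(pid)))
            counted.add(pid)
    return attempts

def per_source_counts(attempts):
    """Failures per IP and per /24: a scanner rotating through one block
    (221.194.44.x above) stays under a per-IP threshold but not a per-/24 one."""
    by_ip = Counter(ip for _, ip in attempts)
    by_net = Counter(ip.rsplit(".", 1)[0] + ".0/24" for _, ip in attempts)
    return by_ip, by_net

def would_ban(attempts, maxretry, findtime=timedelta(minutes=10)):
    """Addresses reaching `maxretry` failures inside a sliding `findtime` window,
    the per-IP rule a fail2ban sshd jail applies (window length assumed)."""
    recent, banned = defaultdict(list), set()
    for ts, ip in sorted(attempts):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```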

#5 On 07/08/2016 at 10:03

popelop

Re: Hostile SSH login attempts

Is this kind of attack common, or is my IP being targeted in particular (I run a cryptocurrency node)?


#6 On 07/08/2016 at 10:28

patked

Re: Hostile SSH login attempts

It's common. If you have a very good connection, like fibre, you can be "interesting". Do you have a website like WordPress on your machine? Or simply a site? I believe that's the case with your "node"? So you are spottable right from the start.
Now, I had set the number of ssh connections to 1, to answer your post #3. So maximum effectiveness. On the other hand, if you yourself get it wrong once remotely, you're blacklisted :-). You can then set a blacklist duration of one hour, so that you don't block yourself for the whole day.
You can set BL=2, but I preferred 1 on my side.

In security, the tool that protects you 100% does not exist. But the more you annoy the hacker, the better the chance he goes elsewhere, especially with automated processes.


#7 On 07/08/2016 at 10:30

lynn

Re: Hostile SSH login attempts

@popelop

All computers are subject to this kind of attack. Your IP is not a particular target but one target among the several billion devices connected to the internet.

Understand that, given the number of attempts these botnets make, at some point, if we take the office PC as an example, there will be someone who has created a root account with ssh access and password authentication, with a judiciously chosen password (like 123456, or no password at all...) and there, bingo! lol

If you have ssh active on your PC, make sure you don't have a root account (it's useless for the ordinary user) and use public/private key authentication.

Last edited by lynn (07/08/2016, 10:32)



#8 On 07/08/2016 at 11:12

Oedipe

Re: Hostile SSH login attempts

Another very useful "precaution"

Don't run your ssh on port 22! (it's the most "tested" port on the whole internet, and for good reason...)
Choose a port > 50000


[Kubuntu 16.04.1 LTS "Xenial" - Kernel 4.4.0-53 (x86_64) + Plasma 5.8.4 + Framework 5.28.0 + Qt 5.6.1]
Nextcloud 11.0.0 server "running at home" - Apache/2.4.25 - PHP/7.0.14.2 (IPV6 & HTTP/2 - WebRTC)

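The advice in this thread (no root login, key-only authentication, a port other than 22) is applied by editing sshd_config, and whether the edit takes effect depends on how sshd reads that file: for most keywords the first value it finds wins, Port accumulates (an added Port 51022 does not close 22), and everything after a Match line is conditional. The audit below is an added example, not from the thread or from OpenSSH; the sshd_config fragment is constructed to show the common mistake of appending hardening lines after the packaged defaults, and the assumed defaults are those of OpenSSH 7.x.

```python
import re

# Constructed sshd_config (assumed), with the thread's three hardening changes
# appended after the packaged defaults instead of replacing them.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
# hardening appended later
PermitRootLogin no
PasswordAuthentication no
Port 51022
Match User backup
    PasswordAuthentication yes
"""

# Keywords sshd accumulates; for every other keyword the first value wins.
MULTI_VALUED = {"port", "listenaddress", "hostkey"}
# Assumed OpenSSH 7.x defaults when a keyword is absent.
DEFAULTS = {"port": ["22"], "permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Global settings as sshd resolves them: comments stripped, keywords
    case-insensitive, 'Key value' or 'Key=value', first value wins except for
    accumulating keywords, and everything after a Match line is conditional."""
    values = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break                      # the rest only applies when the Match matches
        if key in MULTI_VALUED:
            values.setdefault(key, []).append(val)
        else:
            values.setdefault(key, val)
    return values


def audit(config_text):
    """Findings against the thread's advice: root login off, key-only auth,
    and not listening on port 22 (Oedipe suggests a port above 50000)."""
    eff = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if eff["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin resolves to '{eff['permitrootlogin']}', not 'no'")
    if eff["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication still resolves to 'yes'")
    if "22" in eff["port"]:
        findings.append(f"still listening on 22 (ports: {', '.join(eff['port'])})")
    return findings
```

Run `audit(SAMPLE_SSHD_CONFIG)` to see all three findings; moving the three hardening lines above the defaults (or deleting the defaults) clears them.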

#9 On 07/08/2016 at 23:07

popelop

Re: Hostile SSH login attempts

Thanks for the info
