Statement Strongly Condemning the Attacks on Our County Government Portal Web Server
Before the adjustment (excerpt of the attack records):
Time    Server    Port    Type    Attacking address
Aug 17 01:48:44 gqweb sshd[4244]: Illegal user mailman from ::ffff:218.75.79.18
Aug 17 01:48:44 gqweb sshd[4244]: Failed password for illegal user mailman from ::ffff:218.75.79.18 port 53733 ssh2
Aug 17 01:48:44 gqweb sshd[4246]: Illegal user hadoop from ::ffff:218.75.79.18
Aug 17 01:48:45 gqweb sshd[4248]: Failed password for illegal user vsifax from ::ffff:218.75.79.18 port 54205 ssh2
Aug 17 01:48:46 gqweb sshd[4250]: Failed password for squid from ::ffff:218.75.79.18 port 54445 ssh2
Aug 17 01:48:46 gqweb sshd[4252]: Illegal user nutch from ::ffff:218.75.79.18
Aug 17 01:48:46 gqweb sshd[4252]: Failed password for illegal user nutch from ::ffff:218.75.79.18 port 54673 ssh2
Aug 16 20:46:04 gqweb sshd[2225]: Illegal user vicky from ::ffff:60.195.250.54
Aug 16 20:46:04 gqweb sshd[2225]: Failed password for illegal user vicky from ::ffff:60.195.250.54 port 43114 ssh2
Aug 16 20:46:04 gqweb sshd[2227]: Illegal user setup from ::ffff:60.195.250.54
Aug 16 20:46:04 gqweb sshd[2227]: Failed password for illegal user setup from ::ffff:60.195.250.54 port 43227 ssh2
Aug 16 20:46:04 gqweb sshd[2229]: Illegal user setup from ::ffff:60.195.250.54
Aug 16 20:46:04 gqweb sshd[2229]: Failed password for illegal user setup from ::ffff:60.195.250.54 port 43339 ssh2
Aug 16 20:46:05 gqweb sshd[2231]: Illegal user print from ::ffff:60.195.250.54
Aug 16 20:46:05 gqweb sshd[2235]: Failed password for illegal user raul from ::ffff:60.195.250.54 port 43682 ssh2
Aug 15 08:49:40 gqweb sshd[5819]: Illegal user mythtv from ::ffff:211.234.122.134
Aug 15 08:49:40 gqweb sshd[5819]: Failed password for illegal user mythtv from ::ffff:211.234.122.134 port 50319 ssh2
Aug 15 08:49:42 gqweb sshd[5821]: Failed password for root from ::ffff:211.234.122.134 port 50405 ssh2
Aug 15 08:49:47 gqweb sshd[5824]: Illegal user upload from ::ffff:211.234.122.134
Aug 15 08:49:49 gqweb sshd[5840]: Failed password for illegal user status from ::ffff:211.234.122.134 port 51565 ssh2
Aug 15 08:49:50 gqweb sshd[5842]: Failed password for root from ::ffff:211.234.122.134 port 51899 ssh2
Aug 15 08:49:51 gqweb sshd[5844]: Illegal user tomcat from ::ffff:211.234.122.134
Aug 15 08:49:51 gqweb sshd[5844]: Failed password for illegal user tomcat from ::ffff:211.234.122.134 port 51988 ssh2
Aug 15 08:49:51 gqweb sshd[5846]: Illegal user postgres from ::ffff:211.234.122.134
Aug 15 08:49:51 gqweb sshd[5846]: Failed password for illegal user postgres from ::ffff:211.234.122.134 port 52098 ssh2
Aug 7 21:35:52 gqweb sshd[2773]: Failed password for illegal user notes from ::ffff:8.25.128.69 port 60401 ssh2
Aug 7 21:35:54 gqweb sshd[2775]: Illegal user turbo from ::ffff:8.25.128.69
Aug 7 21:35:54 gqweb sshd[2775]: Failed password for illegal user turbo from ::ffff:8.25.128.69 port 60652 ssh2
Aug 7 21:35:57 gqweb sshd[2777]: Illegal user usuario from ::ffff:8.25.128.69
Aug 7 21:36:08 gqweb sshd[2784]: Failed password for illegal user elite from ::ffff:8.25.128.69 port 33351 ssh2
Aug 7 21:36:11 gqweb sshd[2786]: Illegal user ftpuser from ::ffff:8.25.128.69
Aug 7 21:36:11 gqweb sshd[2786]: Failed password for illegal user ftpuser from ::ffff:8.25.128.69 port 33789 ssh2
Aug 7 21:36:14 gqweb sshd[2791]: Illegal user radmin from ::ffff:8.25.128.69
Aug 7 21:36:14 gqweb sshd[2791]: Failed password for illegal user radmin from ::ffff:8.25.128.69 port 33991 ssh2
Aug 7 21:36:16 gqweb sshd[2805]: Illegal user portal from ::ffff:8.25.128.69
Aug 7 21:36:16 gqweb sshd[2805]: Failed password for illegal user portal from ::ffff:8.25.128.69 port 34247 ssh2
Aug 7 21:36:23 gqweb sshd[2807]: Illegal user master from ::ffff:8.25.128.69
Aug 7 21:36:23 gqweb sshd[2807]: Failed password for illegal user master from ::ffff:8.25.128.69 port 34442 ssh2
Aug 7 21:36:25 gqweb sshd[2809]: Illegal user sales from ::ffff:8.25.128.69
Aug 6 22:20:13 gqweb sshd[17294]: Illegal user smikh from ::ffff:124.225.122.1***
Aug 6 22:20:13 gqweb sshd[17294]: Failed password for illegal user smikh from ::ffff:124.225.122.1*** port 46186 ssh2
Aug 6 22:20:14 gqweb sshd[17296]: Illegal user ocadmin from ::ffff:124.225.122.1***
Aug 6 22:20:14 gqweb sshd[17296]: Failed password for illegal user ocadmin from ::ffff:124.225.122.1*** port 46613 ssh2
Aug 6 22:20:15 gqweb sshd[17298]: Illegal user andrius from ::ffff:124.225.122.1***
Aug 6 22:20:15 gqweb sshd[17298]: Failed password for illegal user andrius from ::ffff:124.225.122.1*** port 47144 ssh2
Aug 6 22:20:15 gqweb sshd[17300]: Illegal user backuppc from ::ffff:124.225.122.1***
Aug 6 22:20:15 gqweb sshd[17300]: Failed password for illegal user backuppc from ::ffff:124.225.122.1*** port 47600 ssh2
Aug 6 22:20:16 gqweb sshd[17302]: Illegal user kenneth from ::ffff:124.225.122.1***
Aug 4 23:32:53 gqweb sshd[13443]: Failed password for illegal user setup from ::ffff:61.153.83.93 port 44555 ssh2
Aug 4 23:32:54 gqweb sshd[13445]: Illegal user cvsuser from ::ffff:61.153.83.93
Aug 4 23:32:54 gqweb sshd[13445]: Failed password for illegal user cvsuser from ::ffff:61.153.83.93 port 45073 ssh2
Aug 4 23:32:55 gqweb sshd[13447]: Failed password for root from ::ffff:61.153.83.93 port 45626 ssh2
Aug 4 23:32:56 gqweb sshd[13449]: Illegal user nagios from ::ffff:61.153.83.93
Aug 4 23:32:56 gqweb sshd[13449]: Failed password for illegal user nagios from ::ffff:61.153.83.93 port 46153 ssh2
Aug 4 23:32:57 gqweb sshd[13451]: Illegal user mythtv from ::ffff:61.153.83.93
Aug 4 23:32:57 gqweb sshd[13451]: Failed password for illegal user mythtv from ::ffff:61.153.83.93 port 46791 ssh2
Aug 4 23:32:58 gqweb sshd[13453]: Illegal user fedora from ::ffff:61.153.83.93
After the adjustment (ssh port access log since the adjustment):
Aug 17 13:10:12 gqweb passwd(pam_unix)[15209]: password changed for root
Aug 17 13:10:41 gqweb sshd[15174]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Aug 17 13:10:53 gqweb sshd[15236]: Failed password for weblogic from ::ffff:10.18.60.2 port 2090 ssh2
Aug 17 13:10:57 gqweb sshd[15236]: Failed password for weblogic from ::ffff:10.18.60.2 port 2090 ssh2
Aug 17 13:11:09 gqweb sshd[15238]: Accepted password for root from ::ffff:10.18.60.2 port 2091 ssh2
Aug 17 13:32:58 gqweb sshd[15238]: subsystem request for sftp
Aug 17 13:56:50 gqweb sshd[16344]: Failed password for root from ::ffff:10.18.2.5 port 1053 ssh2
Aug 17 13:56:55 gqweb sshd[16344]: Failed password for root from ::ffff:10.18.2.5 port 1053 ssh2
Aug 17 13:57:23 gqweb sshd[16344]: Accepted password for root from ::ffff:10.18.2.5 port 1053 ssh2
Aug 17 14:00:04 gqweb sshd[16344]: subsystem request for sftp
Aug 17 14:01:12 gqweb sshd[16344]: subsystem request for sftp
Aug 17 14:18:28 gqweb sshd[15238]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Aug 17 14:29:34 gqweb sshd[16344]: Received disconnect from ::ffff:10.18.2.5: 11: Disconnect requested by Windows SSH Client.
Aug 17 14:52:27 gqweb sshd[17746]: Accepted password for root from ::ffff:10.18.60.2 port 1665 ssh2
Aug 17 14:52:33 gqweb sshd[17746]: subsystem request for sftp
Aug 17 15:11:11 gqweb sshd[17746]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Aug 18 06:42:31 gqweb sshd[24668]: Accepted password for root from ::ffff:10.18.60.2 port 1704 ssh2
Aug 18 06:42:34 gqweb sshd[24668]: subsystem request for sftp
Aug 19 06:13:24 gqweb sshd[9542]: Accepted password for root from ::ffff:10.18.60.2 port 2378 ssh2
Aug 19 06:13:27 gqweb sshd[9542]: subsystem request for sftp
Aug 19 10:14:09 gqweb sshd[12530]: Accepted password for root from ::ffff:10.18.60.2 port 3588 ssh2
Aug 19 10:14:11 gqweb sshd[12530]: subsystem request for sftp
Aug 19 10:16:48 gqweb sshd[9542]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Aug 19 10:54:58 gqweb sshd[12530]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Aug 19 15:31:40 gqweb sshd[18695]: Accepted password for root from ::ffff:10.18.2.5 port 1276 ssh2
Aug 19 15:31:52 gqweb sshd[18695]: subsystem request for sftp
Aug 19 17:03:12 gqweb sshd[18695]: Received disconnect from ::ffff:10.18.2.5: 11: Disconnect requested by Windows SSH Client.
Aug 20 10:12:51 gqweb sshd[29971]: Accepted password for root from ::ffff:10.18.60.2 port 3397 ssh2
Aug 20 10:12:54 gqweb sshd[29971]: subsystem request for sftp
Aug 20 10:59:10 gqweb sshd[29971]: Received disconnect from ::ffff:10.18.60.2: 11: Disconnect requested by Windows SSH Client.
Recently the county government portal publishing server (Linux operating system) has been subjected to illegal attacks from multiple IP addresses. From 1 August to 17 August the system log recorded more than 3000 attack entries, with peaks of more than 5 per second during the densest periods. The attackers' main method was brute-force guessing of the ssh (port 22) remote login password: the "Illegal user" lines above are sshd's record of login attempts against accounts that do not exist on the server, and the "Failed password" lines for root and squid are guesses against accounts that do. Although none of the attempts succeeded, we strongly condemn this behaviour and reserve the right to pursue the attackers' legal liability further. Our investigation found that the recent attack sources were concentrated at 218.75.79.18 (China Telecom user, Hangzhou), 60.195.250.54 (Beijing Dianxintong user), 211.234.122.134 (South Korea), 8.25.128.69 (Broomfield, Colorado, USA), 124.225.122.1*** (China Telecom, Haikou, Hainan) and 61.153.83.93 (China Telecom, Ningbo, Zhejiang), among others.
While reserving the right to pursue the attackers' legal liability, on the 17th of this month the County Information Center made a major adjustment to the network configuration and to the security of the external-facing servers: on the firewall, the external servers' previous all-port IP address mapping was changed to single-port mapping, and more than 90% of the ports that had been open to the outside were closed, in particular the ssh port (22) that had recently received the bulk of the attacks. The recent log shows the effect clearly: since the adjustment on the 17th, apart from the normal logins required for work, not a single illegal attack record has been found. (County Information Center: Li Bo)
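The figures in the statement (attack records per source address, the peak rate per second, which sources are external) are the kind of summary a practitioner produces from the raw sshd log, and the same pass over the post-adjustment log is the way to confirm that only expected logins remain. The script below is an added example, not part of the statement or of the county's own tooling. It uses only the Python 3 standard library and the sshd message formats visible in the logs above; the sample log it parses is a constructed handful of lines in that format, so the counts it yields describe the sample, not the 3000+ entries of the real log. It goes a little beyond the statement by splitting private (internal) from public source addresses and by noting, for every accepted login, how many failures preceded it from the same address.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed sample in the same syslog/sshd format as the records quoted in the
# statement (hostname gqweb, IPv4-mapped IPv6 source addresses). Embedded so the
# script runs offline; the numbers it yields describe this sample only.
SAMPLE_LOG = """\
Aug 17 01:48:44 gqweb sshd[4244]: Illegal user mailman from ::ffff:218.75.79.18
Aug 17 01:48:44 gqweb sshd[4244]: Failed password for illegal user mailman from ::ffff:218.75.79.18 port 53733 ssh2
Aug 17 01:48:44 gqweb sshd[4246]: Illegal user hadoop from ::ffff:218.75.79.18
Aug 17 01:48:45 gqweb sshd[4248]: Failed password for illegal user vsifax from ::ffff:218.75.79.18 port 54205 ssh2
Aug 17 01:48:46 gqweb sshd[4250]: Failed password for squid from ::ffff:218.75.79.18 port 54445 ssh2
Aug 15 08:49:42 gqweb sshd[5821]: Failed password for root from ::ffff:211.234.122.134 port 50405 ssh2
Aug 15 08:49:50 gqweb sshd[5842]: Failed password for root from ::ffff:211.234.122.134 port 51899 ssh2
Aug 17 13:10:53 gqweb sshd[15236]: Failed password for weblogic from ::ffff:10.18.60.2 port 2090 ssh2
Aug 17 13:11:09 gqweb sshd[15238]: Accepted password for root from ::ffff:10.18.60.2 port 2091 ssh2
Aug 17 13:56:50 gqweb sshd[16344]: Failed password for root from ::ffff:10.18.2.5 port 1053 ssh2
Aug 17 13:57:23 gqweb sshd[16344]: Accepted password for root from ::ffff:10.18.2.5 port 1053 ssh2
"""

# Syslog prefix (month, day, time, host, "sshd[pid]:") followed by the sshd message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# The three sshd message shapes that appear in the statement's logs.
FAILED_RE = re.compile(r"^Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<ip>\S+)$")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def normalize_ip(raw):
    """Return (address as text, is_private), stripping the ::ffff: IPv4-mapped prefix.

    Unparseable strings (e.g. a redacted address) are returned unchanged and
    treated as external so that they are counted rather than silently dropped.
    """
    try:
        addr = ip_address(raw)
    except ValueError:
        return raw, False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr), addr.is_private


def analyze(log_text):
    failures = Counter()            # failed-password attempts per source address
    users_tried = defaultdict(set)  # distinct account names guessed per source address
    records_per_second = Counter()  # attack records (Illegal user + Failed password) per second
    external = set()                # public source addresses that produced attack records
    accepted = []                   # (timestamp, method, user, ip, failures seen earlier from ip)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (e.g. passwd/pam_unix entries)
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        msg = m.group("msg")
        failed = FAILED_RE.match(msg)
        illegal = ILLEGAL_RE.match(msg)
        acc = ACCEPTED_RE.match(msg)
        if failed or illegal:
            hit = failed or illegal
            ip, private = normalize_ip(hit.group("ip"))
            users_tried[ip].add(hit.group("user"))
            records_per_second[ts] += 1
            if failed:
                failures[ip] += 1
            if not private:
                external.add(ip)
        elif acc:
            ip, _ = normalize_ip(acc.group("ip"))
            accepted.append((m.group("ts"), acc.group("method"), acc.group("user"), ip, failures[ip]))
    return {
        "failures_by_ip": dict(failures),
        "users_tried_by_ip": {ip: sorted(names) for ip, names in users_tried.items()},
        "peak_records_per_second": max(records_per_second.values(), default=0),
        "external_sources": sorted(external),
        "accepted_logins": accepted,
        "root_password_logins": sum(1 for _, method, user, _, _ in accepted
                                    if user == "root" and method == "password"),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in sorted(report["failures_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:>16} {n:4d} failed password(s); accounts tried: "
              f"{', '.join(report['users_tried_by_ip'][ip])}")
    print("peak attack records in one second:", report["peak_records_per_second"])
    print("external sources:", ", ".join(report["external_sources"]))
    for ts, method, user, ip, prior in report["accepted_logins"]:
        print(f"{ts}: accepted {method} for {user} from {ip} "
              f"after {prior} earlier failure(s) from that address")
```

Run against the two logs printed in the statement, the same pass would put every pre-adjustment source in `external_sources` and leave it empty for the post-adjustment log, which is the check behind the sentence "not a single illegal attack record has been found". The `accepted_logins` list is the part worth keeping afterwards: in the post-adjustment log it would show root authenticating by password from the internal addresses 10.18.60.2 and 10.18.2.5, including the two failed root attempts from 10.18.2.5 at 13:56 before the accepted login, so a burst of failures from an internal address followed by a success is still visible even though port 22 can no longer be reached from outside.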