AskOverflow.Dev
Home / server / Questions / 824100
Accepted
M. Ozn
Asked: 2017-01-05 05:58:20 +0800 CST

Someone is trying to break into my server

  • 772

I have a Linux machine running as a test server. My box redirects my ports, such as 80, directly to this machine. I created it to practise all sorts of things (RAID, TCP ...).

Recently I tried to connect to my machine over VNC and got the error "Too many authentication failures", so I checked the logs and got a nasty surprise: someone is trying to brute-force their way into my machine via VNC. Here is a short excerpt of that log:

04/01/17 13:53:56 Got connection from client 111.73.46.90
04/01/17 13:53:56 Using protocol version 3.3
04/01/17 13:53:56 Too many authentication failures - client rejected
04/01/17 13:53:56 Client 111.73.46.90 gone
04/01/17 13:53:56 Statistics:
04/01/17 13:53:56   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:53:57 Got connection from client 111.73.46.90
04/01/17 13:53:57 Using protocol version 3.3
04/01/17 13:53:57 Too many authentication failures - client rejected
04/01/17 13:53:57 Client 111.73.46.90 gone
04/01/17 13:53:57 Statistics:
04/01/17 13:53:57   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:54:26 Got connection from client 111.73.46.90
04/01/17 13:54:26 Using protocol version 3.3
04/01/17 13:54:26 Too many authentication failures - client rejected
04/01/17 13:54:26 Client 111.73.46.90 gone
04/01/17 13:54:26 Statistics:
04/01/17 13:54:26   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:07 Got connection from client 111.73.46.90
04/01/17 13:56:07 Using protocol version 3.3
04/01/17 13:56:07 Too many authentication failures - client rejected
04/01/17 13:56:07 Client 111.73.46.90 gone
04/01/17 13:56:07 Statistics:
04/01/17 13:56:07   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:08 Got connection from client 111.73.46.90
04/01/17 13:56:08 Using protocol version 3.3
04/01/17 13:56:08 Too many authentication failures - client rejected
04/01/17 13:56:08 Client 111.73.46.90 gone
04/01/17 13:56:08 Statistics:
04/01/17 13:56:08   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:43 Got connection from client 111.73.46.90
04/01/17 13:56:43 Using protocol version 3.3
04/01/17 13:56:43 Too many authentication failures - client rejected
04/01/17 13:56:43 Client 111.73.46.90 gone
04/01/17 13:56:43 Statistics:
04/01/17 13:56:43   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:57:52 Got connection from client 111.73.46.90
04/01/17 13:57:54 Using protocol version 3.3
04/01/17 13:57:54 Too many authentication failures - client rejected
04/01/17 13:57:54 Client 111.73.46.90 gone
04/01/17 13:57:54 Statistics:
04/01/17 13:57:54   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:59:22 Got connection from client 111.73.46.90
04/01/17 13:59:22 Using protocol version 3.3
04/01/17 13:59:22 Too many authentication failures - client rejected
04/01/17 13:59:22 Client 111.73.46.90 gone
04/01/17 13:59:22 Statistics:
04/01/17 13:59:22   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:01:20 Got connection from client 111.73.46.90
04/01/17 14:01:21 Using protocol version 3.3
04/01/17 14:01:21 Too many authentication failures - client rejected
04/01/17 14:01:21 Client 111.73.46.90 gone
04/01/17 14:01:21 Statistics:
04/01/17 14:01:21   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:03:48 Got connection from client 111.73.46.90
04/01/17 14:03:49 Using protocol version 3.3
04/01/17 14:03:49 Too many authentication failures - client rejected
04/01/17 14:03:49 Client 111.73.46.90 gone
04/01/17 14:03:49 Statistics:
04/01/17 14:03:49   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:06:51 Got connection from client 111.73.46.90
04/01/17 14:06:51 Using protocol version 3.3
04/01/17 14:06:51 Too many authentication failures - client rejected
04/01/17 14:06:51 Client 111.73.46.90 gone
04/01/17 14:06:51 Statistics:
04/01/17 14:06:51   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:10:18 Got connection from client 111.73.46.90
04/01/17 14:10:20 Using protocol version 3.3
04/01/17 14:10:20 Too many authentication failures - client rejected
04/01/17 14:10:20 Client 111.73.46.90 gone
04/01/17 14:10:20 Statistics:
04/01/17 14:10:20   framebuffer updates 0, rectangles 0, bytes 0

It was the same on 29/12/16, but I don't think the log file is kept any further back.

I also checked SSH, and I have the same thing there:

Jan  3 15:18:00 raspberrypi sshd[24434]: Invalid user alan from 193.248.133.13
Jan  3 16:14:38 raspberrypi sshd[24797]: Invalid user vnc from 46.105.137.2
Jan  3 16:36:33 raspberrypi sshd[24951]: Invalid user user from 107.151.213.61
Jan  3 16:36:46 raspberrypi sshd[24956]: Invalid user user from 107.151.213.61
Jan  3 16:37:01 raspberrypi sshd[24965]: Invalid user admin from 107.151.213.61
Jan  3 16:37:18 raspberrypi sshd[24977]: Invalid user admin from 107.151.213.61
Jan  3 17:00:57 raspberrypi sshd[25128]: Invalid user admin from 182.37.8.7
Jan  3 17:07:48 raspberrypi sshd[25182]: Invalid user admin from 122.191.248.96
Jan  3 17:44:38 raspberrypi sshd[25546]: Invalid user admin from 51.15.59.6
Jan  3 17:44:58 raspberrypi sshd[25584]: Invalid user admin from 51.15.59.6
Jan  3 17:45:01 raspberrypi sshd[25588]: Invalid user guest from 51.15.59.6
Jan  3 17:45:02 raspberrypi sshd[25595]: Invalid user guest from 51.15.59.6
Jan  3 17:45:04 raspberrypi sshd[25599]: Invalid user support from 51.15.59.6
Jan  3 17:45:07 raspberrypi sshd[25603]: Invalid user user from 51.15.59.6
Jan  3 17:45:09 raspberrypi sshd[25607]: Invalid user admin from 51.15.59.6
Jan  3 17:45:16 raspberrypi sshd[25621]: Invalid user admin from 51.15.59.6
Jan  3 17:45:19 raspberrypi sshd[25625]: Invalid user test from 51.15.59.6
Jan  3 17:45:20 raspberrypi sshd[25629]: Invalid user vagrant from 51.15.59.6
Jan  3 17:45:25 raspberrypi sshd[25637]: Invalid user ubnt from 51.15.59.6
Jan  3 17:45:26 raspberrypi sshd[25641]: Invalid user guest from 51.15.59.6
Jan  3 17:45:29 raspberrypi sshd[25645]: Invalid user telnet from 51.15.59.6
Jan  3 17:50:33 raspberrypi sshd[25678]: Invalid user demo from 46.105.137.2
Jan  3 18:06:34 raspberrypi sshd[25853]: Invalid user ubnt from 67.204.49.5
Jan  3 19:10:52 raspberrypi sshd[26321]: Invalid user hello from 193.248.133.13
Jan  3 19:26:44 raspberrypi sshd[26435]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:03:17 raspberrypi sshd[27099]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:18:59 raspberrypi sshd[27236]: Invalid user ubnt from 163.172.233.70
Jan  3 21:19:15 raspberrypi sshd[27244]: Invalid user cusadmin from 163.172.233.70
Jan  3 21:19:38 raspberrypi sshd[27258]: Invalid user ts3 from 163.172.233.70
Jan  3 21:19:45 raspberrypi sshd[27262]: Invalid user tf2 from 163.172.233.70
Jan  3 21:19:53 raspberrypi sshd[27268]: Invalid user css from 163.172.233.70
Jan  3 21:20:00 raspberrypi sshd[27276]: Invalid user gmod from 163.172.233.70
Jan  3 21:20:08 raspberrypi sshd[27283]: Invalid user lgsm from 163.172.233.70
Jan  3 21:20:16 raspberrypi sshd[27287]: Invalid user starbound from 163.172.233.70
Jan  3 22:16:37 raspberrypi sshd[27663]: Invalid user admin from 123.31.34.216
Jan  3 22:16:42 raspberrypi sshd[27667]: Invalid user support from 123.31.34.216
Jan  3 22:40:04 raspberrypi sshd[27858]: Invalid user ubuntu from 46.105.137.2
Jan  3 22:41:51 raspberrypi sshd[27878]: Invalid user usuario from 219.140.230.198
Jan  3 23:15:37 raspberrypi sshd[28149]: Invalid user admin from 205.185.192.157
Jan  3 23:30:59 raspberrypi sshd[28279]: Invalid user admin from 179.233.94.73
Jan  4 00:16:13 raspberrypi sshd[28690]: Invalid user ubuntu from 46.105.137.2
Jan  4 01:50:24 raspberrypi sshd[29339]: Invalid user support from 193.248.133.13
Jan  4 01:52:23 raspberrypi sshd[29360]: Invalid user ubuntu from 46.105.137.2
Jan  4 02:05:31 raspberrypi sshd[29461]: Invalid user a from 213.229.108.216
Jan  4 02:05:40 raspberrypi sshd[29465]: Invalid user oracle from 213.229.108.216
Jan  4 02:30:18 raspberrypi sshd[29638]: Invalid user admin from 185.110.132.202
Jan  4 02:30:55 raspberrypi sshd[29647]: Invalid user tomcat7 from 193.248.133.13
Jan  4 02:42:14 raspberrypi sshd[29726]: Invalid user support from 185.110.132.202
Jan  4 02:48:08 raspberrypi sshd[29771]: Invalid user user from 185.110.132.202
Jan  4 02:53:58 raspberrypi sshd[29814]: Invalid user test from 185.110.132.202
Jan  4 02:59:49 raspberrypi sshd[29863]: Invalid user guest from 185.110.132.202
Jan  4 03:05:49 raspberrypi sshd[29911]: Invalid user anonymous from 185.110.132.202
Jan  4 03:11:35 raspberrypi sshd[29950]: Invalid user reception from 193.248.133.13
Jan  4 03:11:42 raspberrypi sshd[29956]: Invalid user ubnt from 185.110.132.202
Jan  4 03:17:38 raspberrypi sshd[29998]: Invalid user dlink from 185.110.132.202
Jan  4 03:23:25 raspberrypi sshd[30065]: Invalid user admin from 185.110.132.202
Jan  4 03:29:11 raspberrypi sshd[30146]: Invalid user ubuntu from 46.105.137.2
Jan  4 03:29:12 raspberrypi sshd[30150]: Invalid user admin from 185.110.132.202
Jan  4 04:42:36 raspberrypi sshd[30965]: Invalid user admin from 37.78.244.206
Jan  4 05:00:29 raspberrypi sshd[31105]: Invalid user admin from 8.26.21.218
Jan  4 05:00:31 raspberrypi sshd[31109]: Invalid user admin from 8.26.21.218
Jan  4 05:00:34 raspberrypi sshd[31113]: Invalid user test from 8.26.21.218
Jan  4 05:00:37 raspberrypi sshd[31117]: Invalid user guest from 8.26.21.218
Jan  4 05:00:40 raspberrypi sshd[31121]: Invalid user user from 8.26.21.218
Jan  4 05:00:43 raspberrypi sshd[31126]: Invalid user admin from 8.26.21.218
Jan  4 05:00:46 raspberrypi sshd[31130]: Invalid user admin from 8.26.21.218
Jan  4 05:00:52 raspberrypi sshd[31138]: Invalid user ubnt from 8.26.21.218
Jan  4 05:05:30 raspberrypi sshd[31173]: Invalid user ubuntu from 46.105.137.2
Jan  4 05:37:33 raspberrypi sshd[31404]: Invalid user admin from 122.189.192.75
Jan  4 06:29:09 raspberrypi sshd[31863]: Invalid user admin from 193.248.133.13
Jan  4 06:42:03 raspberrypi sshd[31957]: Invalid user ubuntu from 46.105.137.2
Jan  4 07:38:42 raspberrypi sshd[32641]: Invalid user admin from 175.20.94.253
Jan  4 09:17:42 raspberrypi sshd[1875]: Invalid user festival from 202.100.245.12
Jan  4 09:51:57 raspberrypi sshd[2482]: Invalid user admin from 95.30.228.51
Jan  4 09:51:58 raspberrypi sshd[2486]: Invalid user admin from 95.30.228.51
Jan  4 09:55:53 raspberrypi sshd[2562]: Invalid user ubuntu from 46.105.137.2
Jan  4 09:59:22 raspberrypi sshd[2652]: Invalid user ts from 70.35.196.91
Jan  4 10:44:10 raspberrypi sshd[3576]: Invalid user hadoop from 70.35.196.91
Jan  4 10:46:54 raspberrypi sshd[3646]: Invalid user admin from 95.215.60.223
Jan  4 10:46:57 raspberrypi sshd[3654]: Invalid user test from 95.215.60.223
Jan  4 10:47:00 raspberrypi sshd[3658]: Invalid user guest from 95.215.60.223
Jan  4 10:47:02 raspberrypi sshd[3662]: Invalid user user from 95.215.60.223
Jan  4 10:47:05 raspberrypi sshd[3667]: Invalid user admin from 95.215.60.223
Jan  4 10:47:08 raspberrypi sshd[3671]: Invalid user admin from 95.215.60.223
Jan  4 11:28:28 raspberrypi sshd[4525]: Invalid user username from 70.35.196.91
Jan  4 11:32:48 raspberrypi sshd[4605]: Invalid user ubuntu from 46.105.137.2
Jan  4 11:43:17 raspberrypi sshd[4794]: Invalid user xbian from 193.248.133.13
Jan  4 13:09:55 raspberrypi sshd[6034]: Invalid user ubuntu from 46.105.137.2
Jan  4 13:14:49 raspberrypi sshd[6061]: Invalid user admin from 115.239.230.222
Jan  4 13:14:58 raspberrypi sshd[6070]: Invalid user admin from 115.239.230.222
Jan  4 14:09:44 raspberrypi sshd[6937]: Invalid user admin from 218.108.215.128

I checked the IP locations with a website (not sure whether I can trust the results?) and they come from the US and China. I think he is using a VPN.

What can I do? I have just shut down my machine, but I am looking for a better solution... Can I find out who it is? Can I file a complaint? Or even just block him from trying to break into me?

Thanks for your answers.

linux security hacking brute-force-attacks
  • 2 answers
  • 998 Views

2 Answers
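The two log excerpts above are exactly the input a first triage should run over: which sources are hammering the box, which names they guess, and, most importantly, whether any of them ever got in. The script below is an added example and is not code from the question or its answers. It assumes the VNC server log shape shown above ("Got connection from client <ip>" followed by "Too many authentication failures - client rejected", which carries no address of its own) and the syslog-style sshd "Invalid user" lines, plus sshd's standard success line "Accepted <method> for <user> from <ip>". The sample lines are constructed with documentation address ranges, not copied from a real server, and the flagging rule mirrors fail2ban's maxretry/findtime logic.

```python
"""Triage brute-force noise from VNC and sshd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Line shapes assumed from the question's excerpts plus sshd's success line.
VNC_CONNECT = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Got connection from client (\S+)$")
VNC_REJECT = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Too many authentication failures")
SSHD_INVALID = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)")
SSHD_ACCEPT = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")

SAMPLE_LINES = [  # constructed sample input (documentation address ranges)
    "04/01/17 13:53:56 Got connection from client 203.0.113.5",
    "04/01/17 13:53:56 Using protocol version 3.3",
    "04/01/17 13:53:56 Too many authentication failures - client rejected",
    "04/01/17 13:53:56 Client 203.0.113.5 gone",
    "04/01/17 13:53:57 Got connection from client 203.0.113.5",
    "04/01/17 13:53:57 Too many authentication failures - client rejected",
    "04/01/17 13:54:26 Got connection from client 203.0.113.5",
    "04/01/17 13:54:26 Too many authentication failures - client rejected",
    "Jan  4 05:00:29 raspberrypi sshd[31105]: Invalid user admin from 198.51.100.7",
    "Jan  4 05:00:31 raspberrypi sshd[31109]: Invalid user admin from 198.51.100.7",
    "Jan  4 05:00:34 raspberrypi sshd[31113]: Invalid user test from 198.51.100.7",
    "Jan  4 05:00:37 raspberrypi sshd[31117]: Invalid user guest from 198.51.100.7",
    "Jan  4 05:00:40 raspberrypi sshd[31121]: Invalid user user from 198.51.100.7",
    "Jan  4 09:17:42 raspberrypi sshd[1875]: Invalid user festival from 192.0.2.9",
    "Jan  4 09:30:00 raspberrypi sshd[1900]: Accepted publickey for pi from 192.0.2.44 port 52222 ssh2",
]


def parse_events(lines, syslog_year=2017):
    """Return (time, service, ip, user, outcome) tuples.

    The VNC rejection line carries no address, so it is attributed to the most
    recent "Got connection" line. That is fine for a single-user test box; with
    many concurrent clients the attribution would be unreliable. Syslog lines
    have no year, so the caller supplies one.
    """
    events = []
    last_vnc_client = None
    for line in lines:
        line = line.rstrip("\n")
        m = VNC_CONNECT.match(line)
        if m:
            last_vnc_client = m.group(2)
            continue
        m = VNC_REJECT.match(line)
        if m and last_vnc_client:
            ts = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
            events.append((ts, "vnc", last_vnc_client, None, "fail"))
            continue
        m = SSHD_INVALID.match(line)
        if m:
            ts = datetime.strptime(f"{syslog_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, "ssh", m.group(3), m.group(2), "fail"))
            continue
        m = SSHD_ACCEPT.match(line)
        if m:
            ts = datetime.strptime(f"{syslog_year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, "ssh", m.group(4), m.group(3), "success"))
    return events


def brute_force_sources(events, maxretry=5, findtime_s=600):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any
    window of findtime_s seconds (fail2ban's defaults are 5 and 10 minutes)."""
    fails = defaultdict(list)
    for ts, _svc, ip, _user, outcome in events:
        if outcome == "fail":
            fails[ip].append(ts)
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s:
                flagged[ip] = {"failures": len(times),
                               "first": times[0].isoformat(), "last": times[-1].isoformat()}
                break
    return flagged


def usernames_tried(events, ip):
    """Names a source guessed (the generic admin/test/guest pattern)."""
    return sorted({u for _ts, _svc, src, u, out in events if src == ip and out == "fail" and u})


def logins_to_review(events, flagged):
    """Every successful login; one from a flagged source is the 'panic' case."""
    return [(ts.isoformat(), user, ip, ip in flagged)
            for ts, _svc, ip, user, out in events if out == "success"]


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LINES)
    bad = brute_force_sources(ev, maxretry=3)
    for ip, info in bad.items():
        print(f"{ip}: {info['failures']} failures, names tried: {usernames_tried(ev, ip)}")
    for when, user, ip, from_attacker in logins_to_review(ev, bad):
        print(f"login {user}@{ip} at {when}" + ("  <-- from a brute-force source" if from_attacker else ""))
```

On a real box, feed it the VNC log and /var/log/auth.log (or the journal) instead of SAMPLE_LINES; the list returned by logins_to_review is the one thing worth reading line by line, because a success from a flagged source changes the situation from noise to incident.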

  1. Best Answer
    mzhaase
    2017-01-05T06:30:44+08:00

    First of all, do not panic. Check whether any actual logins happened.

    If so, panic.

    If not, everything is still fine. There are many machines out there trying common user/password combinations and security holes on every machine they can find, in order to steal data or make botnets bigger.

    So the login attempts themselves are not surprising; they are just something you have to deal with. So how can you actually make your machine more secure?

    Follow best practices for hardening software

    These differ from software to software. For SSH, the most common ones are:

    • Disable root login
    • Disable keyboard authentication

    Every script tries to log in with usernames such as root, user, guest, backup, monitoring, nagios, icinga, veeam and so on. There are lists of common names out there, and the scripts simply iterate through them. A Google search shows this, for example. Use a username that is not on such a list, e.g. your real name.

    Logging in with SSH keys only also makes brute-forcing the password practically impossible.

    Only expose necessary services to the internet

    A service that cannot be reached from the internet cannot be attacked from the internet. If you have a database server on your machine but only need it internally, there is no reason to expose the port to the outside. If other machines need to reach it over the internet, explicitly allow those IPs. In fact, you should drop all traffic by default and only open the ports that are specifically needed, e.g. 80 or 22.

    See here for an iptables configuration example: Does using ACCEPT then DROP for a specific port/IP pair allow that IP but nothing else on that port?

    Implement rate limiting

    Especially on services you can log in to, you should install some form of rate limiting. Once a certain number of unsuccessful login attempts has occurred, the IP should be blocked. The most common software for this on Linux is probably fail2ban. It has presets for all kinds of software that you can simply activate and then rest easy.

    Change default ports

    This is usually not considered best practice, mainly because it requires communicating to the rest of the organisation that SSH is now on port 56298 instead of the well-known 22. Open ports can also be detected by port scanning. However, automated login attempts on port 22 are far more frequent than port scans. If you do this, the simplest attack scripts will just fail. It does not help against a dedicated attacker.

    • 5
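The hardening bullets in this answer (no root login, no password/keyboard authentication, keys only) are easy to state and easy to get subtly wrong in sshd_config, because sshd keeps the first value it sees for a keyword and anything after a Match line is conditional. The audit script below is an added example, not the answer's own code; it checks a config text against those bullets as sshd would actually apply it. The OpenSSH semantics it relies on (case-insensitive keywords, first value wins, Match section is conditional) hold for real sshd, the DEFAULTS table is the OpenSSH 7.x default for each keyword checked, and both config texts are constructed for this example.

```python
"""Audit sshd_config for the hardening points in the accepted answer (added example)."""

# Values sshd assumes when a keyword is absent (OpenSSH 7.x), lower-cased.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# (keyword, acceptable values, advice). "prohibit-password" is accepted for
# PermitRootLogin because it already rules out the guessed-password path.
CHECKS = [
    ("permitrootlogin", {"no", "prohibit-password", "without-password"},
     "root can log in with a password; set PermitRootLogin no"),
    ("passwordauthentication", {"no"},
     "password logins are enabled; set PasswordAuthentication no and use keys"),
    ("challengeresponseauthentication", {"no"},
     "keyboard-interactive password prompts are still possible; set it to no"),
    ("pubkeyauthentication", {"yes"},
     "public-key login is disabled; set PubkeyAuthentication yes"),
]

WEAK_CONFIG = """\
# constructed: a typical default plus a 'fix' that sshd will ignore
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # no effect: sshd keeps the first value it saw
Match User backup
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# constructed: the settings the accepted answer recommends
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""


def effective_settings(config_text):
    """Global-scope settings as sshd applies them: first value wins, defaults
    fill the gaps, and everything from the first Match line on is skipped."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                    # "Keyword=value" form is also legal
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        if key == "match":
            break                              # conditional block: out of scope here
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)            # later duplicates are ignored by sshd
    merged = dict(DEFAULTS)
    merged.update(seen)
    return merged


def audit(config_text):
    """Return (keyword, effective value, advice) for each failed check."""
    eff = effective_settings(config_text)
    return [(key, eff[key], advice) for key, ok_values, advice in CHECKS
            if eff[key] not in ok_values]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, value, advice in findings:
            print(f"  {key}={value!r}: {advice}")
```

Run it against the text of /etc/ssh/sshd_config on the box; note that the weak sample's second PermitRootLogin line is reported as having no effect, which is the mistake this kind of audit exists to catch. Whatever the file says, `sshd -T` prints the effective configuration and is the authoritative cross-check.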
  2. user393380
    2017-01-05T06:10:35+08:00

    It looks like harmless automated software. If the IP never changes, you can use iptables in front of your server, or use an IPS/IDS. In addition, you can use this trick against such scripts/software: change your default service port. I don't think there is anything more to it.

    • -2
