问题[brute-force-attacks](server)

我有一个 PBX（VOIP 服务器），可以连接电话以拨打电话。我使用的 pbx 是Asterisk。该服务器未被使用，它的唯一目的是分析攻击。

PBX 服务并不重要，如果我有不同的服务，例如 mongodb，我相信互联网上的机器人会搜索漏洞来攻击该数据库。

无论如何，我正在分析所有到达我服务器的 UDP 端口 5060（asterisk 监听的端口）的数据包，到达的数据包如下所示：

IP (tos 0x0, ttl 113, id 654, offset 0, flags [none], proto UDP (17), length 521)
    43.249.129.89.58255 > 171.21.78.225.5060: SIP, length: 493
        REGISTER sip:54.84.215.2:5060 SIP/2.0
        To: <sip:[email protected]>
        From: <sip:[email protected]>;tag=824e5f4a7221279e4f7a
        Via: SIP/2.0/UDP 10.4.1.117:58255;branch=z9hG4bK183d5a24-59ec-4f05-8325-747389112824;rport
        Call-ID: e5f4a722128024e4f7a824
        CSeq: 1 REGISTER
        Contact: <sip:[email protected]:58255>
        Expires: 3600
        Max-Forwards: 70
        Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
        User-Agent: PolycomSoundPointIP SPIP_550 UA 3.3.2.0413
        Content-Length: 0

该数据包来自机器人，因为我没有向我的服务器发送任何数据包。

请注意，该服务器的唯一目的是了解机器人如何工作并查看它们如何攻击我的服务器。我没有使用那个 PBX；因此，任何到达该服务器的请求都必须来自恶意机器人。每次我收到发送到端口 5060 的 UDP 数据包时，我都会阻止该 IP 地址。

现在我的问题是：

我已经运行该服务器一个月了，而且每隔一分钟左右我仍然会受到攻击。我已经屏蔽了超过 15,000 个 IP！互联网上有多少机器人？他们是否在更改源 IP 地址，这就是他们不断访问我的服务器的原因？如果他们能够更改源 IP，是因为我使用的是 UDP 协议吗？我应该使用 TCP 而不是 UDP 来解决这个问题吗？

同样有趣的是，来自不同 ip 的攻击如此相似。例如，他们使用与电话相同的用户代理，而攻击来自不同的 ip。就好像所有的机器人都有相同的代码。

一旦我解决了这个问题并了解了机器人的工作原理，我想在我的真实服务器上实施该解决方案。我没有为此使用真正的服务器，因为从坏数据包中过滤好数据包会很困难。一种解决方案是在我的防火墙上使用 ips 白名单，但我不希望我的用户必须进行一些额外形式的身份验证，特别是如果他们使用手机的服务，其 ip 地址可能会发生很大变化。

我有一台服务器自 1 月以来一直被报告为攻击者，今天我终于找到了有关这些攻击的一些信息，但是我服务器上的日志都没有显示任何类似的东西。结果，该 IP 在许多黑名单中被禁止，并给我的 postfix 用户带来了很大的问题。

从攻击日志中可以看出，这些都是通过浏览器和 Windows NT 进行的，但是我的服务器是 Debian 9，这里有一些例子，62.XXX 是我的 IP（敏感信息已删除）

62.X.X.X - - [01/Mar/2021:14:25:28 +0000] 80 "GET /wp-login.php HTTP/1.1" 403 794 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

xmlrpc attack

WP-xmlrpc exploit

Mar 1 06:52:53 h2880623 wordpress(www.zzzzz.zz)[6547]: XML-RPC authentication attempt for unknown user [login] from 62.X.X.X

uvcm 62.X.X.X [27/Feb/2021:19:47:01 "-" "POST /wp-login.php 200 1946
62.X.X.X [28/Feb/2021:12:01:03 "-" "GET /wp-login.php 200 5753
62.X.X.X [28/Feb/2021:12:01:05 "-" "POST /wp-login.php 200 5872

62.X.X.X - - [27/Feb/2021:19:09:53 +0100] "POST /wp-login.php HTTP/1.1" 200 2661 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:09:54 +0100] "POST /wp-login.php HTTP/1.1" 200 2637 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"
62.X.X.X - - [27/Feb/2021:19:10:00 +0100] "POST /wp-login.php HTTP/1.1" 200 2636 "-" "Mozilla/5.0(Windows NT 6.3; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"

etc.. etc..

有人可以欺骗我的 IP 来执行这些攻击吗？我可以做些什么来减轻它吗？

编辑：我很久以前就读过这篇文章如何处理受损的服务器？，并仔细遵循它，但即使遵循了这些建议，我的服务器也受到了损害，或者还有其他事情超出了我的范围。

看来我正在尝试来自未知来源的 FTP 连接。SYN_RECEIVED 状态几乎总是显示。

网络统计输出

        C:\Users\Administrator>netstat -aon | findstr "1596"
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1596
  TCP    198.XXX.XX.XX:21       121.254.204.3:21       SYN_RECEIVED    1596
  TCP    [::]:21                [::]:0                 LISTENING       1596

我已经在“IIS - FTP IP 地址和域限制”中添加了我的远程 IP 地址，够了吗？我还能做些什么，比如防火墙上的传入规则？

谢谢。

今天，我的数据库服务器意外重启。查了一下，发现从12月初就收到了这个事件，Network Threat Protection Event。这是活动

Object detected.

 Object name: 64.76.157.3:51747 (different IP every time).
 Object type: N/A.
 Severity level: high.
 Certainty level: complete signature match.
 Detected object type: network attack.
 Detected: Bruteforce.Generic.Rdp.d.
 Task name: Network Threat Protection.
 User name: N/A.
 Computer name: DB01.
 Process: 192.168.0.11:3389.
 PID: 6.

该服务器是 5 个服务器的一部分，它们具有相同的公共 IP，每个服务器都有不同的端口，所有服务器都收到了事件。所以，我的问题是：攻击者是否必须知道公共 IP 才能进行攻击？我怎样才能知道攻击的来源？另外，由于我没有防火墙设备，我是否需要放置防火墙设备。
活动图片

在看似人为的勒索软件攻击之后，我正在分析系统。这是一个 Windows Server 2016，我创建了通常的管理员帐户。现在我看到在攻击过程中，C:\Users 文件夹下出现了一个新的“Administrador.WIN-RSDLE3HIAER”帐户。旧的普通管理员仍然存在，但似乎所有文件现在都在新创建的帐户下（下载、收藏夹、桌面等......仍在原始帐户中，但为空）。就像个人资料已移至新帐户一样。

我的问题是，在寻找学习的过程中，为什么要这样做，为什么要创建一个新帐户？这是对攻击者的某种自我保护吗？为什么我所有的原创内容现在都在新创建的帐户下？我仍然可以在登录页面下输入“管理员”并访问我的个人资料，所以这就是为什么我无法理解新帐户/文件夹的性质，我是如何被重定向的......总之......这东西是如何工作的？

干杯

我的 netstat 显示超过 2,000 个 mysql 连接，其 TIME_WAIT 状态似乎被卡住并且不会消失。几个小时以来都是这样，许多连接来自一个对我的数据库服务器没有权限的 IP 地址。好像挂了，怎么清除？这是蛮力攻击吗？我所有的用户权限都有特定的主机，我不使用任何通配符。

这是netstat的片段：

tcp        0      0 server:mysql       static.98.17.76.1:45222 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:34341 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:51888 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:54459 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:49599 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:50751 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:50731 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:54658 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:58974 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:33800 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:59840 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:53495 TIME_WAIT  
tcp        0      0 server:mysql       static.98.17.76.1:51561 TIME_WAIT 

另外，我在 mysql 中的 PROCESSLIST 没有显示这些连接，所以我认为它们会立即被删除，但不确定为什么它们不会消失。这会导致 mysql 的最大连接数出现任何问题吗？

如果我从中修改后缀fail2ban规则是否明智：

failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .*$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
        ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[<HOST>\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
        ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[<HOST>\]: 550 5\.1\.1 .*$
        ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
        ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[<HOST>\]:?$

通过添加以下行：

  ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 550 5\.1\.1 .*$

因为我试图防止这样的攻击：

Jan 27 09:42:02 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unkn
own in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:42:03 host1 postfix/smtpd[3416]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown 
in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unk
nown in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>
Jan 27 09:55:32 host1 postfix/smtpd[4914]: NOQUEUE: reject: RCPT from unknown[109.107.106.180]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown
 in virtual alias table; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[109.107.106.180]>

我担心的是，它会丢弃无意的错误电子邮件，这些电子邮件应该被退回给意外错过电子邮件地址的用户。

你有什么建议？

我有一台 linux 机器作为测试服务器运行。我的盒子直接在这台机器上重定向我的端口，比如 80。我创建它来训练所有类型的东西（raid，tcp ...）。

最近我尝试在 VNC 中连接到我的机器，我得到一个错误“太多的身份验证失败”，所以我检查了日志，我得到了一个可怕的惊喜；有人试图通过 VNC 中的蛮力连接到我的机器。这是此日志的简短摘录：

04/01/17 13:53:56 Got connection from client 111.73.46.90
04/01/17 13:53:56 Using protocol version 3.3
04/01/17 13:53:56 Too many authentication failures - client rejected
04/01/17 13:53:56 Client 111.73.46.90 gone
04/01/17 13:53:56 Statistics:
04/01/17 13:53:56   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:53:57 Got connection from client 111.73.46.90
04/01/17 13:53:57 Using protocol version 3.3
04/01/17 13:53:57 Too many authentication failures - client rejected
04/01/17 13:53:57 Client 111.73.46.90 gone
04/01/17 13:53:57 Statistics:
04/01/17 13:53:57   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:54:26 Got connection from client 111.73.46.90
04/01/17 13:54:26 Using protocol version 3.3
04/01/17 13:54:26 Too many authentication failures - client rejected
04/01/17 13:54:26 Client 111.73.46.90 gone
04/01/17 13:54:26 Statistics:
04/01/17 13:54:26   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:07 Got connection from client 111.73.46.90
04/01/17 13:56:07 Using protocol version 3.3
04/01/17 13:56:07 Too many authentication failures - client rejected
04/01/17 13:56:07 Client 111.73.46.90 gone
04/01/17 13:56:07 Statistics:
04/01/17 13:56:07   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:08 Got connection from client 111.73.46.90
04/01/17 13:56:08 Using protocol version 3.3
04/01/17 13:56:08 Too many authentication failures - client rejected
04/01/17 13:56:08 Client 111.73.46.90 gone
04/01/17 13:56:08 Statistics:
04/01/17 13:56:08   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:56:43 Got connection from client 111.73.46.90
04/01/17 13:56:43 Using protocol version 3.3
04/01/17 13:56:43 Too many authentication failures - client rejected
04/01/17 13:56:43 Client 111.73.46.90 gone
04/01/17 13:56:43 Statistics:
04/01/17 13:56:43   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:57:52 Got connection from client 111.73.46.90
04/01/17 13:57:54 Using protocol version 3.3
04/01/17 13:57:54 Too many authentication failures - client rejected
04/01/17 13:57:54 Client 111.73.46.90 gone
04/01/17 13:57:54 Statistics:
04/01/17 13:57:54   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 13:59:22 Got connection from client 111.73.46.90
04/01/17 13:59:22 Using protocol version 3.3
04/01/17 13:59:22 Too many authentication failures - client rejected
04/01/17 13:59:22 Client 111.73.46.90 gone
04/01/17 13:59:22 Statistics:
04/01/17 13:59:22   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:01:20 Got connection from client 111.73.46.90
04/01/17 14:01:21 Using protocol version 3.3
04/01/17 14:01:21 Too many authentication failures - client rejected
04/01/17 14:01:21 Client 111.73.46.90 gone
04/01/17 14:01:21 Statistics:
04/01/17 14:01:21   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:03:48 Got connection from client 111.73.46.90
04/01/17 14:03:49 Using protocol version 3.3
04/01/17 14:03:49 Too many authentication failures - client rejected
04/01/17 14:03:49 Client 111.73.46.90 gone
04/01/17 14:03:49 Statistics:
04/01/17 14:03:49   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:06:51 Got connection from client 111.73.46.90
04/01/17 14:06:51 Using protocol version 3.3
04/01/17 14:06:51 Too many authentication failures - client rejected
04/01/17 14:06:51 Client 111.73.46.90 gone
04/01/17 14:06:51 Statistics:
04/01/17 14:06:51   framebuffer updates 0, rectangles 0, bytes 0

04/01/17 14:10:18 Got connection from client 111.73.46.90
04/01/17 14:10:20 Using protocol version 3.3
04/01/17 14:10:20 Too many authentication failures - client rejected
04/01/17 14:10:20 Client 111.73.46.90 gone
04/01/17 14:10:20 Statistics:
04/01/17 14:10:20   framebuffer updates 0, rectangles 0, bytes 0

就像 29/12/16 一样，但我认为日志文件不会进一步保存。

我还检查了 ssh，我也有同样的事情：

Jan  3 15:18:00 raspberrypi sshd[24434]: Invalid user alan from 193.248.133.13
Jan  3 16:14:38 raspberrypi sshd[24797]: Invalid user vnc from 46.105.137.2
Jan  3 16:36:33 raspberrypi sshd[24951]: Invalid user user from 107.151.213.61
Jan  3 16:36:46 raspberrypi sshd[24956]: Invalid user user from 107.151.213.61
Jan  3 16:37:01 raspberrypi sshd[24965]: Invalid user admin from 107.151.213.61
Jan  3 16:37:18 raspberrypi sshd[24977]: Invalid user admin from 107.151.213.61
Jan  3 17:00:57 raspberrypi sshd[25128]: Invalid user admin from 182.37.8.7
Jan  3 17:07:48 raspberrypi sshd[25182]: Invalid user admin from 122.191.248.96
Jan  3 17:44:38 raspberrypi sshd[25546]: Invalid user admin from 51.15.59.6
Jan  3 17:44:58 raspberrypi sshd[25584]: Invalid user admin from 51.15.59.6
Jan  3 17:45:01 raspberrypi sshd[25588]: Invalid user guest from 51.15.59.6
Jan  3 17:45:02 raspberrypi sshd[25595]: Invalid user guest from 51.15.59.6
Jan  3 17:45:04 raspberrypi sshd[25599]: Invalid user support from 51.15.59.6
Jan  3 17:45:07 raspberrypi sshd[25603]: Invalid user user from 51.15.59.6
Jan  3 17:45:09 raspberrypi sshd[25607]: Invalid user admin from 51.15.59.6
Jan  3 17:45:16 raspberrypi sshd[25621]: Invalid user admin from 51.15.59.6
Jan  3 17:45:19 raspberrypi sshd[25625]: Invalid user test from 51.15.59.6
Jan  3 17:45:20 raspberrypi sshd[25629]: Invalid user vagrant from 51.15.59.6
Jan  3 17:45:25 raspberrypi sshd[25637]: Invalid user ubnt from 51.15.59.6
Jan  3 17:45:26 raspberrypi sshd[25641]: Invalid user guest from 51.15.59.6
Jan  3 17:45:29 raspberrypi sshd[25645]: Invalid user telnet from 51.15.59.6
Jan  3 17:50:33 raspberrypi sshd[25678]: Invalid user demo from 46.105.137.2
Jan  3 18:06:34 raspberrypi sshd[25853]: Invalid user ubnt from 67.204.49.5
Jan  3 19:10:52 raspberrypi sshd[26321]: Invalid user hello from 193.248.133.13
Jan  3 19:26:44 raspberrypi sshd[26435]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:03:17 raspberrypi sshd[27099]: Invalid user ubuntu from 46.105.137.2
Jan  3 21:18:59 raspberrypi sshd[27236]: Invalid user ubnt from 163.172.233.70
Jan  3 21:19:15 raspberrypi sshd[27244]: Invalid user cusadmin from 163.172.233.70
Jan  3 21:19:38 raspberrypi sshd[27258]: Invalid user ts3 from 163.172.233.70
Jan  3 21:19:45 raspberrypi sshd[27262]: Invalid user tf2 from 163.172.233.70
Jan  3 21:19:53 raspberrypi sshd[27268]: Invalid user css from 163.172.233.70
Jan  3 21:20:00 raspberrypi sshd[27276]: Invalid user gmod from 163.172.233.70
Jan  3 21:20:08 raspberrypi sshd[27283]: Invalid user lgsm from 163.172.233.70
Jan  3 21:20:16 raspberrypi sshd[27287]: Invalid user starbound from 163.172.233.70
Jan  3 22:16:37 raspberrypi sshd[27663]: Invalid user admin from 123.31.34.216
Jan  3 22:16:42 raspberrypi sshd[27667]: Invalid user support from 123.31.34.216
Jan  3 22:40:04 raspberrypi sshd[27858]: Invalid user ubuntu from 46.105.137.2
Jan  3 22:41:51 raspberrypi sshd[27878]: Invalid user usuario from 219.140.230.198
Jan  3 23:15:37 raspberrypi sshd[28149]: Invalid user admin from 205.185.192.157
Jan  3 23:30:59 raspberrypi sshd[28279]: Invalid user admin from 179.233.94.73
Jan  4 00:16:13 raspberrypi sshd[28690]: Invalid user ubuntu from 46.105.137.2
Jan  4 01:50:24 raspberrypi sshd[29339]: Invalid user support from 193.248.133.13
Jan  4 01:52:23 raspberrypi sshd[29360]: Invalid user ubuntu from 46.105.137.2
Jan  4 02:05:31 raspberrypi sshd[29461]: Invalid user a from 213.229.108.216
Jan  4 02:05:40 raspberrypi sshd[29465]: Invalid user oracle from 213.229.108.216
Jan  4 02:30:18 raspberrypi sshd[29638]: Invalid user admin from 185.110.132.202
Jan  4 02:30:55 raspberrypi sshd[29647]: Invalid user tomcat7 from 193.248.133.13
Jan  4 02:42:14 raspberrypi sshd[29726]: Invalid user support from 185.110.132.202
Jan  4 02:48:08 raspberrypi sshd[29771]: Invalid user user from 185.110.132.202
Jan  4 02:53:58 raspberrypi sshd[29814]: Invalid user test from 185.110.132.202
Jan  4 02:59:49 raspberrypi sshd[29863]: Invalid user guest from 185.110.132.202
Jan  4 03:05:49 raspberrypi sshd[29911]: Invalid user anonymous from 185.110.132.202
Jan  4 03:11:35 raspberrypi sshd[29950]: Invalid user reception from 193.248.133.13
Jan  4 03:11:42 raspberrypi sshd[29956]: Invalid user ubnt from 185.110.132.202
Jan  4 03:17:38 raspberrypi sshd[29998]: Invalid user dlink from 185.110.132.202
Jan  4 03:23:25 raspberrypi sshd[30065]: Invalid user admin from 185.110.132.202
Jan  4 03:29:11 raspberrypi sshd[30146]: Invalid user ubuntu from 46.105.137.2
Jan  4 03:29:12 raspberrypi sshd[30150]: Invalid user admin from 185.110.132.202
Jan  4 04:42:36 raspberrypi sshd[30965]: Invalid user admin from 37.78.244.206
Jan  4 05:00:29 raspberrypi sshd[31105]: Invalid user admin from 8.26.21.218
Jan  4 05:00:31 raspberrypi sshd[31109]: Invalid user admin from 8.26.21.218
Jan  4 05:00:34 raspberrypi sshd[31113]: Invalid user test from 8.26.21.218
Jan  4 05:00:37 raspberrypi sshd[31117]: Invalid user guest from 8.26.21.218
Jan  4 05:00:40 raspberrypi sshd[31121]: Invalid user user from 8.26.21.218
Jan  4 05:00:43 raspberrypi sshd[31126]: Invalid user admin from 8.26.21.218
Jan  4 05:00:46 raspberrypi sshd[31130]: Invalid user admin from 8.26.21.218
Jan  4 05:00:52 raspberrypi sshd[31138]: Invalid user ubnt from 8.26.21.218
Jan  4 05:05:30 raspberrypi sshd[31173]: Invalid user ubuntu from 46.105.137.2
Jan  4 05:37:33 raspberrypi sshd[31404]: Invalid user admin from 122.189.192.75
Jan  4 06:29:09 raspberrypi sshd[31863]: Invalid user admin from 193.248.133.13
Jan  4 06:42:03 raspberrypi sshd[31957]: Invalid user ubuntu from 46.105.137.2
Jan  4 07:38:42 raspberrypi sshd[32641]: Invalid user admin from 175.20.94.253
Jan  4 09:17:42 raspberrypi sshd[1875]: Invalid user festival from 202.100.245.12
Jan  4 09:51:57 raspberrypi sshd[2482]: Invalid user admin from 95.30.228.51
Jan  4 09:51:58 raspberrypi sshd[2486]: Invalid user admin from 95.30.228.51
Jan  4 09:55:53 raspberrypi sshd[2562]: Invalid user ubuntu from 46.105.137.2
Jan  4 09:59:22 raspberrypi sshd[2652]: Invalid user ts from 70.35.196.91
Jan  4 10:44:10 raspberrypi sshd[3576]: Invalid user hadoop from 70.35.196.91
Jan  4 10:46:54 raspberrypi sshd[3646]: Invalid user admin from 95.215.60.223
Jan  4 10:46:57 raspberrypi sshd[3654]: Invalid user test from 95.215.60.223
Jan  4 10:47:00 raspberrypi sshd[3658]: Invalid user guest from 95.215.60.223
Jan  4 10:47:02 raspberrypi sshd[3662]: Invalid user user from 95.215.60.223
Jan  4 10:47:05 raspberrypi sshd[3667]: Invalid user admin from 95.215.60.223
Jan  4 10:47:08 raspberrypi sshd[3671]: Invalid user admin from 95.215.60.223
Jan  4 11:28:28 raspberrypi sshd[4525]: Invalid user username from 70.35.196.91
Jan  4 11:32:48 raspberrypi sshd[4605]: Invalid user ubuntu from 46.105.137.2
Jan  4 11:43:17 raspberrypi sshd[4794]: Invalid user xbian from 193.248.133.13
Jan  4 13:09:55 raspberrypi sshd[6034]: Invalid user ubuntu from 46.105.137.2
Jan  4 13:14:49 raspberrypi sshd[6061]: Invalid user admin from 115.239.230.222
Jan  4 13:14:58 raspberrypi sshd[6070]: Invalid user admin from 115.239.230.222
Jan  4 14:09:44 raspberrypi sshd[6937]: Invalid user admin from 218.108.215.128

我用一个站点检查了 ip 位置（不知道我是否可以相信结果？）它来自美国和中国。我认为他正在使用VPN。

我能做些什么 ？我刚刚关闭了我的机器，但我正在寻找更好的解决方案……我能知道是谁吗？我可以提出索赔吗？或者甚至只是阻止他试图入侵我？

感谢您的回答。

当我检查我的 nginx access.log 时，/wp-login.php 上每两分钟就有一次请求（GET 请求后跟 POST）。

然后我记录那些 POST 请求（将登录页面更改为空页面并将 POST 请求保存到文件）。该请求包含登录凭据、正确的用户名和错误的密码。即使响应是空页面（可能是脚本），这些请求也没有停止。

然后，我拒绝 nginx 配置上的 IP 地址。第二天，同样的情况发生在不同的 IP（但相同的国家）。

困扰我的是该客户如何知道我的管理员用户名？wordpress 网站是这样的吗？因为这是我第一次在真实服务器上编写 wordpress。

我一直在对高级策略防火墙 (APF) 和 Fail2Ban 进行大量研究。我有一个受到 SSH 暴力攻击的 VPS。我倾向于 APF，只允许我的几个 IP 通过。但是，我希望能够方便地使用我想要的任何 iP——这可以通过 Fail2Ban 实现。

由于 Fail2Ban 会扫描日志并写入 IP 表，有没有人体验过哪一个更能提高安全性和 VPS 性能以节省资源？我知道他们可以一起工作，但想选择一个。