Oracle Linux is running inside VirtualBox, and VirtualBox is running on Windows 11 Home.
I need help understanding:
Is it possible that there is a Linux or , since this is clearly a brute-force dictionary attack. But since the IPv6 problem appears to be a router issue, could the underlying system have been hacked?
How to mitigate this. What might the entry point be, or at least how to find the entry point. If there are backdoors, how to find them.
After installing Oracle Linux, I found that there were many failed attempts for the root user.
Log file path: /var/log/secure
The IP in question is: fe80::e20e:e4ff:fe26:d5a6
Nov 9 18:26:44 OracleLinux polkitd[1038]: Loading rules from directory /etc/polkit-1/rules.d
Nov 9 18:26:44 OracleLinux polkitd[1038]: Loading rules from directory /usr/share/polkit-1/rules.d
Nov 9 18:26:44 OracleLinux polkitd[1038]: Finished loading, compiling and executing 5 rules
Nov 9 18:26:44 OracleLinux polkitd[1038]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Nov 9 18:26:45 OracleLinux unix_chkpwd[1088]: password check failed for user (root)
Nov 9 18:26:45 OracleLinux sshd[1057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8 user=root
Nov 9 18:26:46 OracleLinux unix_chkpwd[1358]: password check failed for user (root)
Nov 9 18:26:46 OracleLinux sshd[1261]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1 user=root
Nov 9 18:26:47 OracleLinux sshd[1057]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 ssh2
Nov 9 18:27:46 OracleLinux sshd[1261]: Failed password for root from 192.168.29.1 port 43718 ssh2
Nov 9 18:27:47 OracleLinux sshd[1057]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545:11: SSH client disconnected [preauth]
Nov 9 18:27:47 OracleLinux sshd[1057]: Disconnected from authenticating user root fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 [preauth]
Nov 9 18:27:47 OracleLinux sshd[1579]: Invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547
Nov 9 18:27:47 OracleLinux sshd[1579]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:27:47 OracleLinux sshd[1579]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8
Nov 9 18:27:48 OracleLinux sshd[1261]: Received disconnect from 192.168.29.1 port 43718:11: SSH client disconnected [preauth]
Nov 9 18:27:48 OracleLinux sshd[1261]: Disconnected from authenticating user root 192.168.29.1 port 43718 [preauth]
Nov 9 18:27:48 OracleLinux sshd[1584]: Invalid user admin from 192.168.29.1 port 43720
Nov 9 18:27:48 OracleLinux sshd[1584]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:27:48 OracleLinux sshd[1584]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1
Nov 9 18:27:50 OracleLinux sshd[1579]: Failed password for invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 ssh2
Nov 9 18:27:51 OracleLinux systemd[1590]: pam_unix(systemd-user:session): session opened for user devoracleuser(uid=1000) by devoracleuser(uid=0)
Nov 9 18:27:51 OracleLinux sshd[1584]: Failed password for invalid user admin from 192.168.29.1 port 43720 ssh2
Nov 9 18:27:51 OracleLinux login[836]: pam_unix(login:session): session opened for user devoracleuser(uid=1000) by devoracleuser(uid=0)
Nov 9 18:27:51 OracleLinux login[836]: LOGIN ON tty1 BY devoracleuser
Nov 9 18:27:51 OracleLinux sshd[1584]: Received disconnect from 192.168.29.1 port 43720:11: SSH client disconnected [preauth]
Nov 9 18:27:51 OracleLinux sshd[1584]: Disconnected from invalid user admin 192.168.29.1 port 43720 [preauth]
Nov 9 18:27:51 OracleLinux unix_chkpwd[1630]: password check failed for user (root)
Nov 9 18:27:51 OracleLinux sshd[1628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1 user=root
Nov 9 18:27:53 OracleLinux sshd[1579]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547:11: SSH client disconnected [preauth]
Nov 9 18:27:53 OracleLinux sshd[1579]: Disconnected from invalid user admin fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 [preauth]
Nov 9 18:27:53 OracleLinux unix_chkpwd[1633]: password check failed for user (root)
Nov 9 18:27:53 OracleLinux sshd[1631]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fe80::e20e:e4ff:fe26:d5a6%enp0s8 user=root
Nov 9 18:27:54 OracleLinux sshd[1628]: Failed password for root from 192.168.29.1 port 43721 ssh2
Nov 9 18:27:55 OracleLinux sshd[1631]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550 ssh2
Nov 9 18:27:56 OracleLinux sshd[1628]: Received disconnect from 192.168.29.1 port 43721:11: SSH client disconnected [preauth]
Nov 9 18:27:56 OracleLinux sshd[1628]: Disconnected from authenticating user root 192.168.29.1 port 43721 [preauth]
Nov 9 18:27:57 OracleLinux sshd[1631]: Received disconnect from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550:11: SSH client disconnected [preauth]
Nov 9 18:27:57 OracleLinux sshd[1631]: Disconnected from authenticating user root fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45550 [preauth]
Nov 9 18:28:57 OracleLinux sshd[1639]: Invalid user 888888 from 192.168.29.1 port 43725
Nov 9 18:28:57 OracleLinux sshd[1639]: pam_unix(sshd:auth): check pass; user unknown
Nov 9 18:28:57 OracleLinux sshd[1639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.29.1
Nov 9 18:28:58 OracleLinux sshd[1641]: Invalid user 888888 from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45554
Could my system have been compromised?
This is most likely not an external intrusion, but the VirtualBox host trying to install its extensions into the guest VM. See https://www.virtualbox.org/manual/ch04.html or your local VirtualBox documentation. I haven't used VirtualBox in a long time, so I can't help in more detail.
Even on headless VMs, attempts at the simplest takeover methods commonly used by hackers are very common. Most first-time SSH users forget to secure root over SSH on whatever Linux distribution they run. Omitting PermitRootLogin from the configuration file does not mean it is set to no. The default is actually yes. It is best to put the option in and set it. See the sshd_config man page.
Disabling root login prevents hackers' penetration attempts. Judging by the logs, that is what is happening to the OP. By disabling root access we block the internet-wide attacks. To harden this further, look at AllowUsers in the man page. Check the logs over the next few days; the attacks should decrease. If not, the other kinds of attacks will no longer be hidden by the root login failures.
Additional information
After answering and giving some further thought to terdon's comment below, I decided to investigate:
Although these messages can now be considered harmless since we have found out what they are, I felt more log investigation was warranted because the requests were occurring fairly frequently. The next thing I would check is:
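As an added example (not from the question or either answer), a small Python triage script for the sshd message formats seen in /var/log/secure above: it counts failed passwords per source host, records which usernames were tried, and flags any accepted login from a host that also produced failures, which is the first thing to review when asking whether anything actually got in. The sample lines are a constructed mix of the page's entries and one invented "Accepted" line; the function names are my own.

```python
import re
from collections import defaultdict

# Message formats copied from the sshd lines in /var/log/secure above.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID_RE = re.compile(r"Invalid user (\S+) from (\S+) port \d+")
# Successful logins look like this in OpenSSH logs; no such line appears on the page.
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample: entries from the page plus one invented "Accepted" line.
SAMPLE_LOG = """\
Nov 9 18:26:47 OracleLinux sshd[1057]: Failed password for root from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45545 ssh2
Nov 9 18:27:46 OracleLinux sshd[1261]: Failed password for root from 192.168.29.1 port 43718 ssh2
Nov 9 18:27:47 OracleLinux sshd[1579]: Invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547
Nov 9 18:27:50 OracleLinux sshd[1579]: Failed password for invalid user admin from fe80::e20e:e4ff:fe26:d5a6%enp0s8 port 45547 ssh2
Nov 9 18:28:57 OracleLinux sshd[1639]: Invalid user 888888 from 192.168.29.1 port 43725
Nov 9 18:30:01 OracleLinux sshd[1700]: Accepted password for devoracleuser from 192.168.29.1 port 43730 ssh2
"""

def triage(lines):
    """Per source host: number of failed passwords, usernames tried, accepted logins."""
    hosts = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in lines:
        if m := FAILED_RE.search(line):
            user, host = m.groups()
            hosts[host]["failed"] += 1
            hosts[host]["users"].add(user)
        elif m := INVALID_RE.search(line):
            user, host = m.groups()
            hosts[host]["users"].add(user)
        elif m := ACCEPTED_RE.search(line):
            method, user, host = m.groups()
            hosts[host]["accepted"].append((method, user))
    return dict(hosts)

def suspicious_logins(summary):
    """Accepted logins from hosts that also produced failures: review these sessions first."""
    return [(host, user, method)
            for host, s in summary.items()
            for method, user in s["accepted"]
            if s["failed"] > 0]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for host, s in summary.items():
        print(f"{host}: {s['failed']} failed, users tried {sorted(s['users'])}")
    for host, user, method in suspicious_logins(summary):
        print(f"REVIEW: {user} accepted via {method} from {host} after earlier failures")
```

The host field keeps the `%enp0s8` zone suffix on purpose: for a link-local IPv6 source it tells you which interface the attempts arrived on, which is what distinguishes a host-only adapter from a NAT or bridged one.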