【Linux】sshの接続ポートをデフォルト(22番)のままにしてインターネットにさらすとどうなるか
sshの接続ポートはデフォルトTCP22番。
これは常識ですね。あまりに常識すぎて、デフォルトでインターネットに接続すると攻撃対象になりやすく危険とよく言われますが、本当でしょうか?
実は昨年10月にsshの接続ポートをデフォルトのままにしてサーバをインターネットに接続したところ、 実際に攻撃(というほど大げさではないですが)を受けたことがありました。
主な経緯は次の通りです。
2010年10月21日(木) Linuxサーバのセットアップ開始
2010年10月22日(金) セットアップが終わらないので家で続きをやろうと、
サーバをインターネットからssh接続可能にして帰宅(ssh接続ポートは22番)
2010年10月23日(土) (夜中にブラジルから攻撃)
朝、ログを見て攻撃に気付く
→ ssh接続ポート変更(とりあえず)
→ 以後、攻撃は無し
btmpファイルを見ると攻撃の様子がわかります。
(見やすいように表示を調整してあります)
【bamtファイル】 root :0 Thu Oct 21 18:31 - 18:31 (00:00) root :0 Fri Oct 22 11:07 - 11:07 (00:00) root ssh:notty Fri Oct 22 15:45 - 15:45 (00:00) 192.168.1.30 root ssh:notty Fri Oct 22 15:45 - 15:45 (00:00) 192.168.1.30 test01 ssh:notty Fri Oct 22 16:12 - 16:12 (00:00) *************.co.jp root ssh:notty Fri Oct 22 16:15 - 16:15 (00:00) *************.co.jp root ssh:notty Fri Oct 22 16:15 - 16:15 (00:00) *************.co.jp test01 ssh:notty Fri Oct 22 17:29 - 17:29 (00:00) *************.co.jp test01 ssh:notty Fri Oct 22 20:13 - 20:13 (00:00) *************.co.jp ====[ ここから ] ==================================================================== root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br aussiecr ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br aussiecr ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br gorzow ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br gorzow ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br dev ssh:notty Sat Oct 23 02:50 - 02:50 (00:00) server.#########.com.br dev ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br www ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br www ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br kylix ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br kylix ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br cisco ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br cisco ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br rita ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br rita ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br giovanna ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br giovanna ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:51 - 02:51 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br artem ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br artem ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br postgres ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br postgres ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br postgres ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br postgres ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br dev ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br dev ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br induacu ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br induacu ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br tollini ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br tollini ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br www ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br www ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br PlcmSpIp ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br PlcmSpIp ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:52 - 02:52 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br work ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br work ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br sysadmin ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br sysadmin ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br jason ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br jason ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br iony ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br iony ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br sauticom ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br sauticom ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br eak ssh:notty Sat Oct 23 02:53 - 02:53 (00:00) server.#########.com.br eak ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br sysadmin ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br sysadmin ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br provis ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br provis ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br halley ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br halley ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br prasoot ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br prasoot ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br thairepo ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br thairepo ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br georgeli ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br georgeli ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br edwardli ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br edwardli ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br dinochan ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br dinochan ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br sigcomm ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br sigcomm ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br test ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br test ssh:notty Sat Oct 23 02:54 - 02:54 (00:00) server.#########.com.br test ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br test ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sigcomm ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sigcomm ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br tklc ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br tklc ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br kylix ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br kylix ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br tedbaker ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br tedbaker ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br root ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br cyrus ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br cyrus ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br bin ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sercon ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sercon ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br sec ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br nfsnobod ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br nfsnobod ssh:notty Sat Oct 23 02:55 - 02:55 (00:00) server.#########.com.br ====[ ここまで ] ==================================================================== test01 ssh:notty Mon Oct 25 08:43 - 08:43 (00:00) *************.*****.ne.jp test01 ssh:notty Mon Oct 25 08:43 - 08:43 (00:00) *************.*****.ne.jp test01 ssh:notty Mon Oct 25 08:43 - 08:43 (00:00) *************.*****.ne.jp
5分間に284回もトライするなんて、ブラジル人やり過ぎだよ・・・
幸いrootログインは禁止してあり、パスワードもランダムな文字列にしていたので実害はありませんでしたが、本当に攻撃を受けるんだなと身をもって感じました。
皆さんも気をつけてください。
