logwatch log
Looking at the logwatch log, you can see that one and the same IP is attacking persistently, like this:
 --------------------- pam_unix Begin ------------------------ 

 (omitted)

 sshd:
    Authentication Failures:
       unknown (118.98.221.205): 2911 Time(s)
       root (118.98.221.205): 43 Time(s)
       mysql (118.98.221.205): 17 Time(s)
       list (118.98.221.205): 12 Time(s)
       uucp (118.98.221.205): 5 Time(s)
       backup (118.98.221.205): 4 Time(s)
       irc (118.98.221.205): 4 Time(s)
       postfix (118.98.221.205): 4 Time(s)
       nobody (118.98.221.205): 1 Time(s)
       sys (118.98.221.205): 1 Time(s)
       www-data (118.98.221.205): 1 Time(s)
    Invalid Users:
       Unknown Account: 2911 Time(s)

 ---------------------- pam_unix End ------------------------- 
The traffic during this attack, viewed in MRTG, looks like this.
You can see the attack continuing from just before 10:00 until past 12:00.
While this is going on, bandwidth is being eaten, the logs are pointlessly consuming disk space, and of course CPU is being burned too. When it gets bad, the attempts come from several IPs at once, which is unbearable. In the worst case an attack can be kept up for more than half a day.

Incidentally, the SSHD section of the logwatch report looks like the one below. The bot works very hard at its attack.
 --------------------- SSHD Begin ------------------------ 

 Illegal users from:
    118.98.221.205: 3003 times
       root: 43 times
       gy: 24 times
       hk: 24 times
       hm: 24 times
       hn: 24 times
       hr: 24 times
       ht: 24 times
       hu: 24 times
       id: 24 times
       ie: 24 times
       il: 24 times
       in: 24 times
       io: 24 times
       iq: 24 times
       ir: 24 times
       is: 24 times
       it: 24 times
       jm: 24 times
       jo: 24 times
       jp: 24 times
       lk: 24 times
       lt: 24 times
       lu: 24 times
       li: 22 times
       lv: 21 times
       gw: 19 times
       ke: 19 times
       lr: 18 times
       john: 17 times
       mysql: 17 times
       ls: 14 times
       cs: 13 times
       webmaster: 13 times
       adam: 12 times
       be: 12 times
       bf: 12 times
       bg: 12 times
       bh: 12 times
       bi: 12 times
       bj: 12 times
       bm: 12 times
       bn: 12 times
       bo: 12 times
       br: 12 times
       brad: 12 times
       bs: 12 times
       bt: 12 times
       bv: 12 times
       bw: 12 times
       by: 12 times
       bz: 12 times
       ca: 12 times
       cache: 12 times
       cc: 12 times
       cf: 12 times
       cg: 12 times
       ch: 12 times
       chris: 12 times
       ci: 12 times
       ck: 12 times
       cl: 12 times
       cm: 12 times
       cn: 12 times
       co: 12 times
       cr: 12 times
       cu: 12 times
       cv: 12 times
       cx: 12 times
       cy: 12 times
       cz: 12 times
       de: 12 times
       dj: 12 times
       dk: 12 times
       dm: 12 times
       do: 12 times
       dz: 12 times
       ec: 12 times
       ee: 12 times
       eg: 12 times
       eh: 12 times
       er: 12 times
       es: 12 times
       et: 12 times
       eu: 12 times
       fi: 12 times
       fj: 12 times
       fk: 12 times
       fm: 12 times
       fo: 12 times
       fr: 12 times
       fx: 12 times
       ga: 12 times
       gb: 12 times
       gd: 12 times
       ge: 12 times
       gf: 12 times
       gh: 12 times
       gi: 12 times
       gl: 12 times
       gm: 12 times
       gn: 12 times
       gp: 12 times
       gq: 12 times
       gr: 12 times
       gs: 12 times
       gt: 12 times
       gu: 12 times
       headers: 12 times
       jobs: 12 times
       joe: 12 times
       ken: 12 times
       kevin: 12 times
       kg: 12 times
       kh: 12 times
       ki: 12 times
       km: 12 times
       kn: 12 times
       kp: 12 times
       kr: 12 times
       kw: 12 times
       ky: 12 times
       kz: 12 times
       la: 12 times
       larry: 12 times
       laura: 12 times
       lb: 12 times
       lc: 12 times
       linkexchange: 12 times
       links: 12 times
       lisa: 12 times
       list: 12 times
       ly: 12 times
       ma: 12 times
       mc: 12 times
       md: 12 times
       mg: 12 times
       mh: 12 times
       mk: 12 times
       ml: 12 times
       mm: 12 times
       mn: 12 times
       ni: 12 times
       nl: 12 times
       no: 12 times
       np: 12 times
       nr: 12 times
       nt: 12 times
       nu: 12 times
       nz: 12 times
       om: 12 times
       pa: 12 times
       pe: 12 times
       pf: 12 times
       pg: 12 times
       ph: 12 times
       pk: 12 times
       pl: 12 times
       pm: 12 times
       pn: 12 times
       postgresql: 12 times
       pr: 12 times
       pt: 12 times
       pw: 12 times
       py: 12 times
       sendmail: 12 times
       siteinfo: 12 times
       subdomain: 12 times
       telnet: 12 times
       webalizer: 12 times
       apache: 11 times
       chuck: 11 times
       edea: 11 times
       html: 11 times
       lee: 11 times
       letters: 11 times
       linda: 11 times
       link: 11 times
       ng: 11 times
       seifer: 11 times
       webster: 11 times
       kelly: 10 times
       qa: 10 times
       user: 10 times
       bd: 9 times
       ftpuser: 9 times
       johnny: 9 times
       test: 9 times
       licensing: 8 times
       abc: 7 times
       art: 7 times
       informix: 7 times
       listproc: 7 times
       marketing: 7 times
       updates: 7 times
       cisco: 6 times
       design: 6 times
       info: 6 times
       install: 6 times
       jennifer: 6 times
       oracle: 6 times
       smbuser: 6 times
       test1: 6 times
       test2: 6 times
       test3: 6 times
       test4: 6 times
       test5: 6 times
       tomcat: 6 times
       vpn: 6 times
       admin: 5 times
       amanda: 5 times
       andrew: 5 times
       anthony: 5 times
       bill: 5 times
       charles: 5 times
       cindy: 5 times
       customer: 5 times
       cyrus: 5 times
       david: 5 times
       emma: 5 times
       enquiries: 5 times
       forum: 5 times
       helpdesk: 5 times
       logs: 5 times
       mark: 5 times
       michael: 5 times
       netdump: 5 times
       office: 5 times
       postgres: 5 times
       postmaster: 5 times
       ppp: 5 times
       pwrchute: 5 times
       sales: 5 times
       stats: 5 times
       testing: 5 times
       tmp: 5 times
       uucp: 5 times
       vpopmail: 5 times
       administrator: 4 times
       alex: 4 times
       amavis: 4 times
       backup: 4 times
       cvs: 4 times
       dennis: 4 times
       engineer: 4 times
       enquiry: 4 times
       guest: 4 times
       ipinfo: 4 times
       irc: 4 times
       jason: 4 times
       majordom: 4 times
       majordomo: 4 times
       manager: 4 times
       mo: 4 times
       operator: 4 times
       pgsql: 4 times
       postfix: 4 times
       pvm: 4 times
       rpm: 4 times
       sasha: 4 times
       support: 4 times
       temp: 4 times
       mod_perl: 3 times
       ntran: 2 times
       rich: 2 times
       rob: 2 times
       vhbackup: 2 times
       web: 2 times
       12345: 1 time
       123abc: 1 time
       1q2w3e: 1 time
       a: 1 time
       aly: 1 time
       anne: 1 time
       billing: 1 time
       booking: 1 time
       confession: 1 time
       dasusr1: 1 time
       dave: 1 time
       drew: 1 time
       edu: 1 time
       esther: 1 time
       firewall: 1 time
       flip: 1 time
       fuser: 1 time
       gary: 1 time
       gerry: 1 time
       hayley: 1 time
       hector: 1 time
       httpd: 1 time
       inter: 1 time
       karim: 1 time
       kiki: 1 time
       letmein: 1 time
       luciana: 1 time
       mailer: 1 time
       mario: 1 time
       marty: 1 time
       menu: 1 time
       model: 1 time
       new: 1 time
       nobody: 1 time
       nobody4: 1 time
       norton: 1 time
       oleg: 1 time
       orange: 1 time
       password: 1 time
       penny: 1 time
       racvnc: 1 time
       share: 1 time
       shipping: 1 time
       squid: 1 time
       sys: 1 time
       sysadm: 1 time
       tommy: 1 time
       trinity: 1 time
       username: 1 time
       vivian: 1 time
       welcome: 1 time
       www-data: 1 time

 ---------------------- SSHD End ------------------------- 
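Reading a report like the two above by eye works once, but the pattern the post points at (thousands of failures for many different accounts, all from one address) is easy to pick out automatically. The Python below is an added example, not code from the original post: it parses the "Authentication Failures" block of a logwatch pam_unix summary, totals failures per source IP, and flags sources that exceed a threshold. The sample text is a trimmed copy of the report above with one extra low-volume source added for contrast; the thresholds, the function names and the rendered iptables rule are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not the page's full report): a trimmed logwatch
# "pam_unix" summary in the same shape as the one above, plus one
# low-volume source (203.0.113.7, a documentation address) for contrast.
SAMPLE_PAM_UNIX = """\
--------------------- pam_unix Begin ------------------------

 sshd:
    Authentication Failures:
       unknown (118.98.221.205): 2911 Time(s)
       root (118.98.221.205): 43 Time(s)
       mysql (118.98.221.205): 17 Time(s)
       list (118.98.221.205): 12 Time(s)
       root (203.0.113.7): 3 Time(s)
    Invalid Users:
       Unknown Account: 2911 Time(s)

---------------------- pam_unix End -------------------------
"""

# One "user (ip): N Time(s)" line of the Authentication Failures block.
FAILURE_RE = re.compile(
    r"^\s*(?P<user>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\): "
    r"(?P<count>\d+) Time\(s\)\s*$"
)


def parse_pam_failures(text):
    """Return {ip: {user: failures}} from a logwatch pam_unix summary."""
    per_ip = defaultdict(dict)
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Authentication Failures:":
            in_block = True
            continue
        if in_block and stripped.endswith(":"):
            # The next sub-heading (e.g. "Invalid Users:") closes the block.
            in_block = False
        if not in_block:
            continue
        m = FAILURE_RE.match(line)
        if m:
            ip, user = m.group("ip"), m.group("user")
            per_ip[ip][user] = per_ip[ip].get(user, 0) + int(m.group("count"))
    return dict(per_ip)


def flag_brute_force(per_ip, min_failures=100, min_users=3):
    """Return [(ip, total_failures, distinct_users)] for sources that look
    like a password-guessing bot: many failures, or many different account
    names tried, from one address. Thresholds are assumptions for this
    example. Sorted by total failures, highest first."""
    flagged = []
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total >= min_failures or len(users) >= min_users:
            flagged.append((ip, total, len(users)))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


def deny_rules(flagged):
    """Render one iptables DROP rule per flagged source for an admin to
    review before applying. A denylist only stops this one address; moving
    sshd to key-only authentication removes the payoff for the guessing."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
            for ip, _, _ in flagged]


if __name__ == "__main__":
    hits = flag_brute_force(parse_pam_failures(SAMPLE_PAM_UNIX))
    for ip, total, users in hits:
        print(f"{ip}: {total} failures across {users} account names")
    print("\n".join(deny_rules(hits)))
```

Run against the sample, the script reports 118.98.221.205 with 2983 failures across 4 account names and ignores 203.0.113.7 with its 3 failures against a single account; the same parser can be pointed at the full daily logwatch mail instead of the embedded sample.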