Frightening SSH access attempts from China

I recently started running a NAS, and while I was setting up Zabbix and syslog to learn them, I happened to look at the Synology log and...

There were SSH login-failure entries I did not recognize.

2018/2/26 21:38 SYSTEM User [postgres] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [114.27.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 20:14 SYSTEM User [admin] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 18:59 SYSTEM User [admin] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 17:45 SYSTEM User [test] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 16:29 SYSTEM User [test] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 15:05 SYSTEM User [guest] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 13:49 SYSTEM User [guest] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 12:38 SYSTEM User [oracle] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 11:25 SYSTEM User [oracle] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 10:11 SYSTEM User [oracle] from [202.101.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/26 2:43 SYSTEM User [root] from [42.235.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:10 SYSTEM User [support] from [151.64.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.
2018/2/25 13:40 SYSTEM User [admin] from [125.47.*.*] failed to log in via [SSH] due to authorization failure.

The IPs are masked here, but a whois lookup showed the attempts came from China, Taiwan and Italy.
How frightening... I have only been using this NAS for about a week, and word already got around that fast. orz

Back when Blaster(?) was spreading, a freshly reinstalled PC of mine got infected within a few tens of minutes, so I am used to this... well, not used to it, but I have experienced it before, so I more or less understand what is going on.

I had been forwarding the SSH port from the router to the NAS because I wanted to try scp and the like from outside. But against a brute-force-style attack (judging by the number of attempts, they are probably trying words that commonly get set as default passwords) it is obvious the login would eventually be broken, so I lowered the login-failure auto-block threshold from 10 attempts per 5 minutes to 5 attempts per 5 minutes and, to be safe, also turned off the router-to-NAS SSH port forwarding.

As the log shows, the connection attempts used usernames I never created on this NAS (support, admin, oracle, test, postgres). These are IDs that all sorts of sites show as examples for personal use or for study.
I am no exception; I often set up IDs like these myself.
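To make the threshold change concrete, here is a small Python script added to this post (it is not from the original post and not Synology code) that parses log lines in the DSM format shown above, replays a DSM-style sliding-window auto-block at 10 and at 5 failures per 5 minutes, and lists usernames that were never created on the NAS. The log lines are constructed in the same format with RFC 5737 documentation addresses instead of the real sources, and the list of known NAS users is an assumption.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the DSM log format shown in the post (newest first).
# Source addresses are RFC 5737 documentation ranges, not the real attackers.
SAMPLE_LOG = """\
2018/2/26 21:40 SYSTEM Unrelated message that the parser must skip.
2018/2/26 21:38 SYSTEM User [postgres] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 21:09 SYSTEM User [admin] from [198.51.100.20] failed to log in via [SSH] due to authorization failure.
2018/2/26 20:14 SYSTEM User [admin] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 18:59 SYSTEM User [admin] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 17:45 SYSTEM User [test] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 16:29 SYSTEM User [test] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 15:05 SYSTEM User [guest] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/26 13:49 SYSTEM User [oracle] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [192.0.2.99] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [192.0.2.99] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:11 SYSTEM User [support] from [192.0.2.99] failed to log in via [SSH] due to authorization failure.
2018/2/25 14:10 SYSTEM User [support] from [192.0.2.99] failed to log in via [SSH] due to authorization failure.
"""

# Assumed: the only account actually created on the NAS.
KNOWN_USERS = {"nasowner"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{2}) SYSTEM User \[(?P<user>[^\]]*)\] "
    r"from \[(?P<ip>[^\]]+)\] failed to log in via \[(?P<svc>[^\]]+)\]"
)


def parse_events(text):
    """Return (timestamp, user, ip) tuples for every failed-login line, oldest first.
    Lines that are not failed-login records are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M")
            events.append((ts, m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])  # the DSM view is newest first; replay oldest first
    return events


def blocked_ips(events, threshold, window=timedelta(minutes=5)):
    """Sliding-window auto-block: an IP is blocked the moment it accumulates
    `threshold` failures within `window`. Returns {ip: time_of_block}."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, _user, ip in events:
        if ip in blocked:
            continue  # already blocked; later attempts never reach sshd
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def evaders(events, threshold, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures in total that the window-based
    block never caught, i.e. low-and-slow guessers."""
    totals = Counter(ip for _ts, _user, ip in events)
    caught = blocked_ips(events, threshold, window)
    return {ip: n for ip, n in totals.items() if n >= threshold and ip not in caught}


def unknown_usernames(events, known_users):
    """Count attempts against usernames that were never created on the NAS."""
    return Counter(user for _ts, user, _ip in events if user not in known_users)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    for threshold in (10, 5):
        print(f"{threshold} failures / 5 min -> blocked: {blocked_ips(ev, threshold)}")
        print(f"{threshold} failures / 5 min -> evaded:  {evaders(ev, threshold)}")
    print("usernames that do not exist here:", dict(unknown_usernames(ev, KNOWN_USERS)))
```

With this replay the six-attempt burst on `admin` is blocked at 5 per 5 minutes but never at 10 per 5 minutes, while the source that spaces one guess every hour or so is never blocked at either setting. That is the limit of the threshold change: it stops bursts, and the port-forward being switched off (or public-key-only authentication) is what actually stops the slow guesser.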

Even though I have not granted these accounts superuser privileges, it is clearly important to give accounts like these reasonably strong passwords.

Ugh, scary.

I installed Zabbix, but I still do not properly understand how to run syslog, so maybe it is time to buy a book and study.
