Zimbra mail server log shows successive SSH connection attempts [SOLVED]

1. Zimbra mail server log shows successive SSH connection attempts [SOLVED]

GLAUCO SALINO ARAUJO
glaucoaraujo

(uses Debian)

Posted on 12/06/2017 - 16:54h

Hi everyone.

I would like some help regarding the Zimbra log.

I noticed in the Zimbra mail server log successive SSH connection attempts on random high ports.

I would like to know how to handle this situation.

The connection attempts are coming from the local interface of my firewall server.

I thought it might be a port scan. Could that be it?

Jun 12 16:50:04 webmail sshd[24877]: Failed password for root from 10.X.XXX.XXX port 39185 ssh2
Jun 12 16:50:04 webmail sshd[24879]: Failed password for root from 10.X.XXX.XXX port 41313 ssh2
Jun 12 16:50:04 webmail sshd[24881]: Failed password for root from 10.X.XXX.XXX port 41657 ssh2
Jun 12 16:50:04 webmail sshd[24883]: Failed password for root from 10.X.XXX.XXX port 44857 ssh2
Jun 12 16:50:04 webmail sshd[24885]: Failed password for root from 10.X.XXX.XXX port 45309 ssh2
Jun 12 16:50:05 webmail sshd[24887]: Failed password for root from 10.X.XXX.XXX port 50331 ssh2
Jun 12 16:50:06 webmail sshd[24877]: Failed password for root from 10.X.XXX.XXX port 39185 ssh2
Jun 12 16:50:06 webmail sshd[24879]: Failed password for root from 10.X.XXX.XXX port 41313 ssh2
Jun 12 16:50:06 webmail sshd[24881]: Failed password for root from 10.X.XXX.XXX port 41657 ssh2
Jun 12 16:50:06 webmail sshd[24877]: Received disconnect from 10.X.XXX.XXX port 39185:11: [preauth]
Jun 12 16:50:06 webmail sshd[24877]: Disconnected from 10.X.XXX.XXX port 39185 [preauth]
Jun 12 16:50:06 webmail sshd[24879]: Received disconnect from 10.X.XXX.XXX port 41313:11: [preauth]
Jun 12 16:50:06 webmail sshd[24879]: Disconnected from 10.X.XXX.XXX port 41313 [preauth]
Jun 12 16:50:06 webmail sshd[24883]: Failed password for root from 10.X.XXX.XXX port 44857 ssh2
Jun 12 16:50:06 webmail sshd[24881]: Received disconnect from 10.X.XXX.XXX port 41657:11: [preauth]
Jun 12 16:50:06 webmail sshd[24881]: Disconnected from 10.X.XXX.XXX port 41657 [preauth]
Jun 12 16:50:06 webmail sshd[24883]: Received disconnect from 10.X.XXX.XXX port 44857:11: [preauth]
Jun 12 16:50:06 webmail sshd[24883]: Disconnected from 10.X.XXX.XXX port 44857 [preauth]
Jun 12 16:50:07 webmail sshd[24885]: Failed password for root from 10.X.XXX.XXX port 45309 ssh2
Jun 12 16:50:07 webmail sshd[24885]: Received disconnect from 10.X.XXX.XXX port 45309:11: [preauth]
Jun 12 16:50:07 webmail sshd[24885]: Disconnected from 10.X.XXX.XXX port 45309 [preauth]
Jun 12 16:50:07 webmail sshd[24887]: Failed password for root from 10.X.XXX.XXX port 50331 ssh2
Jun 12 16:50:07 webmail sshd[24887]: Received disconnect from 10.X.XXX.XXX port 50331:11: [preauth]
Jun 12 16:50:07 webmail sshd[24887]: Disconnected from 10.X.XXX.XXX port 50331 [preauth]



  


2. Brute-force ssh2 access attempt

GLAUCO SALINO ARAUJO
glaucoaraujo

(uses Debian)

Posted on 15/06/2017 - 21:32h

I found out what it was.
After searching my network's firewall log, I found that it is a brute-force ssh2 access attempt against the root account from the IP address SRC=116.31.116.34.
Stay alert!
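The two posts above describe one event from two vantage points: sshd on the mail server sees bursts of failed root logins arriving from the firewall's internal address on many different source ports, while the firewall log carries the real external SRC. The Python script below is an added example, not code from the thread or from Zimbra. It parses constructed sample lines in both formats, counts failures per source address inside a sliding time window to separate a brute-force burst from a single mistyped password, and joins the sshd source ports against the firewall's SPT field to recover the external origin. The sample addresses, the year 2017 assumed for the year-less syslog timestamps, the `FW-IN` log prefix, and the assumption that the firewall forwards port 22 without rewriting the client's source port are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in the syslog format shown in the thread.
# 10.0.0.5 is a placeholder for the firewall's internal interface.
SAMPLE_SSHD_LOG = """\
Jun 12 16:50:04 webmail sshd[24877]: Failed password for root from 10.0.0.5 port 39185 ssh2
Jun 12 16:50:04 webmail sshd[24879]: Failed password for root from 10.0.0.5 port 41313 ssh2
Jun 12 16:50:04 webmail sshd[24881]: Failed password for root from 10.0.0.5 port 41657 ssh2
Jun 12 16:50:05 webmail sshd[24887]: Failed password for root from 10.0.0.5 port 50331 ssh2
Jun 12 16:50:06 webmail sshd[24877]: Failed password for root from 10.0.0.5 port 39185 ssh2
Jun 12 16:50:06 webmail sshd[24877]: Received disconnect from 10.0.0.5 port 39185:11: [preauth]
Jun 12 16:50:06 webmail sshd[24877]: Disconnected from 10.0.0.5 port 39185 [preauth]
Jun 12 16:50:07 webmail sshd[24885]: Failed password for root from 10.0.0.5 port 45309 ssh2
Jun 12 16:52:30 webmail sshd[25102]: Failed password for invalid user admin from 192.0.2.77 port 51000 ssh2
Jun 12 16:53:10 webmail sshd[25110]: Accepted publickey for zimbra from 10.0.0.9 port 50222 ssh2
"""

# Constructed iptables LOG-target lines from the perimeter firewall. The
# external addresses are documentation-range placeholders, not the address
# reported in the thread; only the fields the example reads are realistic.
SAMPLE_FW_LOG = """\
Jun 12 16:50:04 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=39185 DPT=22 SYN
Jun 12 16:50:04 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=41313 DPT=22 SYN
Jun 12 16:50:04 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=41657 DPT=22 SYN
Jun 12 16:50:05 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=50331 DPT=22 SYN
Jun 12 16:50:07 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP SPT=45309 DPT=22 SYN
Jun 12 16:52:30 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=10.0.0.20 PROTO=TCP SPT=51000 DPT=22 SYN
"""

LOG_YEAR = 2017  # syslog timestamps carry no year; assume the thread's year

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2$"
)
FW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_ts(text):
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_failed_logins(lines):
    """One event per 'Failed password' line; disconnects and successes are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            events.append({"time": parse_ts(m["ts"]), "user": m["user"],
                           "ip": m["ip"], "port": int(m["port"])})
    return events


def max_burst(times, window_seconds):
    """Largest number of events that fall inside any window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def summarize(events, window_seconds=60, threshold=5):
    """Per source address: failure count, burst size, users and source ports tried, verdict."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        burst = max_burst([e["time"] for e in evs], window_seconds)
        report[ip] = {
            "failures": len(evs),
            "burst": burst,
            "users": sorted({e["user"] for e in evs}),
            # Many distinct *source* ports are parallel client connections to
            # sshd, not a scan of the server's ports; a port scan would not
            # produce 'Failed password' lines at all.
            "source_ports": sorted({e["port"] for e in evs}),
            "verdict": "brute-force" if burst >= threshold else "isolated",
        }
    return report


def correlate_with_firewall(events, fw_lines, dport=22):
    """Map the external SRC seen by the firewall to the sshd source ports it used.

    Assumes the firewall forwards the SSH port without rewriting the client's
    source port, so SPT in the firewall log equals the port sshd reports.
    """
    fw = {}
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if m and int(m["dpt"]) == dport:
            fw[int(m["spt"])] = m["src"]
    origin = defaultdict(set)
    for e in events:
        if e["port"] in fw:
            origin[fw[e["port"]]].add(e["port"])
    return {src: sorted(ports) for src, ports in origin.items()}


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_SSHD_LOG.splitlines())
    for ip, row in summarize(events).items():
        print(ip, row)
    print(correlate_with_firewall(events, SAMPLE_FW_LOG.splitlines()))
```

Run it against a real `auth.log` by replacing the sample strings with file contents. The verdict logic answers the original question directly: a port scan shows up as connections closed before authentication, never as `Failed password` lines, whereas six password failures against `root` inside three seconds from one address is a brute-force attempt. The "random high ports" are the attacker's source ports for parallel sessions. The correlation step is what the second post did by hand: sshd only sees the firewall's internal address, so the real origin must come from the firewall's own log.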
