
SSH access attempt

waterloo

Newbie
Hello,

I have been watching my /var/log/login for some time and often notice lines like these:

Code:
Dec 20 00:28:18 Arktur sshd[12363]: Invalid user test from 216.153.128.159
Dec 20 00:28:18 Arktur sshd[12363]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:18 Arktur sshd[12363]: input_userauth_request: invalid user test
Dec 20 00:28:18 Arktur sshd[12363]: Failed password for invalid user test from 216.153.128.159 port 33277 ssh2
Dec 20 00:28:18 Arktur sshd[12363]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:20 Arktur sshd[12364]: User guest not allowed because shell /dev/null is not executable
Dec 20 00:28:20 Arktur sshd[12364]: input_userauth_request: invalid user guest
Dec 20 00:28:20 Arktur sshd[12364]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:20 Arktur sshd[12364]: Failed password for invalid user guest from 216.153.128.159 port 33334 ssh2
Dec 20 00:28:20 Arktur sshd[12364]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:21 Arktur sshd[12365]: Invalid user admin from 216.153.128.159
Dec 20 00:28:21 Arktur sshd[12365]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:21 Arktur sshd[12365]: input_userauth_request: invalid user admin
Dec 20 00:28:21 Arktur sshd[12365]: Failed password for invalid user admin from 216.153.128.159 port 33387 ssh2
Dec 20 00:28:21 Arktur sshd[12365]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:22 Arktur sshd[12372]: Invalid user admin from 216.153.128.159
Dec 20 00:28:22 Arktur sshd[12372]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:22 Arktur sshd[12372]: input_userauth_request: invalid user admin
Dec 20 00:28:22 Arktur sshd[12372]: Failed password for invalid user admin from 216.153.128.159 port 33448 ssh2
Dec 20 00:28:23 Arktur sshd[12372]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:24 Arktur sshd[12373]: Invalid user user from 216.153.128.159
Dec 20 00:28:24 Arktur sshd[12373]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:24 Arktur sshd[12373]: input_userauth_request: invalid user user
Dec 20 00:28:24 Arktur sshd[12373]: Failed password for invalid user user from 216.153.128.159 port 33503 ssh2
Dec 20 00:28:24 Arktur sshd[12373]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:25 Arktur sshd[12374]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:25 Arktur sshd[12374]: Failed password for root from 216.153.128.159 port 33555 ssh2
Dec 20 00:28:25 Arktur sshd[12374]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:26 Arktur sshd[12381]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:26 Arktur sshd[12381]: Failed password for root from 216.153.128.159 port 33612 ssh2
Dec 20 00:28:27 Arktur sshd[12381]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:28 Arktur sshd[12382]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:28 Arktur sshd[12382]: Failed password for root from 216.153.128.159 port 33658 ssh2
Dec 20 00:28:28 Arktur sshd[12382]: Received disconnect from 216.153.128.159: 11: Bye Bye
Dec 20 00:28:29 Arktur sshd[12383]: Invalid user test from 216.153.128.159
Dec 20 00:28:29 Arktur sshd[12383]: reverse mapping checking getaddrinfo for mail1.nytas.com failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 20 00:28:29 Arktur sshd[12383]: input_userauth_request: invalid user test
Dec 20 00:28:29 Arktur sshd[12383]: Failed password for invalid user test from 216.153.128.159 port 33706 ssh2
Dec 20 00:28:29 Arktur sshd[12383]: Received disconnect from 216.153.128.159: 11: Bye Bye

Why I am posting here:
I was under the impression that if I block port 22 for SSH in my firewall, the service is then not reachable from outside. But why does the service respond on, e.g., port 33706?

And did the intruder get into my system?

Thanks for your help.

Regards
 

framp

Moderator
Team member
These high ports are the ports used by the remote ssh client. Evidently you have not closed your port 22 properly. Have a look here. There you will find tips on how to secure your ssh server ;-)
 

Martin Breidenbach

Ultimate Guru
The ssh SERVER SERVICE (daemon) uses port 22.

The ssh CLIENT is assigned some random free port >1024.

This works the same way with other protocols too.
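
Added example, not part of the thread: a short Python script that groups the sshd result lines of a log like the one posted above by source address, records the logged client source ports, and reports whether any login from that address was accepted. The first four sample lines come from the posted log; the `Accepted` line, the user `alice` and the address 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict

# First four lines are from the log quoted in the thread; the last is constructed
# (hypothetical user, documentation address) to show what a success looks like.
SAMPLE_LOG = """\
Dec 20 00:28:18 Arktur sshd[12363]: Invalid user test from 216.153.128.159
Dec 20 00:28:18 Arktur sshd[12363]: Failed password for invalid user test from 216.153.128.159 port 33277 ssh2
Dec 20 00:28:20 Arktur sshd[12364]: Failed password for invalid user guest from 216.153.128.159 port 33334 ssh2
Dec 20 00:28:25 Arktur sshd[12374]: Failed password for root from 216.153.128.159 port 33555 ssh2
Dec 20 09:12:03 Arktur sshd[13001]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
"""

# Result lines: "<Failed|Accepted> <method> for [invalid user] <user> from <ip> port <n>"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def summarize(log_text):
    """Group sshd authentication results by source address."""
    hosts = defaultdict(lambda: {"failed": 0, "accepted": [], "users": set(), "src_ports": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # "Invalid user", reverse-mapping and disconnect lines carry no result
        entry = hosts[m["ip"]]
        entry["users"].add(m["user"])
        # The port logged here is the client's source port, not the port sshd listens on.
        entry["src_ports"].append(int(m["port"]))
        if m["result"] == "Accepted":
            entry["accepted"].append(m["user"])
        else:
            entry["failed"] += 1
    return dict(hosts)

def hosts_needing_review(summary, min_failed=3):
    """Addresses with repeated failures; value is True if a login from them succeeded."""
    return {ip: bool(e["accepted"]) for ip, e in summary.items() if e["failed"] >= min_failed}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, e in report.items():
        print(ip, "failed:", e["failed"], "accepted:", e["accepted"],
              "users:", sorted(e["users"]), "source ports:", e["src_ports"])
    print(hosts_needing_review(report))
```

An empty `accepted` list only reflects the log file that was read, so rotated or older logs need the same check.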
 