The server was being bombarded with requests trying to exploit an existing flaw in SSH. The SSH log showed messages like these:

Feb 28 21:53:55 ccems-web2 sshd[5488]: Bad protocol version identification 'GET http://cashinlink.com/6ydbw58 HTTP/1.1' from UNKNOWN
Feb 28 21:54:20 ccems-web2 sshd[5491]: Bad protocol version identification 'GET http://50a574f0.linkbucks.com/ HTTP/1.1' from UNKNOWN
Feb 28 21:54:27 ccems-web2 sshd[5494]: Connection closed by 127.0.0.1
Feb 28 21:54:29 ccems-web2 sshd[5496]: Bad protocol version identification 'GET http://e8de474e.linkbucks.com/ HTTP/1.1' from UNKNOWN
Feb 28 21:54:41 ccems-web2 sshd[5497]: Bad protocol version identification 'POST http://proxy.traficer.net/test.php HTTP/1.1' from UNKNOWN

Since sshd is not able to determine the source of the attack, strace has to be used to find out the IP.

Strace – Tracks and displays system calls associated with a running process

strace -f -e getpeername -p <sshd-pid>

The results showed this:

--- SIGCHLD (Child exited) @ 0 (0) ---
Process 5504 attached (waiting for parent)
Process 5504 resumed (parent 16532 ready)
[pid  5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [1157143637847441424]) = 0
[pid  5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [7217096605625745424]) = 0
[pid  5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [16]) = 0
[pid  5504] getpeername(3, 0x7fff272839f0, [2821568938222026880]) = -1 EBADF (Bad file descriptor)
Process 5504 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 5630 attached (waiting for parent)
Process 5630 resumed (parent 16532 ready)
[pid  5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [3209377693044834320]) = 0
[pid  5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [7217878495832047632]) = 0
[pid  5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [16]) = 0
[pid  5630] getpeername(3, 0x7fff9f2b0110, [11469262112979681408]) = -1 ENOTCONN (Transport endpoint is not connected)
Process 5630 detached
--- SIGCHLD (Child exited) @ 0 (0) ---

Just block the IPs in the firewall and the problem is solved.

iptables -A INPUT -s 85.140.128.165 -j DROP
iptables -A INPUT -s 218.6.19.3 -j DROP
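Picking the addresses out of the strace output by hand is fine for two connections, but under a flood it is easier to let a script do it. The following is an added example written for this post, not code from the original; it parses the `[pid N] getpeername(...)` lines shown above (a constructed, abbreviated copy of that output is embedded for testing), keeps one peer per forked sshd child, counts connections per address and prints the same `iptables ... -j DROP` lines. The file path `/var/run/sshd.pid` in the usage note is an assumption about where the master sshd keeps its pid.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample: an abbreviated copy of the strace output from the post.
STRACE_OUTPUT = """\
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 5504 attached (waiting for parent)
Process 5504 resumed (parent 16532 ready)
[pid  5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [16]) = 0
[pid  5504] getpeername(3, 0x7fff272839f0, [2821568938222026880]) = -1 EBADF (Bad file descriptor)
Process 5504 detached
Process 5630 attached (waiting for parent)
[pid  5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [16]) = 0
[pid  5630] getpeername(3, 0x7fff9f2b0110, [11469262112979681408]) = -1 ENOTCONN (Transport endpoint is not connected)
Process 5630 detached
"""

# Matches only successful (= 0) AF_INET getpeername calls; the failed ones
# (EBADF / ENOTCONN) carry no address and are skipped.
GETPEERNAME_RE = re.compile(
    r'\[pid\s+(?P<pid>\d+)\]\s+getpeername\(\d+,\s*'
    r'\{sa_family=AF_INET,\s*sin_port=htons\((?P<port>\d+)\),\s*'
    r'sin_addr=inet_addr\("(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"\)\}.*\)\s*=\s*0'
)


def extract_peers(strace_text):
    """Return {child_pid: (ip, port)} for each sshd child that had a peer.

    sshd forks one child per connection and calls getpeername several times,
    so the dict collapses the repeats into a single entry per child pid.
    """
    peers = {}
    for line in strace_text.splitlines():
        m = GETPEERNAME_RE.search(line)
        if m:
            peers[int(m.group('pid'))] = (m.group('ip'), int(m.group('port')))
    return peers


def count_by_ip(peers):
    """Number of connections (sshd children) seen per source address."""
    return Counter(ip for ip, _ in peers.values())


def iptables_rules(peers, min_connections=1):
    """Build DROP rules for every address with at least min_connections hits."""
    counts = count_by_ip(peers)
    rules = []
    for ip in sorted(counts, key=ipaddress.ip_address):
        if counts[ip] >= min_connections:
            rules.append(f"iptables -A INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    # Read real strace output from stdin if piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else STRACE_OUTPUT
    peers = extract_peers(text)
    for pid, (ip, port) in sorted(peers.items()):
        print(f"child {pid}: {ip}:{port}")
    print("\n".join(iptables_rules(peers)))
```

strace writes its trace to stderr, so to feed a live capture into the script use something like `strace -f -e getpeername -p $(cat /var/run/sshd.pid) 2>&1 | python3 peers.py`; printing the rules rather than executing them leaves the decision of what to block with the operator, and `min_connections` can be raised so a single stray connection does not get an address dropped.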


Since I use Fail2ban on the servers to block the various kinds of attacks, I will explain the configuration changes needed to block these attacks automatically.

Edit the file /etc/fail2ban/filter.d/sshd.conf and add these lines to the failregex directive:

^%(__prefix_line)sBad protocol version identification '.*?' from <HOST>
^%(__prefix_line)sDid not receive identification string from <HOST>
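Before relying on a new failregex it is worth checking what it actually captures from the lines above. The following is an added example, not part of the original post or of Fail2ban itself: it expands the two patterns the way Fail2ban does (`<HOST>` replaced by the 0.8-era host expression, `%(__prefix_line)s` by a simplified syslog prefix, both assumptions) and runs them over a constructed set of log lines taken from the post plus one line where sshd does log an address. The point it shows is that on the `from UNKNOWN` lines the capture is the literal string UNKNOWN, not an address, so there is nothing for Fail2ban to ban on those; the filter only bites when sshd was able to log the peer address, which is why the strace step above was needed in the first place. The real tool for this check is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/sshd.conf`.

```python
import re

# Constructed sample: two lines from the post, one unrelated line, and one
# "Did not receive identification string" line with a documentation address.
LOG_LINES = [
    "Feb 28 21:53:55 ccems-web2 sshd[5488]: Bad protocol version identification "
    "'GET http://cashinlink.com/6ydbw58 HTTP/1.1' from UNKNOWN",
    "Feb 28 21:54:27 ccems-web2 sshd[5494]: Connection closed by 127.0.0.1",
    "Feb 28 21:54:41 ccems-web2 sshd[5497]: Bad protocol version identification "
    "'POST http://proxy.traficer.net/test.php HTTP/1.1' from UNKNOWN",
    "Feb 28 21:55:02 ccems-web2 sshd[5510]: Did not receive identification string from 203.0.113.7",
]

# Assumption: a simplified stand-in for Fail2ban's __prefix_line
# ("Mon DD HH:MM:SS host sshd[pid]: ").
PREFIX_LINE = r'\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\ssshd\[\d+\]:\s'
# Assumption: the <HOST> expansion used by Fail2ban 0.8.x.
HOST = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)'

# The two failregex lines from the post, exactly as they go into sshd.conf.
FAILREGEX = [
    r"^%(__prefix_line)sBad protocol version identification '.*?' from <HOST>",
    r"^%(__prefix_line)sDid not receive identification string from <HOST>",
]

IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def compile_failregex(patterns):
    """Expand the Fail2ban placeholders and compile each pattern."""
    return [
        re.compile(p.replace('%(__prefix_line)s', PREFIX_LINE).replace('<HOST>', HOST))
        for p in patterns
    ]


def scan(lines, compiled):
    """Return (host, bannable) for every line some failregex matches.

    bannable is True only when the captured host is an IPv4 address;
    the literal 'UNKNOWN' that sshd logs when it cannot identify the peer
    gives Fail2ban nothing to put in a DROP rule.
    """
    results = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                host = m.group('host')
                results.append((host, bool(IPV4.match(host))))
                break
    return results


if __name__ == "__main__":
    for host, bannable in scan(LOG_LINES, compile_failregex(FAILREGEX)):
        print(f"{host:16} {'ban' if bannable else 'no address to ban'}")
```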