The server was being bombarded with requests trying to exploit an SSH flaw. The SSH log showed messages like these:
Feb 28 21:53:55 ccems-web2 sshd[5488]: Bad protocol version identification 'GET http://cashinlink.com/6ydbw58 HTTP/1.1' from UNKNOWN
Feb 28 21:54:20 ccems-web2 sshd[5491]: Bad protocol version identification 'GET http://50a574f0.linkbucks.com/ HTTP/1.1' from UNKNOWN
Feb 28 21:54:27 ccems-web2 sshd[5494]: Connection closed by 127.0.0.1
Feb 28 21:54:29 ccems-web2 sshd[5496]: Bad protocol version identification 'GET http://e8de474e.linkbucks.com/ HTTP/1.1' from UNKNOWN
Feb 28 21:54:41 ccems-web2 sshd[5497]: Bad protocol version identification 'POST http://proxy.traficer.net/test.php HTTP/1.1' from UNKNOWN
Since sshd is not able to determine the source of the attack, strace has to be used to find out the IP.
Strace – Tracks and displays system calls associated with a running process
strace -f -e getpeername -p sshd-pid
The results showed this:
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 5504 attached (waiting for parent)
Process 5504 resumed (parent 16532 ready)
[pid 5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [1157143637847441424]) = 0
[pid 5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [7217096605625745424]) = 0
[pid 5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [16]) = 0
[pid 5504] getpeername(3, 0x7fff272839f0, [2821568938222026880]) = -1 EBADF (Bad file descriptor)
Process 5504 detached
--- SIGCHLD (Child exited) @ 0 (0) ---

--- SIGCHLD (Child exited) @ 0 (0) ---
Process 5630 attached (waiting for parent)
Process 5630 resumed (parent 16532 ready)
[pid 5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [3209377693044834320]) = 0
[pid 5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [7217878495832047632]) = 0
[pid 5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [16]) = 0
[pid 5630] getpeername(3, 0x7fff9f2b0110, [11469262112979681408]) = -1 ENOTCONN (Transport endpoint is not connected)
Process 5630 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Blocking the IPs on the firewall is enough to solve the problem.
iptables -A INPUT -s 85.140.128.165 -j DROP
iptables -A INPUT -s 218.6.19.3 -j DROP
Since I use Fail2ban on my servers to block the various kinds of attacks, I will explain the configuration changes needed to block these attacks automatically.
Edit the file /etc/fail2ban/filter.d/sshd.conf and add these lines to the failregex directive:
^%(__prefix_line)sBad protocol version identification '.*?' from <HOST>
^%(__prefix_line)sDid not receive identification string from <HOST>
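As an added example (not code from the original post), the script below applies the two failregex lines above to sample sshd log lines and pulls the peer IPs out of `strace -e getpeername` output, which shows why the "from UNKNOWN" hits give Fail2ban nothing to ban and the strace step is needed. The sample log and strace lines are constructed after the ones shown above, and `PREFIX_LINE`/`HOST` are simplified stand-ins for Fail2ban's own `%(__prefix_line)s` and `<HOST>` expansions (an assumption, not the real definitions).

```python
import re

# Constructed sample lines, modelled on the ones shown in the post
SSHD_LOG = """\
Feb 28 21:53:55 ccems-web2 sshd[5488]: Bad protocol version identification 'GET http://cashinlink.com/6ydbw58 HTTP/1.1' from UNKNOWN
Feb 28 21:54:27 ccems-web2 sshd[5494]: Connection closed by 127.0.0.1
Feb 28 21:54:41 ccems-web2 sshd[5497]: Bad protocol version identification 'POST http://proxy.traficer.net/test.php HTTP/1.1' from UNKNOWN
Feb 28 21:55:02 ccems-web2 sshd[5510]: Did not receive identification string from 218.6.19.3
"""
STRACE_OUT = """\
[pid 5504] getpeername(3, {sa_family=AF_INET, sin_port=htons(3856), sin_addr=inet_addr("85.140.128.165")}, [16]) = 0
[pid 5504] getpeername(3, 0x7fff272839f0, [2821568938222026880]) = -1 EBADF (Bad file descriptor)
[pid 5630] getpeername(3, {sa_family=AF_INET, sin_port=htons(35372), sin_addr=inet_addr("218.6.19.3")}, [16]) = 0
"""

# Simplified stand-ins (assumption) for fail2ban's %(__prefix_line)s and <HOST>
PREFIX_LINE = r"^\S+ +\d+ +\d+:\d+:\d+ \S+ sshd\[\d+\]: "
HOST = r"(?P<host>[\w\-.]+)"
# The two failregex lines from the post with the placeholders expanded
FAILREGEX = [
    re.compile(PREFIX_LINE + r"Bad protocol version identification '.*?' from " + HOST),
    re.compile(PREFIX_LINE + r"Did not receive identification string from " + HOST),
]
# A successful getpeername() call as printed by strace -e getpeername
GETPEERNAME_OK = re.compile(
    r'getpeername\(\d+, \{sa_family=AF_INET, sin_port=htons\(\d+\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}, \[\d+\]\) = 0')

def sshd_failures(log_text):
    """Apply the failregex patterns to each log line and count hits per <HOST>.
    A host of 'UNKNOWN' is a hit that fail2ban has no address to ban."""
    hits = {}
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break
    return hits

def strace_peers(strace_text):
    """Collect the remote IPs from successful getpeername() calls.
    Failed calls (EBADF, ENOTCONN) carry no address and are skipped."""
    return sorted({m.group(1) for m in map(GETPEERNAME_OK.search, strace_text.splitlines()) if m})

def drop_rules(ips):
    """The iptables commands used in the post, one per peer IP found by strace."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in ips]
```

Running `sshd_failures(SSHD_LOG)` counts the two UNKNOWN hits and the one with a real address, while `drop_rules(strace_peers(STRACE_OUT))` yields the same two DROP rules shown above.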