A while ago, with nothing better to do, I wrote a script that tallies the usernames and source IPs of SSH brute-force attempts against my VPSes, mainly just for fun. As for what use it is, maybe real statistics can be used to check whether security measures actually work...?
The script reads the failed-login records from lastb; since the lastb log is rotated monthly, I have it run automatically on the 28th of every month, which roughly shows a month's trend. Now that I have this month's data, I'm posting it here for everyone to take a look.
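An added example (my own code, not the author's script): a Python version of the tally described above that parses lastb output, counts usernames and source IPs masked as in the tables below, and assumes `lastb -w -i` is available on the host; the country column is left out because it needs a GeoIP database.

```python
import subprocess
from collections import Counter
from ipaddress import ip_address
# Constructed sample of `lastb` output (user, tty, host, timestamp). Real input
# comes from `lastb` on the host; reading /var/log/btmp normally requires root.
SAMPLE_LASTB = """\
admin    ssh:notty    203.0.113.7      Mon Sep  5 03:12 - 03:12  (00:00)
admin    ssh:notty    203.0.113.7      Mon Sep  5 03:12 - 03:12  (00:00)
test     ssh:notty    198.51.100.23    Mon Sep  5 03:13 - 03:13  (00:00)
minecraf ssh:notty    203.0.113.9      Mon Sep  5 03:14 - 03:14  (00:00)
oracle   ssh:notty    2001:db8::1      Mon Sep  5 03:15 - 03:15  (00:00)
admin    ssh:notty    198.51.100.23    Mon Sep  5 03:16 - 03:16  (00:00)

btmp begins Thu Sep  1 00:00:01 2022
"""

def mask_host(host):
    """Mask the last IPv4 octet (or IPv6 host half) with '*', as in the tables."""
    try:
        ip = ip_address(host)
    except ValueError:
        return host  # a hostname rather than an IP literal: keep as-is
    if ip.version == 4:
        return '.'.join(str(ip).split('.')[:3]) + '.*'
    return ':'.join(ip.exploded.split(':')[:4]) + ':*'

def summarize(lastb_text, top_n=20):
    """Return (top_usernames, top_hosts) as lists of (value, count) pairs."""
    users, hosts = Counter(), Counter()
    for line in lastb_text.splitlines():
        # Skip blank lines and the trailing "btmp begins ..." footer.
        if not line.strip() or line.startswith('btmp begins'):
            continue
        fields = line.split(None, 3)  # user, tty, host, rest of the line
        if len(fields) < 3:
            continue
        users[fields[0]] += 1
        hosts[mask_host(fields[2])] += 1
    return users.most_common(top_n), hosts.most_common(top_n)

def run_lastb():
    # -w prints full user names (the default 8-column layout is what turns
    # "minecraft" into "minecraf"); -i prints IP addresses instead of hostnames.
    return subprocess.run(['lastb', '-w', '-i'], capture_output=True, text=True, check=True).stdout

if __name__ == '__main__':
    for title, rows in zip(('USERNAME COUNTS', 'IP COUNTS'), summarize(run_lastb())):
        print(title)
        print('\n'.join(f'{value} {count}' for value, count in rows))
```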
server1, North America, port 22
top_username:
USERNAME COUNTS
admin 2462
test 1261
user 972
oracle 865
postgres 782
hadoop 539
guest 522
git 458
testuser 382
web 320
mysql 296
ansible 288
minecraf 284
csgo 232
www 215
deploy 199
steam 191
ftpuser 185
es 182
teamspea 180
top_ip:
IP COUNTS COUNTRY
209.141.35.* 282 US
202.124.39.* 280 KH
209.141.57.* 246 US
111.91.84.* 234 IN
209.141.61.* 232 US
209.141.32.* 220 US
205.185.122.* 206 US
209.141.40.* 174 US
205.185.117.* 168 US
209.141.58.* 168 US
205.185.121.* 167 US
209.141.59.* 163 US
205.185.122.* 162 US
205.185.116.* 156 US
205.185.125.* 153 US
205.185.116.* 152 US
209.141.52.* 150 US
156.206.127.* 146 EG
107.189.2.* 143 LU
205.185.117.* 140 US
server2, North America, non-22 port
top_username:
USERNAME COUNTS
admin 14
user 10
ftpuser 9
test 9
postgres 8
guest 6
demo 5
deploy 5
www 5
sshuser 4
teamspea 4
ts 4
carla 3
ec2-user 3
factorio 3
linda 3
minecraf 3
music 3
mysql 3
owncloud 3
top_ip:
IP COUNTS COUNTRY
190.145.192.* 3 CO
1.116.73.* 2 CN
118.123.96.* 2 CN
130.185.77.* 2 IR
177.135.93.* 2 BR
222.139.245.* 2 CN
101.132.130.* 1 CN
101.251.219.* 1 CN
101.32.202.* 1 HK
101.32.206.* 1 HK
101.32.213.* 1 HK
101.34.4.* 1 CN
101.36.109.* 1 HK
101.36.119.* 1 HK
102.164.248.* 1 GQ
102.164.61.* 1 ZA
103.113.104.* 1 IN
103.117.180.* 1 IN
103.136.42.* 1 NL
server3, Russia, port 22
top_username:
USERNAME COUNTS
admin 10699
default 8990
MikroTik 8709
profile1 8389
user1 8223
user 8171
admin1 8132
ubnt 7910
web 7680
administ 7637
support 7274
tech 7106
demo 6904
telecoma 6841
test 779
oracle 680
postgres 538
guest 402
hadoop 383
testuser 271
top_ip:
IP COUNTS COUNTRY
102.222.235.* 280 UG
1.0.251.* 280 TH
103.113.0.* 280 IN
103.131.187.* 280 IN
103.134.223.* 280 ID
103.135.135.* 280 BD
103.135.216.* 280 MM
103.144.228.* 280 ID
103.156.42.* 280 VN
103.161.86.* 280 BD
103.197.112.* 280 IN
103.216.80.* 280 IN
103.221.208.* 280 IN
103.226.90.* 280 IN
103.36.101.* 280 BD
103.70.165.* 280 IN
103.78.208.* 280 ID
103.82.15.* 280 ID
103.86.19.* 280 IN
106.223.185.* 280 IN
server4, East Asia, port 22
top_username:
USERNAME COUNTS
admin 1766
test 790
oracle 589
user 587
postgres 394
guest 266
ftpuser 238
ubnt 236
pi 221
support 220
git 197
user1 187
vagrant 183
web 178
administ 175
demo 173
hadoop 165
admin1 153
deploy 153
teamspea 124
top_ip:
IP COUNTS COUNTRY
209.141.48.* 487 US
124.82.57.* 280 MY
125.160.113.* 280 ID
211.40.216.* 280 KR
31.171.71.* 280 AZ
171.97.9.* 279 TH
209.141.57.* 270 US
37.0.8.* 242 NL
171.227.8.* 208 VN
209.141.40.* 184 US
87.241.1.* 168 IT
124.79.244.* 123 CN
45.61.185.* 88 US
176.111.173.* 80 PL
176.111.173.* 74 EE
209.141.34.* 71 US
209.141.36.* 67 US
209.141.60.* 67 US
209.141.32.* 65 US
205.185.113.* 64 US
server5, East Asia, port 22
top_username:
USERNAME COUNTS
admin 4809
user 2085
test 1602
ubnt 1112
administ 964
oracle 964
support 960
web 953
user1 913
default 884
demo 861
postgres 854
admin1 790
tech 777
profile1 762
MikroTik 761
telecoma 759
guest 679
hadoop 557
git 550
top_ip:
IP COUNTS COUNTRY
185.246.130.* 2170 SE
31.184.198.* 1736 RU
45.141.84.* 1302 RU
116.98.171.* 694 VN
157.230.246.* 584 SG
134.209.236.* 345 DE
103.14.249.* 280 KH
103.146.170.* 280 IN
103.148.79.* 280 ID
103.81.194.* 280 ID
109.104.162.* 280 UA
14.241.38.* 280 VN
154.117.111.* 280 NG
182.71.160.* 280 IN
190.166.82.* 280 DO
201.171.209.* 280 MX
202.147.193.* 280 ID
36.90.207.* 280 ID
43.252.248.* 280 IN
45.225.123.* 280 BR
Roughly speaking, the findings are as follows:
- SSH brute-forcing is very serious; I have done these statistics before, and there are roughly tens of thousands of attempts every month.
- Common brute-forced usernames include the system-default series (admin, guest, user, default), the website series (www, web), the debugging series (demo, test), the database series (oracle, postgres, mysql), and so on. Interestingly, in Russia a lot of people are brute-forcing MikroTik (a router brand that had a major vulnerability a few years ago). There are also some silly-looking "minecraf" entries missing a "t", which I didn't understand, so I looked it up: early UNIX systems used 8 characters as the default maximum account-name length. Well, learned something new.
- The IP distribution doesn't seem to follow any pattern, but I don't know what's going on with the large number of exactly 280 attempts; is that the default number of tries in some brute-force script?
- A non-22 SSH port really does effectively prevent brute-forcing.