Jul 26 07:08:12 Azure-jay1an SSHd[130241]: Failed password for root from 119.202.128.28 port 33216 SSH2
Jul 26 07:09:01 Azure-jay1an SSHd[130247]: Failed password for invalid user testuser from 119.202.128.28 port 50334 SSH2
Jul 26 07:10:07 Azure-jay1an SSHd[130255]: Accepted password for user from 192.168.1.2 port 52326 SSH2
Jul 26 07:11:30 Azure-jay1an SSHd[130274]: Accepted publickey for admin from 203.0.113.42 port 51422 SSH2: RSA SHA256:...
Jul 26 07:12:22 Azure-jay1an SSHd[130284]: Failed publickey for root from 203.0.113.57 port 58231 SSH2: RSA SHA256:...
Jul 26 07:13:45 Azure-jay1an SSHd[130297]: Connection closed by 192.168.1.3 port 51130 [preauth]
Jul 26 07:14:11 Azure-jay1an SSHd[130308]: pam_unix(SSHd:session): session opened for user root by (uid=0)
Jul 26 07:15:09 Azure-jay1an SSHd[130318]: pam_unix(SSHd:session): session closed for user root
Jul 26 07:16:47 Azure-jay1an SSHd[130330]: Received disconnect from 198.51.100.14 port 53332:11: disconnected by user
Jul 26 07:17:33 Azure-jay1an SSHd[130338]: Received signal 15; terminating.
Jul 26 07:18:05 Azure-jay1an sudo: pam_unix(sudo:session): session opened for user root by someuser(uid=1000)
Jul 26 07:18:32 Azure-jay1an sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/bin/ls
Jul 26 07:19:07 Azure-jay1an sudo: pam_unix(sudo:session): session closed for user root
Jul 26 07:20:01 Azure-jay1an CRON[130350]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 26 07:21:05 Azure-jay1an CRON[130350]: pam_unix(cron:session): session closed for user root
Jul 26 07:21:45 Azure-jay1an SSHd[130360]: Invalid user guest from 198.51.100.7 port 60934
Jul 26 07:22:23 Azure-jay1an SSHd[130362]: Failed keyboard-interactive/pam for invalid user guest from 198.51.100.7 port 60934 SSH2
Jul 26 07:23:11 Azure-jay1an su[130374]: pam_unix(su:session): session opened for user root by someuser(uid=1000)
Jul 26 07:24:09 Azure-jay1an su[130374]: pam_unix(su:session): session closed for user root
Jul 26 07:25:10 Azure-jay1an gnome-keyring-daemon[130390]: The SSH agent was already initialized
Each record normally consists of the following parts:
Date and time: when the log entry was generated.
Hostname: the name of the machine that produced the log.
Service name and process ID: the service that wrote the entry and its process ID.
Message: the details describing the event.
Example:
Jul 26 07:08:12 Azure-jay1an SSHd[130241]: Failed password for root from 119.202.128.28 port 33216 SSH2
Jul 26 07:08:12: date and time
Azure-jay1an: hostname
SSHd[130241]: service name SSHd and process ID 130241
Failed password for root from 119.202.128.28 port 33216 SSH2: message content, meaning that host 119.202.128.28 failed to log in as root.
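To make the four-part structure concrete, here is an added example (my code, not from the original post) that parses auth.log lines into those fields and then goes one step further than the grep that follows: it groups failed-password events per source IP and flags any IP with several failures inside a short time window, which is the pattern a brute-force attempt leaves. The log lines inside SAMPLE_LOG are constructed for this example (addresses follow the shape of the ones above but are not real traffic); the service name is matched case-insensitively because real syslog writes sshd in lowercase while the excerpts above show SSHd. The threshold and window values are assumptions you would tune for your own host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the auth.log layout described above (not real traffic).
SAMPLE_LOG = """\
Jul 26 07:08:12 Azure-jay1an sshd[130241]: Failed password for root from 119.202.128.28 port 33216 ssh2
Jul 26 07:08:15 Azure-jay1an sshd[130243]: Failed password for invalid user testuser from 119.202.128.28 port 33240 ssh2
Jul 26 07:08:19 Azure-jay1an sshd[130245]: Failed password for root from 119.202.128.28 port 33260 ssh2
Jul 26 07:10:07 Azure-jay1an sshd[130255]: Accepted password for user from 192.168.1.2 port 52326 ssh2
Jul 26 07:18:32 Azure-jay1an sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/bin/ls
Jul 26 07:37:21 Azure-jay1an sshd[131253]: Failed password for root from 104.248.129.160 port 44810 ssh2
"""

# Header: "<Mon> <day> <HH:MM:SS> <host> <service>[<pid>]: <message>"; the [pid] part is optional
# (sudo writes none). The service name stops at '[' or ':'.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<service>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message body of a password failure; "invalid user " is present when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line):
    """Split one auth.log line into timestamp, host, service, pid and message."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    # syslog omits the year; a 1900 default is fine for ordering within one file.
    rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    return rec


def parse_failed_password(rec):
    """Extract user, source IP and port from an sshd 'Failed password' record, else None."""
    if rec is None or rec["service"].lower() != "sshd":
        return None
    m = FAILED_RE.search(rec["msg"])
    if not m:
        return None
    return {
        "user": m["user"],
        "invalid_user": m["invalid"] is not None,
        "ip": m["ip"],
        "port": int(m["port"]),
        "time": rec["time"],
    }


def find_bursts(lines, threshold=3, window_seconds=60):
    """Return {ip: total_failures} for IPs with >= threshold failures within any window_seconds span.

    threshold and window_seconds are assumed defaults, not values from the original post.
    """
    per_ip = defaultdict(list)
    for line in lines:
        event = parse_failed_password(parse_line(line))
        if event:
            per_ip[event["ip"]].append(event["time"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed password attempts in a burst")
```

Pointing the same functions at an open /var/log/auth.log instead of SAMPLE_LOG.splitlines() works unchanged; the per-IP window is what separates a user mistyping a password twice from a host cycling through accounts every few seconds.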
Filtering failed SSH connections with grep
You can use grep to pull out every failed SSH connection attempt recorded in the log.
grep 'SSHd.*Failed password' /var/log/auth.log
After running this command, the terminal prints a large amount of output, showing that many hosts are trying to brute-force my SSH service.
A portion of the records:
Jul 26 07:13:07 Azure-jay1an SSHd[130272]: Failed password for invalid user devops from 187.251.123.99 port 35058 SSH2
Jul 26 07:14:02 Azure-jay1an SSHd[130274]: Failed password for root from 187.251.123.99 port 54888 SSH2
Jul 26 07:21:20 Azure-jay1an SSHd[130286]: Failed password for invalid user admin from 111.70.9.148 port 60815 SSH2
Jul 26 07:23:37 Azure-jay1an SSHd[130293]: Failed password for invalid user admin from 208.48.253.178 port 58872 SSH2
Jul 26 07:23:43 Azure-jay1an SSHd[130297]: Failed password for invalid user admin from 60.167.19.30 port 59719 SSH2
Jul 26 07:30:10 Azure-jay1an SSHd[131231]: Failed password for invalid user config from 116.235.180.116 port 48617 SSH2
Jul 26 07:37:17 Azure-jay1an SSHd[131251]: Failed password for invalid user user from 118.218.209.149 port 52664 SSH2
Jul 26 07:37:21 Azure-jay1an SSHd[131253]: Failed password for root from 104.248.129.160 port 44810 SSH2
Jul 26 07:37:52 Azure-jay1an SSHd[131259]: Failed password for invalid user admin from 223.197.199.52 port 44007 SSH2
Jul 27 09:58:27 Azure-jay1an SSHd[136025]: Failed password for root from 110.191.181.36 port 53809 SSH2
import json
import random
import re
import time
from collections import defaultdict

import requests

# Counters for failed attempts per username and per source IP, and the geolocation cache
user_attempts = defaultdict(int)
ip_attempts = defaultdict(int)
ip_cache = {}

# Regular expression patterns
user_pattern = re.compile(r'Failed password for (invalid user )?(\w+)')
ip_pattern = re.compile(r'from ([\d\.]+)')

# Read the auth.log file
with open('/var/log/auth.log', 'r') as file:
    for line in file:
        # Find the username
        user_match = user_pattern.search(line)
        if user_match:
            user = user_match.group(2)
            user_attempts[user] += 1
            # Find the IP address; only counted for failed-password lines, otherwise
            # 'Accepted ... from <ip>' lines would inflate the attacker counts
            ip_match = ip_pattern.search(line)
            if ip_match:
                ip = ip_match.group(1)
                ip_attempts[ip] += 1


# Load cached IP location data from a file
def load_ip_cache(filename='ip_cache.json'):
    global ip_cache
    try:
        with open(filename, 'r') as f:
            ip_cache = json.load(f)
    except FileNotFoundError:
        ip_cache = {}


# Save IP location data to the cache file
def save_ip_cache(filename='ip_cache.json'):
    with open(filename, 'w') as f:
        json.dump(ip_cache, f)


# Look up the geolocation of an IP address
def get_ip_location(ip):
    if ip in ip_cache:
        return ip_cache[ip]
    # A timeout keeps the script from hanging if the API stalls
    response = requests.get(f"https://ipinfo.io/{ip}/json", timeout=10)
    time.sleep(random.uniform(0.3, 1))  # Random delay between requests to avoid hammering the API
    if response.status_code == 200:
        ip_cache[ip] = response.json()
        return ip_cache[ip]
    return {}
The configuration for Cowrie is stored in cowrie.cfg.dist and cowrie.cfg (located in cowrie/etc). Both files are read on startup, and entries from cowrie.cfg take precedence. The .dist file can be overwritten by upgrades; cowrie.cfg will not be touched. To run with a standard configuration, there is no need to change anything.
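The two-file layout above is a common overlay pattern: shipped defaults in one file, local changes in another, later file wins per key. The following added example (my own, not Cowrie's code) shows how that precedence behaves when both files are read in order with Python's configparser, and adds a small helper that reports exactly which keys the local file overrides, which is what you want to review before an upgrade replaces the .dist file. The section names and values in the two sample files are constructed stand-ins, not Cowrie's real defaults; only the file names come from the text above.

```python
import configparser
import os
import tempfile

# Constructed stand-in for cowrie.cfg.dist: the shipped defaults (values are made up).
DIST_CFG = """\
[honeypot]
hostname = svr04
log_path = var/log/cowrie

[ssh]
enabled = true
listen_port = 2222
"""

# Constructed stand-in for cowrie.cfg: only the keys the operator wants to change.
LOCAL_CFG = """\
[honeypot]
hostname = webserver01
"""


def load_layered_config(dist_text, local_text):
    """Write both files into a temp etc/ dir and read them in .dist-then-local order."""
    with tempfile.TemporaryDirectory() as etc:
        dist_path = os.path.join(etc, "cowrie.cfg.dist")
        local_path = os.path.join(etc, "cowrie.cfg")
        with open(dist_path, "w") as f:
            f.write(dist_text)
        with open(local_path, "w") as f:
            f.write(local_text)
        cfg = configparser.ConfigParser()
        # read() processes the list in order; a key set in a later file replaces the
        # earlier value, and keys absent from the later file keep their defaults.
        cfg.read([dist_path, local_path])
    return cfg


def effective_value(cfg, section, key):
    """The value Cowrie-style layering would actually use for section/key."""
    return cfg.get(section, key)


def overrides(dist_text, local_text):
    """List (section, key, default, local) for every key the local file changes."""
    dist = configparser.ConfigParser()
    dist.read_string(dist_text)
    local = configparser.ConfigParser()
    local.read_string(local_text)
    changed = []
    for section in local.sections():
        for key, value in local.items(section):
            if dist.has_option(section, key) and dist.get(section, key) != value:
                changed.append((section, key, dist.get(section, key), value))
    return changed


if __name__ == "__main__":
    cfg = load_layered_config(DIST_CFG, LOCAL_CFG)
    print("effective hostname:", effective_value(cfg, "honeypot", "hostname"))
    print("effective ssh port:", effective_value(cfg, "ssh", "listen_port"))
    for section, key, default, local in overrides(DIST_CFG, LOCAL_CFG):
        print(f"[{section}] {key}: {default} -> {local}")
```

Keeping cowrie.cfg down to the overridden keys, as the sample does, is what makes the upgrade story work: the .dist file can change freely and the overrides() report stays short enough to check by eye.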
~/cowrie$ sudo docker ps
CONTAINER ID   IMAGE           COMMAND                  CREATED       STATUS          PORTS                                                NAMES
039b3420c979   cowrie_cowrie   "/cowrie/cowrie-env/…"   7 hours ago   Up 46 minutes   0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 2223/tcp   cowrie_cowrie_1

~/MySQL$ sudo docker ps
CONTAINER ID   IMAGE           COMMAND                  CREATED             STATUS            PORTS                                                NAMES
dfb2032ec83c   MySQL:8.0       "docker-entrypoint.s…"   About an hour ago   Up About an hour   0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 33060/tcp   MySQL_container
039b3420c979   cowrie_cowrie   "/cowrie/cowrie-env/…"   7 hours ago         Up 59 minutes      0.0.0.0:2222->2222/tcp, :::2222->2222/tcp, 2223/tcp    cowrie_cowrie_1