Overview
I was running a Minecraft server on OCI, got DDoSed, and someone logged in over SSH without authorization.
This is a heads-up for others and a warning to my future self.
Timeline
1: Late last night (2024/3/02) there was a login to my OCI Minecraft server (a personal server) using my account (I had carelessly been RDPing into that server for a while to run experiments, and had logged into the Minecraft Launcher there...)
2: A panicked friend stops the server and waits for me to wake up
3: I wake up (around 10 AM on 3/3), see my friend's messages, and panic hard
4: Change my Microsoft account password
5: Past me, who understood nothing, goes around checking and "fixing" completely unrelated security settings
6: Look at the SSH logs (around 1 PM on 3/3)
7: Find this (I'm not going to bother hiding the IP addresses anymore; whoever is attacking is the one in the wrong!)
Mar 3 04:32:59 trial-test-server sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=584788)
Mar 3 04:32:59 trial-test-server sudo: pam_unix(sudo:session): session closed for user root
Mar 3 04:33:00 trial-test-server sshd[1992]: Invalid user user from 180.149.242.18 port 62686
Mar 3 04:33:00 trial-test-server sshd[1992]: Connection closed by invalid user user 180.149.242.18 port 62686 [preauth]
Mar 3 04:33:02 trial-test-server sshd[1994]: Invalid user liwei from 43.134.174.176 port 42708
Mar 3 04:33:02 trial-test-server sshd[1994]: Received disconnect from 43.134.174.176 port 42708:11: Bye Bye [preauth]
Mar 3 04:33:02 trial-test-server sshd[1994]: Disconnected from invalid user liwei 43.134.174.176 port 42708 [preauth]
Mar 3 04:33:05 trial-test-server sshd[1998]: Invalid user user from 175.124.222.22 port 64375
Mar 3 04:33:05 trial-test-server sshd[1998]: Connection closed by invalid user user 175.124.222.22 port 64375 [preauth]
Mar 3 04:33:12 trial-test-server sshd[2000]: Received disconnect from 147.45.42.164 port 19346:11: Bye Bye [preauth]
Mar 3 04:33:12 trial-test-server sshd[2000]: Disconnected from authenticating user root 147.45.42.164 port 19346 [preauth]
Mar 3 04:33:22 trial-test-server sshd[2006]: Invalid user user from 180.149.242.18 port 63513
Mar 3 04:33:22 trial-test-server sshd[2004]: Invalid user rotary from 175.24.244.173 port 49648
Mar 3 04:33:22 trial-test-server sshd[2006]: Connection closed by invalid user user 180.149.242.18 port 63513 [preauth]
Mar 3 04:33:22 trial-test-server sshd[2004]: Received disconnect from 175.24.244.173 port 49648:11: Bye Bye [preauth]
Mar 3 04:33:22 trial-test-server sshd[2004]: Disconnected from invalid user rotary 175.24.244.173 port 49648 [preauth]
Mar 3 04:33:30 trial-test-server sshd[2008]: Invalid user hc from 159.65.151.241 port 46694
Mar 3 04:33:30 trial-test-server sshd[2008]: Received disconnect from 159.65.151.241 port 46694:11: Bye Bye [preauth]
Mar 3 04:33:30 trial-test-server sshd[2008]: Disconnected from invalid user hc 159.65.151.241 port 46694 [preauth]
Mar 3 04:33:31 trial-test-server sshd[2010]: Invalid user user from 175.124.222.22 port 62837
Mar 3 04:33:31 trial-test-server sshd[2010]: Connection closed by invalid user user 175.124.222.22 port 62837 [preauth]
Mar 3 04:33:44 trial-test-server sshd[2016]: Invalid user user from 180.149.242.18 port 64789
Mar 3 04:33:44 trial-test-server sshd[2016]: Connection closed by invalid user user 180.149.242.18 port 64789 [preauth]
Mar 3 04:33:54 trial-test-server sshd[2019]: Invalid user operator from 92.52.146.18 port 37410
Mar 3 04:33:54 trial-test-server sshd[2019]: Connection closed by invalid user operator 92.52.146.18 port 37410 [preauth]
Mar 3 04:33:57 trial-test-server sshd[2021]: Invalid user user from 175.124.222.22 port 62722
Mar 3 04:33:57 trial-test-server sshd[2021]: Connection closed by invalid user user 175.124.222.22 port 62722 [preauth]
8: "Huh!?" I frantically check the SSH config → nothing is configured at all, and I despair
9: Open /etc/hosts.deny and /etc/hosts.allow in vi and configure them
10: Block all traffic from every IP except my own
For reference, the files look like this
/etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
sshd: all
/etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
sshd: <the IP addresses to allow, separated by single-byte spaces>
11: Check the logs and breathe a sigh of relief
Log
Mar 3 05:14:31 trial-test-server sshd[3112]: refused connect from 159.65.151.241 (159.65.151.241)
Mar 3 05:14:32 trial-test-server sshd[3113]: refused connect from 43.134.174.176 (43.134.174.176)
Mar 3 05:14:33 trial-test-server sshd[3114]: refused connect from 175.24.244.173 (175.24.244.173)
Mar 3 05:14:40 trial-test-server sshd[3115]: refused connect from 43.131.228.97 (43.131.228.97)
Mar 3 05:14:45 trial-test-server sshd[3116]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:14:49 trial-test-server sshd[3118]: refused connect from 104.248.8.224 (104.248.8.224)
Mar 3 05:14:50 trial-test-server sshd[3119]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:15:06 trial-test-server sshd[3120]: refused connect from 124.221.143.204 (124.221.143.204)
Mar 3 05:15:07 trial-test-server sshd[3121]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:15:10 trial-test-server sshd[3122]: refused connect from 43.131.26.94 (43.131.26.94)
Mar 3 05:15:16 trial-test-server sshd[3123]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:15:19 trial-test-server sshd[3124]: refused connect from 103.14.33.106 (103.14.33.106)
Mar 3 05:15:29 trial-test-server sshd[3125]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:15:41 trial-test-server sshd[3126]: refused connect from 175.24.244.173 (175.24.244.173)
Mar 3 05:15:42 trial-test-server sshd[3127]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:15:51 trial-test-server sshd[3129]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:16:00 trial-test-server sshd[3130]: refused connect from 124.221.143.204 (124.221.143.204)
Mar 3 05:16:02 trial-test-server sshd[3131]: refused connect from 159.65.151.241 (159.65.151.241)
Mar 3 05:16:09 trial-test-server sshd[3132]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:16:09 trial-test-server sshd[3133]: refused connect from 43.131.228.97 (43.131.228.97)
Mar 3 05:16:18 trial-test-server sshd[3134]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:16:35 trial-test-server sshd[3135]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:16:36 trial-test-server sshd[3136]: refused connect from 167.71.85.57 (167.71.85.57)
Mar 3 05:16:36 trial-test-server sshd[3137]: refused connect from 43.134.174.176 (43.134.174.176)
Mar 3 05:16:40 trial-test-server sshd[3138]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:16:45 trial-test-server sshd[3139]: refused connect from 103.14.33.106 (103.14.33.106)
Mar 3 05:16:48 trial-test-server sshd[3141]: refused connect from 175.24.244.173 (175.24.244.173)
Mar 3 05:16:57 trial-test-server sshd[3142]: refused connect from 124.221.143.204 (124.221.143.204)
Mar 3 05:16:59 trial-test-server sshd[3143]: refused connect from 124.41.240.56 (124.41.240.56)
Mar 3 05:17:00 trial-test-server sshd[3144]: refused connect from 43.131.26.94 (43.131.26.94)
Mar 3 05:17:01 trial-test-server sshd[3145]: refused connect from 175.124.222.22 (175.124.222.22)
Mar 3 05:17:01 trial-test-server CRON[3146]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Mar 3 05:17:01 trial-test-server CRON[3146]: pam_unix(cron:session): session closed for user root
Mar 3 05:17:02 trial-test-server sshd[3149]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:17:23 trial-test-server sshd[3151]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:17:27 trial-test-server sshd[3152]: refused connect from 175.124.222.22 (175.124.222.22)
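To make the two log excerpts and the hosts.allow / hosts.deny rules concrete, here is an added example (my own code, not the author's) that does two things: it counts the failed-login attempts per source IP in lines shaped like the first excerpt, and it replays the hosts_access(5) decision order (hosts.allow first, then hosts.deny, otherwise allow) against those IPs for both the "nothing configured" state the author found and the rules the author then wrote. The sample log lines are constructed from the excerpts above, 203.0.113.7 is a documentation-range placeholder standing in for the author's real IP, and the rule parser is an assumption-level simplification that handles only plain IPs, CIDR prefixes and the ALL wildcard, not the full hosts_access(5) grammar (no EXCEPT, netgroups or hostnames).

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed samples in the shape of the post's own sshd lines (hostname and
# source IPs taken from the excerpts above; only a handful of lines are kept).
BEFORE_LOG = """\
Mar 3 04:33:00 trial-test-server sshd[1992]: Invalid user user from 180.149.242.18 port 62686
Mar 3 04:33:00 trial-test-server sshd[1992]: Connection closed by invalid user user 180.149.242.18 port 62686 [preauth]
Mar 3 04:33:02 trial-test-server sshd[1994]: Invalid user liwei from 43.134.174.176 port 42708
Mar 3 04:33:12 trial-test-server sshd[2000]: Disconnected from authenticating user root 147.45.42.164 port 19346 [preauth]
Mar 3 04:33:22 trial-test-server sshd[2006]: Invalid user user from 180.149.242.18 port 63513
Mar 3 04:33:30 trial-test-server sshd[2008]: Invalid user hc from 159.65.151.241 port 46694
Mar 3 04:33:44 trial-test-server sshd[2016]: Invalid user user from 180.149.242.18 port 64789
"""
AFTER_LOG = """\
Mar 3 05:14:31 trial-test-server sshd[3112]: refused connect from 159.65.151.241 (159.65.151.241)
Mar 3 05:14:45 trial-test-server sshd[3116]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:15:07 trial-test-server sshd[3121]: refused connect from 180.149.242.18 (180.149.242.18)
Mar 3 05:17:01 trial-test-server CRON[3146]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Invalid user X from IP": the username does not exist on the host.
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IPV4 + r" port \d+$")
# "Disconnected from authenticating user X IP": the account exists (here: root) but auth failed.
AUTHFAIL_RE = re.compile(r"sshd\[\d+\]: Disconnected from authenticating user (\S+) " + IPV4 + r" port \d+")
# libwrap's message once hosts.deny is in force: the connection is dropped before authentication.
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from " + IPV4)


def summarize_attempts(log_text):
    """Map source IP -> Counter of usernames tried. The lowercase 'invalid user'
    follow-up lines are deliberately not matched, so each attempt counts once."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = INVALID_RE.search(line) or AUTHFAIL_RE.search(line)
        if m:
            attempts[m.group(2)][m.group(1)] += 1
    return attempts


def refused_by_ip(log_text):
    """Count 'refused connect from' lines per source IP (non-sshd lines are ignored)."""
    return Counter(m.group(1) for m in map(REFUSED_RE.search, log_text.splitlines()) if m)


def parse_hosts_file(text):
    """Parse 'daemon_list : client_list' lines from hosts.allow / hosts.deny.
    Assumption: only plain IPs, CIDR prefixes and the ALL wildcard are handled,
    not the full hosts_access(5) grammar (no EXCEPT, netgroups or hostnames)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.replace(",", " ").lower().split(),
                      clients.replace(",", " ").split()))
    return rules


def _client_matches(pattern, ip):
    if pattern.lower() == "all":            # tcp_wrappers compares keywords case-insensitively
        return True
    if "/" in pattern:                      # CIDR form, e.g. 203.0.113.0/24
        return ip_address(ip) in ip_network(pattern, strict=False)
    return pattern == ip


def hosts_access(daemon, ip, allow_text, deny_text):
    """Apply hosts_access(5) ordering: the first match in hosts.allow grants access,
    then the first match in hosts.deny refuses it, and no match at all means allow."""
    for rules, verdict in ((parse_hosts_file(allow_text), True),
                           (parse_hosts_file(deny_text), False)):
        for daemons, clients in rules:
            if (daemon in daemons or "all" in daemons) and any(_client_matches(c, ip) for c in clients):
                return verdict
    return True


# The post's own rules. 203.0.113.7 is a documentation-range placeholder for the admin's real IP.
MY_IP = "203.0.113.7"
AUTHOR_DENY = "sshd: all\n"
AUTHOR_ALLOW = f"sshd: {MY_IP}\n"
EMPTY = ""   # the state the author found first: no rules at all, so every client is allowed


def verdicts(ips, allow_text, deny_text):
    """True = sshd accepts the connection, False = libwrap refuses it."""
    return {ip: hosts_access("sshd", ip, allow_text, deny_text) for ip in ips}


if __name__ == "__main__":
    attempts = summarize_attempts(BEFORE_LOG)
    for ip, users in sorted(attempts.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{ip:16} {sum(users.values())} attempts, users tried: {dict(users)}")
    print("before (empty files):", verdicts(attempts, EMPTY, EMPTY))
    print("after  (allow/deny): ", verdicts(list(attempts) + [MY_IP], AUTHOR_ALLOW, AUTHOR_DENY))
    print("refused per IP:", dict(refused_by_ip(AFTER_LOG)))
```

Two things worth keeping in mind when reading the output. First, hosts.allow and hosts.deny only reach services that are linked against libwrap; the `refused connect from` lines in the post show that sshd on this host is, but the rules are per daemon, so `sshd: all` in hosts.deny says nothing about any other service on the box. Second, libwrap refuses the connection only after sshd has already accepted the TCP handshake, so a network-level rule (the cloud security list or a host firewall) that limits port 22 to your own address is a worthwhile second layer that keeps the noise out of the log altogether.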
12: "Oh, I should write this up on Qiita!" ← which is where we are now
Thoughts
The IPs are mostly from China, India, the US and so on, so I'm guessing it's a DDoS, or a DoS through proxies. Though there's also the question of why anyone would bother doing that to us.
It drops off a cliff all at once... you can gauge the scale of the attack from that.
Conclusion
Seriously, restrict SSH to specific IPs. This is what happens otherwise. Luckily the bill didn't change, so that much is fine.
If anyone with expertise knows what legal action should be taken in a situation like this, please let me know.
Well then, thank you for reading! I hope this was helpful.
Comments and corrections are welcome!