Server slow, strange logs

druckgott

New Member
Hello, for about 4 hours the server has kept getting slow. The page is extremely hard to reach. I have already looked with top, but nothing is running that pushes the CPU up in any way.

However, I have now found this in my mail logs:

Code:
Jul 18 18:05:23 h1222138 named[17533]: zone localhost/IN: loaded serial 42
Jul 18 18:05:23 h1222138 named[17533]: running
Jul 18 18:08:11 h1222138 /usr/sbin/cron[17918]: (CRON) STARTUP (V5.0)
Jul 18 18:08:27 h1222138 wdcollect[17955]: Language de-DE is used for sending e-mail messages.
Jul 18 18:08:28 h1222138 wdcollect[17955]: Database server connection has been established.
Jul 18 18:08:28 h1222138 wdcollect[17955]: Server started.
Jul 18 18:10:01 h1222138 /usr/sbin/cron[18071]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Jul 18 18:10:24 h1222138 sshd[18096]: Accepted keyboard-interactive/pam for root from 77.4.58.239 port 2821 ssh2
Jul 18 18:10:25 h1222138 sshd[18096]: subsystem request for sftp
Jul 18 18:15:01 h1222138 /usr/sbin/cron[18333]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Jul 18 18:15:01 h1222138 /usr/sbin/cron[18337]: (root) CMD (/usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1)
Jul 18 18:20:01 h1222138 /usr/sbin/cron[19753]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Jul 18 18:22:36 h1222138 sshd[19828]: Accepted keyboard-interactive/pam for root from 77.4.58.239 port 3390 ssh2
Jul 18 18:22:36 h1222138 sshd[19828]: subsystem request for sftp
Jul 18 18:24:56 h1222138 sshd[19953]: Invalid user bus from 212.227.80.72
Jul 18 18:24:57 h1222138 sshd[19956]: Invalid user buzzz from 212.227.80.72
Jul 18 18:24:58 h1222138 sshd[19960]: Invalid user buz from 212.227.80.72
Jul 18 18:24:58 h1222138 sshd[19962]: Invalid user buzz from 212.227.80.72
Jul 18 18:24:59 h1222138 sshd[19964]: Invalid user bird from 212.227.80.72
Jul 18 18:25:00 h1222138 sshd[19970]: Invalid user stat from 212.227.80.72
Jul 18 18:25:01 h1222138 sshd[19972]: Invalid user tara from 212.227.80.72
Jul 18 18:25:01 h1222138 /usr/sbin/cron[20004]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Jul 18 18:25:01 h1222138 sshd[20000]: Invalid user europa from 212.227.80.72
Jul 18 18:25:02 h1222138 sshd[20005]: Invalid user rusia from 212.227.80.72
Jul 18 18:25:03 h1222138 sshd[20007]: Invalid user moscova from 212.227.80.72
Jul 18 18:25:04 h1222138 sshd[20009]: Invalid user alex from 212.227.80.72
Jul 18 18:25:04 h1222138 sshd[20011]: Invalid user susanu from 212.227.80.72
Jul 18 18:25:05 h1222138 sshd[20013]: Invalid user iubire from 212.227.80.72
Jul 18 18:25:06 h1222138 sshd[20015]: Invalid user iubi from 212.227.80.72
Jul 18 18:25:07 h1222138 sshd[20018]: Invalid user uby from 212.227.80.72
Jul 18 18:25:08 h1222138 sshd[20020]: Invalid user pustoaica from 212.227.80.72
Jul 18 18:25:08 h1222138 sshd[20022]: Invalid user nevasta from 212.227.80.72
Jul 18 18:25:09 h1222138 sshd[20024]: Invalid user boala from 212.227.80.72
Jul 18 18:25:10 h1222138 sshd[20026]: Invalid user dave from 212.227.80.72
Jul 18 18:25:11 h1222138 sshd[20028]: Invalid user ventas from 212.227.80.72
Jul 18 18:25:11 h1222138 sshd[20030]: Invalid user venus from 212.227.80.72
Jul 18 18:25:12 h1222138 sshd[20032]: Invalid user amanta from 212.227.80.72
Jul 18 18:25:13 h1222138 sshd[20034]: Invalid user amant from 212.227.80.72
Jul 18 18:25:14 h1222138 sshd[20036]: Invalid user geta from 212.227.80.72
Jul 18 18:25:14 h1222138 sshd[20039]: Invalid user otilia from 212.227.80.72
Jul 18 18:25:15 h1222138 sshd[20041]: Invalid user neamt from 212.227.80.72
Jul 18 18:25:16 h1222138 sshd[20043]: Invalid user germania from 212.227.80.72
Jul 18 18:25:17 h1222138 sshd[20045]: Invalid user german from 212.227.80.72
Jul 18 18:25:18 h1222138 sshd[20047]: Invalid user mine from 212.227.80.72
Jul 18 18:25:18 h1222138 sshd[20049]: Invalid user mina from 212.227.80.72
Jul 18 18:25:19 h1222138 sshd[20051]: Invalid user resita from 212.227.80.72
Jul 18 18:25:20 h1222138 sshd[20053]: Invalid user galati from 212.227.80.72
Jul 18 18:25:21 h1222138 sshd[20055]: Invalid user sibiu from 212.227.80.72
Jul 18 18:25:22 h1222138 sshd[20058]: Invalid user buc from 212.227.80.72
Jul 18 18:25:24 h1222138 sshd[20060]: Invalid user bucuresti from 212.227.80.72
Jul 18 18:25:27 h1222138 sshd[20062]: Invalid user filipesti from 212.227.80.72
Jul 18 18:25:28 h1222138 sshd[20064]: Invalid user cafe from 212.227.80.72
Jul 18 18:25:29 h1222138 sshd[20066]: Invalid user su from 212.227.80.72
Jul 18 18:25:30 h1222138 sshd[20068]: Invalid user harward from 212.227.80.72
Jul 18 18:25:31 h1222138 sshd[20070]: Invalid user scoala from 212.227.80.72
Jul 18 18:25:32 h1222138 sshd[20072]: Invalid user boy from 212.227.80.72
Jul 18 18:25:32 h1222138 sshd[20074]: Invalid user girl from 212.227.80.72
Jul 18 18:25:35 h1222138 sshd[20076]: Invalid user status from 212.227.80.72
Jul 18 18:25:45 h1222138 sshd[20078]: Invalid user staudacher from 212.227.80.72
Jul 18 18:25:46 h1222138 sshd[20086]: Invalid user staudinger from 212.227.80.72
Jul 18 18:25:46 h1222138 sshd[20088]: Invalid user staudt from 212.227.80.72
Jul 18 18:25:47 h1222138 sshd[20090]: Invalid user staudte from 212.227.80.72
Jul 18 18:25:48 h1222138 sshd[20092]: Invalid user stauf from 212.227.80.72
Jul 18 18:25:48 h1222138 sshd[20094]: Invalid user staufenberg from 212.227.80.72
Jul 18 18:25:49 h1222138 sshd[20096]: Invalid user staufenbiel from 212.227.80.72
Jul 18 18:25:50 h1222138 sshd[20098]: Invalid user staufer from 212.227.80.72
Jul 18 18:25:51 h1222138 sshd[20100]: Invalid user stauffer from 212.227.80.72
Jul 18 18:25:51 h1222138 sshd[20102]: Invalid user staurnes from 212.227.80.72
Jul 18 18:25:52 h1222138 sshd[20104]: Invalid user stauss from 212.227.80.72
Jul 18 18:25:53 h1222138 sshd[20106]: Invalid user stautland from 212.227.80.72
Jul 18 18:25:54 h1222138 sshd[20108]: Invalid user stav from 212.227.80.72
Jul 18 18:25:55 h1222138 sshd[20110]: Invalid user stavang from 212.227.80.72
Jul 18 18:25:56 h1222138 sshd[20112]: Invalid user stavdahl from 212.227.80.72
Jul 18 18:25:57 h1222138 sshd[20114]: Invalid user stave from 212.227.80.72
Jul 18 18:25:57 h1222138 sshd[20116]: Invalid user stavek from 212.227.80.72
Jul 18 18:25:58 h1222138 sshd[20118]: Invalid user staveland from 212.227.80.72
Jul 18 18:25:59 h1222138 sshd[20120]: Invalid user staveli from 212.227.80.72
Jul 18 18:26:00 h1222138 sshd[20122]: Invalid user stavely from 212.227.80.72
Jul 18 18:26:00 h1222138 sshd[20124]: Invalid user stavig from 212.227.80.72
Jul 18 18:26:01 h1222138 sshd[20126]: Invalid user stavis from 212.227.80.72
Jul 18 18:26:02 h1222138 sshd[20128]: Invalid user stavish from 212.227.80.72
Jul 18 18:26:03 h1222138 sshd[20131]: Invalid user stavro from 212.227.80.72
Jul 18 18:26:03 h1222138 sshd[20133]: Invalid user stavros from 212.227.80.72
Jul 18 18:26:04 h1222138 sshd[20135]: Invalid user stavrum from 212.227.80.72
Jul 18 18:26:05 h1222138 sshd[20139]: Invalid user stavseth from 212.227.80.72
Jul 18 18:26:05 h1222138 sshd[20143]: Invalid user stawarz from 212.227.80.72
Jul 18 18:26:06 h1222138 sshd[20145]: Invalid user stawicki from 212.227.80.72
Jul 18 18:26:07 h1222138 sshd[20147]: Invalid user stawitcke from 212.227.80.72
Jul 18 18:26:08 h1222138 sshd[20149]: Invalid user stawski from 212.227.80.72
Jul 18 18:26:08 h1222138 sshd[20151]: Invalid user stayer from 212.227.80.72
Jul 18 18:26:09 h1222138 sshd[20153]: Invalid user stayton from 212.227.80.72
Jul 18 18:26:10 h1222138 sshd[20155]: Invalid user stazo from 212.227.80.72
Jul 18 18:26:11 h1222138 sshd[20157]: Invalid user stby from 212.227.80.72
Jul 18 18:26:11 h1222138 sshd[20159]: Invalid user stbye from 212.227.80.72
Jul 18 18:26:12 h1222138 sshd[20161]: Invalid user stclair from 212.227.80.72
Jul 18 18:26:13 h1222138 sshd[20163]: Invalid user stctest from 212.227.80.72
Jul 18 18:26:14 h1222138 sshd[20165]: Invalid user stds from 212.227.80.72
Jul 18 18:26:14 h1222138 sshd[20167]: Invalid user ste from 212.227.80.72
Jul 18 18:26:15 h1222138 sshd[20169]: Invalid user teacher from 212.227.80.72
Jul 18 18:26:16 h1222138 sshd[20171]: Invalid user director from 212.227.80.72
Jul 18 18:26:17 h1222138 sshd[20173]: Invalid user femeie from 212.227.80.72
Jul 18 18:26:18 h1222138 sshd[20175]: Invalid user domn from 212.227.80.72
Jul 18 18:26:18 h1222138 sshd[20177]: Invalid user zeu from 212.227.80.72
Jul 18 18:26:19 h1222138 sshd[20180]: Invalid user elev from 212.227.80.72
Jul 18 18:26:20 h1222138 sshd[20182]: Invalid user eleva from 212.227.80.72
Jul 18 18:26:20 h1222138 sshd[20184]: Invalid user profesoara from 212.227.80.72
Jul 18 18:26:21 h1222138 sshd[20186]: Invalid user liviu from 212.227.80.72
Jul 18 18:26:22 h1222138 sshd[20188]: Invalid user vlad from 212.227.80.72
Jul 18 18:26:23 h1222138 sshd[20190]: Invalid user vlad from 212.227.80.72
Jul 18 18:26:24 h1222138 sshd[20192]: Invalid user tom from 212.227.80.72
Jul 18 18:26:25 h1222138 sshd[20194]: Invalid user max from 212.227.80.72
Jul 18 18:26:25 h1222138 sshd[20196]: Invalid user max from 212.227.80.72
Jul 18 18:26:26 h1222138 sshd[20198]: Invalid user tarzan from 212.227.80.72
Jul 18 18:26:27 h1222138 sshd[20201]: Invalid user strut from 212.227.80.72
Jul 18 18:26:28 h1222138 sshd[20203]: Invalid user gaina from 212.227.80.72
Jul 18 18:26:28 h1222138 sshd[20205]: Invalid user ospatar from 212.227.80.72
Jul 18 18:26:29 h1222138 sshd[20207]: Invalid user spart from 212.227.80.72
Jul 18 18:26:30 h1222138 sshd[20209]: Invalid user hacked from 212.227.80.72
Jul 18 18:26:31 h1222138 sshd[20211]: Invalid user gl from 212.227.80.72
Jul 18 18:26:31 h1222138 sshd[20214]: Invalid user sb from 212.227.80.72
Jul 18 18:26:32 h1222138 sshd[20216]: Invalid user slb from 212.227.80.72
Jul 18 18:26:33 h1222138 sshd[20218]: Invalid user porto from 212.227.80.72
Jul 18 18:26:34 h1222138 sshd[20220]: Invalid user lisabona from 212.227.80.72
Jul 18 18:26:34 h1222138 sshd[20222]: Invalid user alges from 212.227.80.72
Jul 18 18:26:35 h1222138 sshd[20224]: Invalid user amadora from 212.227.80.72
Jul 18 18:26:36 h1222138 sshd[20226]: Invalid user sete from 212.227.80.72
Jul 18 18:26:37 h1222138 sshd[20228]: Invalid user um from 212.227.80.72
Jul 18 18:26:38 h1222138 sshd[20230]: Invalid user dois from 212.227.80.72
Jul 18 18:26:38 h1222138 sshd[20232]: Invalid user treis from 212.227.80.72
Jul 18 18:26:39 h1222138 sshd[20234]: Invalid user nove from 212.227.80.72
Jul 18 18:26:40 h1222138 sshd[20236]: Invalid user alo from 212.227.80.72
Jul 18 18:26:41 h1222138 sshd[20239]: Invalid user buna from 212.227.80.72
Jul 18 18:26:42 h1222138 sshd[20241]: Invalid user xau from 212.227.80.72
Jul 18 18:26:42 h1222138 sshd[20243]: Invalid user adeus from 212.227.80.72
Jul 18 18:26:43 h1222138 sshd[20245]: Invalid user cristina from 212.227.80.72
Jul 18 18:26:44 h1222138 sshd[20247]: Invalid user jumbo from 212.227.80.72
Jul 18 18:26:45 h1222138 sshd[20249]: Invalid user colombo from 212.227.80.72
Jul 18 18:26:45 h1222138 sshd[20252]: Invalid user tupac from 212.227.80.72
Jul 18 18:26:46 h1222138 sshd[20255]: Invalid user blue from 212.227.80.72
Jul 18 18:26:47 h1222138 sshd[20257]: Invalid user decatlohn from 212.227.80.72
Jul 18 18:26:48 h1222138 sshd[20259]: Invalid user suzuki from 212.227.80.72
Jul 18 18:26:49 h1222138 sshd[20265]: Invalid user honda from 212.227.80.72
Jul 18 18:26:49 h1222138 sshd[20267]: Invalid user opel from 212.227.80.72
Jul 18 18:26:50 h1222138 sshd[20269]: Invalid user mertan from 212.227.80.72
Jul 18 18:26:51 h1222138 sshd[20273]: Invalid user tigan from 212.227.80.72
Jul 18 18:26:52 h1222138 sshd[20276]: Invalid user tiganca from 212.227.80.72
Jul 18 18:26:53 h1222138 sshd[20278]: Invalid user vila from 212.227.80.72
Jul 18 18:26:53 h1222138 sshd[20280]: Invalid user casa from 212.227.80.72
Jul 18 18:26:54 h1222138 sshd[20283]: Invalid user masa from 212.227.80.72
Jul 18 18:26:55 h1222138 sshd[20285]: Invalid user birou from 212.227.80.72
Jul 18 18:26:55 h1222138 sshd[20287]: Invalid user bureau from 212.227.80.72
Jul 18 18:26:56 h1222138 sshd[20289]: Invalid user firm from 212.227.80.72
Jul 18 18:26:57 h1222138 sshd[20291]: Invalid user firma from 212.227.80.72
Jul 18 18:26:58 h1222138 sshd[20293]: Invalid user tovaras from 212.227.80.72
Jul 18 18:26:58 h1222138 sshd[20295]: Invalid user toyota from 212.227.80.72
Jul 18 18:26:59 h1222138 sshd[20297]: Invalid user trivia from 212.227.80.72
Jul 18 18:27:00 h1222138 sshd[20299]: Invalid user france from 212.227.80.72
Jul 18 18:27:01 h1222138 sshd[20303]: Invalid user spania from 212.227.80.72
Jul 18 18:27:01 h1222138 sshd[20305]: Invalid user austria from 212.227.80.72
Jul 18 18:27:02 h1222138 sshd[20307]: Invalid user viena from 212.227.80.72
Jul 18 18:27:03 h1222138 sshd[20309]: Invalid user zagreb from 212.227.80.72
Jul 18 18:27:04 h1222138 sshd[20312]: Invalid user smen from 212.227.80.72
Jul 18 18:27:04 h1222138 sshd[20314]: Invalid user golf from 212.227.80.72
Jul 18 18:27:05 h1222138 sshd[20316]: Invalid user adidas from 212.227.80.72
Jul 18 18:27:06 h1222138 sshd[20318]: Invalid user nike from 212.227.80.72
Jul 18 18:27:07 h1222138 sshd[20321]: Invalid user reebok from 212.227.80.72
Jul 18 18:27:08 h1222138 sshd[20324]: Invalid user bunny from 212.227.80.72
Jul 18 18:27:08 h1222138 sshd[20326]: Invalid user rabit from 212.227.80.72
Jul 18 18:27:09 h1222138 sshd[20328]: Invalid user iepure from 212.227.80.72
Jul 18 18:27:10 h1222138 sshd[20330]: Invalid user barman from 212.227.80.72
Jul 18 18:27:11 h1222138 sshd[20332]: Invalid user cafea from 212.227.80.72
Jul 18 18:27:11 h1222138 sshd[20334]: Invalid user swets from 212.227.80.72
Jul 18 18:27:12 h1222138 sshd[20336]: Invalid user swett from 212.227.80.72
Jul 18 18:27:13 h1222138 sshd[20338]: Invalid user swr from 212.227.80.72
Jul 18 18:27:14 h1222138 sshd[20340]: Invalid user swyer from 212.227.80.72
Jul 18 18:27:14 h1222138 sshd[20342]: Invalid user sx from 212.227.80.72
Jul 18 18:27:15 h1222138 sshd[20344]: Invalid user sy from 212.227.80.72
Jul 18 18:27:16 h1222138 sshd[20351]: Invalid user syal from 212.227.80.72
Jul 18 18:27:17 h1222138 sshd[20353]: Invalid user syam from 212.227.80.72
Jul 18 18:27:17 h1222138 sshd[20355]: Invalid user syamala from 212.227.80.72
Jul 18 18:27:18 h1222138 sshd[20357]: Invalid user sybal from 212.227.80.72
Jul 18 18:27:19 h1222138 sshd[20359]: Invalid user sybase from 212.227.80.72
Jul 18 18:27:20 h1222138 sshd[20364]: Invalid user sybil from 212.227.80.72
Jul 18 18:27:20 h1222138 sshd[20366]: Invalid user sybila from 212.227.80.72
Jul 18 18:27:21 h1222138 sshd[20368]: Invalid user sybilla from 212.227.80.72

That does surprise me somewhat.

How can I stop this?

Regards
druckgott
 
If you found that in the mail logs, that surprises me a little...


The log says that many (unsuccessful) login attempts have been made on your system.
 
Hm, a system that writes (prescribes) massages is something I still need too. You found that in /var/log/messages.

As Ldi91 correctly recognized, these are by no means entries from the mail log (found under /var/log/mail.info, /var/log/mail.warn and /var/log/mail.error (depending on the system)), but entries from your SSH daemon. You can spot that quite nicely, by the way, in the first third of each line, where it says something about sshd.

You can prevent this with Fail2Ban, DenyHosts, moving the SSH service to another port, port knocking, etc. etc. etc. Here in the forum there are two dozen guides, HowTos, experience reports, praise, criticism and other things that so enrich forum life.

Last but not least, I have moved this over to Security. Here you will also quickly find one HowTo or another.
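The check that Fail2Ban-style tools apply to these sshd lines, as an added example that is not part of any post in this thread: count failures per source address inside a time window, then ask whether a flagged address ever logged in successfully. The names `parse`, `analyse` and `SAMPLE` are made up for illustration, `maxretry` and `findtime` are named after the Fail2Ban options, and the year is an assumption because syslog lines carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Excerpt of the log posted at the top of this thread.
SAMPLE = """\
Jul 18 18:10:24 h1222138 sshd[18096]: Accepted keyboard-interactive/pam for root from 77.4.58.239 port 2821 ssh2
Jul 18 18:24:56 h1222138 sshd[19953]: Invalid user bus from 212.227.80.72
Jul 18 18:24:57 h1222138 sshd[19956]: Invalid user buzzz from 212.227.80.72
Jul 18 18:24:58 h1222138 sshd[19960]: Invalid user buz from 212.227.80.72
Jul 18 18:24:58 h1222138 sshd[19962]: Invalid user buzz from 212.227.80.72
Jul 18 18:24:59 h1222138 sshd[19964]: Invalid user bird from 212.227.80.72
Jul 18 18:25:01 h1222138 /usr/sbin/cron[20004]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
"""

# The user name is remote-controlled text, so the address is taken from the
# END of the line: a name containing " from 10.0.0.1" cannot redirect a ban.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user .*|Accepted \S+ for (?P<ok>\S+)) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?\s*$")

def parse(log, year=2000):
    """Yield (time, ip, accepted_user_or_None); the year is assumed."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["ok"]

def analyse(log, maxretry=5, findtime=timedelta(minutes=10)):
    """Return ({ip: time threshold was reached}, {flagged ip: accepted users})."""
    recent, flagged, accepted = defaultdict(deque), {}, defaultdict(set)
    for ts, ip, ok_user in parse(log):
        if ok_user is not None:
            accepted[ip].add(ok_user)
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:      # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            flagged.setdefault(ip, ts)
    # A flagged address that also has an accepted login needs urgent attention.
    succeeded = {ip: sorted(accepted[ip]) for ip in flagged if ip in accepted}
    return flagged, succeeded

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

On the excerpt, 212.227.80.72 reaches the threshold with its fifth failure, and the accepted root logins come from a different address, so the second dictionary stays empty.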
 
That looks very much as if your sshd has a few buddies who are ringing all the doorbells to see whether they can get into the party too ;)

No, seriously: this is a brute-force attack on your sshd.

You can prevent this with Fail2Ban, DenyHosts, moving the SSH service to another port, port knocking, etc. etc. etc. Here in the forum there are two dozen guides, HowTos, experience reports, praise, criticism and other things that so enrich forum life.
 
No, seriously: this is a brute-force attack on your sshd.

I had already thought so too, since different names keep being tried.

Thanks for the help for now.

I will just have a look at what I can find (in the HowTos).

The attacks are gone, but as you can see in the picture below, the error message keeps scrolling past the whole time. I don't know whether that also has something to do with it, but I didn't want to open a new thread.

Regards, druckgott
 

Attachments

  • Unbenannt-3.jpg