Has Zhejiang turned into a nest of compromised hosts?

    Havee 2015-02-04 09:53:44 +08:00, 6344 views
    I just grabbed a VPS in Korea last night, added two rules with firewall-cmd, and opened one service and one port.
    Then I took a look today:

    [root@v2k ~]# lastb | awk '{print $3}' | sort | uniq -c | sort -n | sed '1,2d'

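    Yep, all Zhejiang IPs. Why bother? Password login is restricted on my box anyway. I really want to block all of these IPs in one go.
    30 replies    2015-02-04 20:11:20 +08:00
    bellchu  #1  2015-02-04 10:01:14 +08:00
    I spun up a new server yesterday, meant only as an nginx cache, and it isn't even live yet.
    It has already collected this many IPs: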
    xiaozhizhu1997  #2  2015-02-04 10:14:54 +08:00 via Android
    Is that the one from 星光互联...
    I have an OAH box that, damn it, gets visits from IPs all over the world, even Africa…
    bellchu  #3  2015-02-04 10:16:56 +08:00
    @xiaozhizhu1997 It has the makings of a porn site
    lonelygo  #4  2015-02-04 10:17:26 +08:00
    Nothing unusual, take a look at this:
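    Havee (OP)  #5  2015-02-04 10:20:26 +08:00
    @lonelygo
    @xiaozhizhu1997
    @bellchu
    I just wrote a script: anything with more than 10 attempts in 1 minute gets rejected, all of them. I dropped it into a scheduled task.
    bellchu  #6  2015-02-04 10:41:10 +08:00
    @Havee Mine: more than one illegal attempt in a minute and it's a straight reject for 24H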
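The per-minute threshold that Havee and bellchu describe above, as an added example that is not either poster's script. The function names `sample_lastb`, `offenders` and `ban_commands` are hypothetical, the input lines are constructed with RFC 5737 documentation addresses, and the `firewall-cmd` rules are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed lastb-style input: user, tty, host, weekday, month, day, start - end, duration.
sample_lastb() {
    i=0
    while [ "$i" -lt 12 ]; do   # 12 failures from one address inside a single minute
        echo "root     ssh:notty    203.0.113.7      Tue Feb  3 01:11 - 01:11  (00:00)"
        i=$((i + 1))
    done
    cat <<'EOF'
admin    ssh:notty    198.51.100.23    Tue Feb  3 01:11 - 01:11  (00:00)
admin    ssh:notty    198.51.100.23    Tue Feb  3 01:11 - 01:11  (00:00)
test     ssh:notty    192.0.2.50       Tue Feb  3 02:06 - 02:06  (00:00)
support  ssh:notty    192.0.2.50       Tue Feb  3 02:10 - 02:10  (00:00)
office   ssh:notty    host-192-0-2-9.e Mon Feb  2 11:32 - 11:32  (00:00)
office   ssh:notty    host-192-0-2-9.e Mon Feb  2 11:32 - 11:32  (00:00)

btmp begins Mon Feb  2 08:21:10 2015
EOF
}

# offenders LIMIT: read lastb output on stdin and print "address worst_minute_count"
# for every address that exceeded LIMIT failed logins within one clock minute.
offenders() {
    awk -v limit="$1" '
        # Keep only rows whose host column is a dotted-quad address. This drops the
        # blank line, the "btmp begins" trailer, and truncated hostnames, which
        # cannot be used in an address rule (lastb -i prints numeric addresses).
        $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        { n[$3 SUBSEP $5 " " $6 " " $7]++ }      # bucket = address + "Mon DD HH:MM"
        END {
            for (k in n) {
                split(k, part, SUBSEP)
                if (n[k] > limit && n[k] > worst[part[1]]) worst[part[1]] = n[k]
            }
            for (h in worst) print h, worst[h]
        }' | sort
}

# ban_commands TTL: turn offenders output into firewalld rich rules that expire
# after TTL (runtime rules only). The commands are printed, not run.
ban_commands() {
    ttl=$1
    while read -r host hits; do
        printf "firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" reject' --timeout=%s\n" "$host" "$ttl"
    done
}

# Dry run with the stricter of the two thresholds from the thread and a 24h expiry.
sample_lastb | offenders 1 | ban_commands 24h
```

The address that tries one username every few minutes never crosses either threshold, so a per-minute counter alone does not catch slow scanners.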
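    lonelygo  #7  2015-02-04 11:10:18 +08:00
    @Havee @bellchu You guys are ruthless. Have you considered how the compromised hosts feel?
    Imivan  #8  2015-02-04 11:13:44 +08:00 via Android
    Where are compromised hosts sold.
    sxd1988  #9  2015-02-04 11:46:02 +08:00
    If I open SSH on port 22, there are likewise a number of Wenzhou IPs constantly trying to log in
    kiritoalex  #10  2015-02-04 12:10:08 +08:00 via iPhone
    I really want to set up a honeypot to see what kind of attack this actually is……
    zachgenius  #11  2015-02-04 12:13:54 +08:00
    I pulled up lastb yesterday, holy crap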

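    It feels like it's all scripts running out of Zhenjiang, Jiangsu... And on several of my servers this kind of bulk bad-login behavior has been going on from January until now... And these people try logging in as Natalia, student, and even dick...
    vex911  #12  2015-02-04 12:20:25 +08:00
    Those probably aren't compromised hosts; they're Alibaba Cloud server IPs.
    cevincheung  #13  2015-02-04 12:23:59 +08:00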
    jasontse  #14  2015-02-04 12:32:25 +08:00 via iPad
    Fujian is a nest too
    codegear  #15  2015-02-04 12:41:23 +08:00
    One look and I got a scare
    Abroad: Thailand, Korea
    Domestic: Chengdu, Shaoxing, Zhenjiang

    50,000 attempts a day, I can barely take it
    lingo  #16  2015-02-04 12:46:10 +08:00
    @bellchu Mine looks about the same as yours; there are especially many from the 103.41.124.* range...
    hjc4869  #17  2015-02-04 12:56:51 +08:00
    Is fail2ban not good enough?
    fashioncj  #18  2015-02-04 13:35:49 +08:00
    @lingo Agreed... mine too~
    fashioncj  #19  2015-02-04 13:39:01 +08:00
    ssh is simply exploding
    bellchu  #20  2015-02-04 13:50:49 +08:00
    @lingo Those look like Hong Kong IPs. There didn't use to be this many SSH attempts; it only started last year. On any server in Asia-Pacific I collect plenty basically every day. On the North American servers it's all OpenVPN attempts.
    dongge  #21  2015-02-04 13:55:05 +08:00 via Android
    @vex911 That avatar.....
    lingo233  #22  2015-02-04 14:59:51 +08:00
    I'm a bit better off than you all: only one Lanzhou IP stands out, with 624 attempts
    abcbit  #23  2015-02-04 15:16:21 +08:00 via iPhone
    江的服器一月才200多,不你?
    chunchu  #24  2015-02-04 15:54:59 +08:00
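    fvladlpa  #25  2015-02-04 17:06:20 +08:00 via iPhone
    @kiritoalex It depends on which ports are open; mostly 22, 21, 80
    lbp0200  #26  2015-02-04 17:19:14 +08:00
    I changed the port
    kiritoalex  #27  2015-02-04 17:31:43 +08:00
    @fvladlpa OK, so it's mainly the FTP, SSH and HTTP ports...
    By the way, adding OS fingerprinting would make it possible to pin down the attack type more effectively...
    wulin  #28  2015-02-04 17:48:50 +08:00
    Checked mine: even with the ssh port changed there are still attempts. The most painful part is that last shows an IP from another province. Off to change my password....
    Havee (OP)  #29  2015-02-04 17:50:35 +08:00
    @wulin, disable password login for ssh, don't forget
    Halry  #30  2015-02-04 20:11:20 +08:00 via Android
    I checked and I have a pile too...
    I set it to certificate-only login, so how can they still try? What's going on?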