Here's the deal:
Over the last few weeks I have noticed a large number of authentication failures for both the sshd service and the screensharingd service on my Mac OS X Mavericks server (running 10.9.2 (Build 13C64), Server v3.1.1 (Build 13S4140), Apache v2.2.26 and OpenSSL v1.0.1g (no Heartbleed for me, haha)). A quick sample of some of the server logs:
Apr 21 08:08:45 [myhost] sshd[6558]: Invalid user fls from 83.222.230.90
Apr 21 08:08:45 [myhost] sshd[6558]: input_userauth_request: invalid user fls [preauth]
Apr 21 08:08:45 [myhost] sshd[6558]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:47 [myhost] sshd[6560]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:48 [myhost] sshd[6568]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:49 [myhost] sshd[6571]: Invalid user x from 83.222.230.90
Apr 21 08:08:49 [myhost] sshd[6571]: input_userauth_request: invalid user x [preauth]
Apr 21 08:08:50 [myhost] sshd[6571]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:51 [myhost] sshd[6573]: Invalid user http from 83.222.230.90
Apr 21 08:08:51 [myhost] sshd[6573]: input_userauth_request: invalid user http [preauth]
Apr 21 08:08:51 [myhost] sshd[6573]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:52 [myhost] sshd[6578]: Invalid user mp3 from 83.222.230.90
Apr 21 08:08:52 [myhost] sshd[6578]: input_userauth_request: invalid user mp3 [preauth]
Apr 21 08:08:53 [myhost] sshd[6578]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:54 [myhost] sshd[6581]: Invalid user oracle from 83.222.230.90
Apr 21 08:08:54 [myhost] sshd[6581]: input_userauth_request: invalid user oracle [preauth]
Apr 21 08:08:54 [myhost] sshd[6581]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:55 [myhost] sshd[6584]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:57 [myhost] sshd[6589]: Invalid user r00t from 83.222.230.90
Apr 21 08:08:57 [myhost] sshd[6589]: input_userauth_request: invalid user r00t [preauth]
Apr 21 08:08:57 [myhost] sshd[6589]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:08:58 [myhost] sshd[6595]: Invalid user bin from 83.222.230.90
Apr 21 08:08:58 [myhost] sshd[6595]: input_userauth_request: invalid user bin [preauth]
Apr 21 08:08:59 [myhost] sshd[6595]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:09:00 [myhost] sshd[6597]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:09:01 [myhost] sshd[6600]: Invalid user sm0k3y from 83.222.230.90
Apr 21 08:09:01 [myhost] sshd[6600]: input_userauth_request: invalid user sm0k3y [preauth]
Apr 21 08:09:02 [myhost] sshd[6600]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
Apr 21 08:09:03 [myhost] sshd[6604]: Invalid user cgi from 83.222.230.90
Apr 21 08:09:03 [myhost] sshd[6604]: input_userauth_request: invalid user cgi [preauth]
Apr 21 08:09:03 [myhost] sshd[6604]: Received disconnect from 83.222.230.90: 11: Bye Bye [preauth]
The screensharingd logs are as follows:
Apr 21 08:02:38 [myhost] screensharingd[5553]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 174.47.177.235 :: Type: VNC DES
Apr 21 08:02:57 --- last message repeated 7 times ---
Apr 21 08:28:42 [myhost] screensharingd[8520]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 208.71.217.153 :: Type: VNC DES
Apr 21 08:36:14 [myhost] screensharingd[9232]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 173.165.178.100 :: Type: VNC DES
Apr 21 08:43:34 [myhost] screensharingd[9928]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 5.135.101.206 :: Type: VNC DES
Apr 21 08:56:13 [myhost] screensharingd[11240]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 24.197.239.70 :: Type: VNC DES
Apr 21 08:56:34 [myhost] screensharingd[11273]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 24.197.239.70 :: Type: VNC DES
Apr 21 08:56:51 [myhost] screensharingd[11300]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 24.197.239.70 :: Type: VNC DES
Apr 21 08:56:58 --- last message repeated 1 time ---
Apr 21 09:29:15 [myhost] screensharingd[14752]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.150.95.108 :: Type: VNC DES
Apr 21 09:29:23 --- last message repeated 2 times ---
Apr 21 09:29:27 [myhost] screensharingd[14752]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.150.95.108 :: Type: VNC DES
Apr 21 09:29:33 --- last message repeated 1 time ---
Apr 21 09:29:59 [myhost] screensharingd[14819]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.150.95.108 :: Type: VNC DES
Apr 21 09:30:03 [myhost] screensharingd[14819]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.150.95.108 :: Type: VNC DES
Apr 21 09:30:13 --- last message repeated 2 times ---
Apr 21 09:30:14 [myhost] screensharingd[14819]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 75.150.95.108 :: Type: VNC DES
Apr 21 09:30:23 --- last message repeated 2 times ---
Apr 21 09:32:48 [myhost] screensharingd[15094]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 61.160.201.25 :: Type: VNC DES
Obviously, I could manually add firewall rules using /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a [ip-address], but that is a very time-consuming and very stupid process. I have tried using some of the tools offered by my MacPorts tree, but they don't seem to work, and I am worried that anything I've installed might conflict with the built-in firewall.
Is there any software for OS X that automates firewall changes in response to repeated failed attempts, or perhaps some other way to reduce the risk of brute-force login attempts succeeding?
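An added example, not part of the original post: a dry-run sketch of the automation asked about, which counts failed sshd and screensharingd logins per source address in the log format shown above, credits syslog "last message repeated" markers to the preceding line, and builds the afctl -a command quoted in the post. The threshold, the allowlist parameter and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# afctl path and the -a flag are the ones quoted in the post.
AFCTL = "/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl"
# Anchor the address at end of line: the username is attacker-controlled, so a
# name like "x from 192.0.2.1" must not be able to choose the blocked address.
SSHD = re.compile(r"sshd\[\d+\]: Invalid user .* from (\S+)$")
VNC = re.compile(r"screensharingd\[\d+\]: Authentication: FAILED :: .* Viewer Address: (\S+) :: Type:")
REPEAT = re.compile(r"--- last message repeated (\d+) times? ---")

def count_failures(lines):
    """Count failed logins per source IP, crediting syslog repeat markers."""
    counts, last_ip = Counter(), None
    for line in lines:
        rep = REPEAT.search(line)
        if rep:  # repeats belong to the immediately preceding message
            if last_ip:
                counts[last_ip] += int(rep.group(1))
            continue
        m = SSHD.search(line) or VNC.search(line)
        last_ip = None
        if m:
            try:
                last_ip = str(ipaddress.ip_address(m.group(1)))
                counts[last_ip] += 1
            except ValueError:
                pass  # captured text is not an IP address; ignore the line
    return counts

def block_commands(lines, threshold=5, allowlist=()):
    """Return afctl argument lists for IPs at or above the threshold."""
    return [[AFCTL, "-a", ip] for ip, n in sorted(count_failures(lines).items())
            if n >= threshold and ip not in allowlist]

# Constructed sample in the post's log format (documentation-range addresses).
SAMPLE = """\
Apr 21 08:08:45 [myhost] sshd[6558]: Invalid user fls from 203.0.113.7
Apr 21 08:08:45 [myhost] sshd[6558]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Apr 21 08:08:49 [myhost] sshd[6571]: Invalid user x from 192.0.2.1 from 203.0.113.7
Apr 21 08:02:38 [myhost] screensharingd[5553]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.9 :: Type: VNC DES
Apr 21 08:02:57 --- last message repeated 7 times ---
Apr 21 08:28:42 [myhost] screensharingd[8520]: Authentication: FAILED :: User Name: N/A :: Viewer Address: 198.51.100.20 :: Type: VNC DES
""".splitlines()

if __name__ == "__main__":
    for cmd in block_commands(SAMPLE):
        print(" ".join(cmd))  # dry run: review the list, then run as root
```

The script only prints the commands; pass your own management addresses in allowlist so a mistyped password cannot lock you out.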