Since I've been leaving my desktop switched off most of the time, I opened an ssh port to the raspberrypi. Why? For no reason at all.
I never actually used that ssh access, which externally sat on a high port 22XY, with X and Y more or less random.
And of course I forgot about it. Today I went to take a look. And there were lots of attacks. Or attempts at them, anyway.
pi@raspberrypi3 ~> journalctl -u ssh | grep rhost | sed 's/.*ruser= //' | sort -n | uniq -c
I disabled the port.
The raspberrypi requires a password for sudo, something I learned after Maycon's successful attack, which was immortalized inside the code of stallmanbot.py:
def Hacked(obj, cmd):
    # Post the "hall of fame" messages and a gif back to the chat that issued the command
    try:
        obj.reply_to(cmd, u"This is the gallery of metions from those who dared to hack, and just made it true.")
        obj.reply_to(cmd, u"Helio is my master but Maycon is my hacker <3 (Hack N' Roll)")
        gif = "https://media.giphy.com/media/26ufcVAp3AiJJsrIs/giphy.gif"
        obj.send_document(cmd.chat.id, gif)
    except Exception as e:
        # Report any failure (e.g. a bot API error) back to the chat instead of crashing
        obj.reply_to(cmd, f"Deu merda: {e}")
So I believe that even a successful ssh attack would not have caused much damage. But you never know for sure :)
Another interesting point is that all the attacks came over IPv4. None, absolutely none, over IPv6. Even in that respect IPv6 is safer.
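As an added example (not code from the original post), here is a small Python version of that journalctl pipeline, run over constructed sample journal lines, which also splits the totals by IPv4 vs IPv6 as the last paragraph asks; the pam_unix message format is the real one, but the addresses and usernames in the sample are made up.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample journal lines (not from the original post): the pam_unix
# message format is the real one, the addresses and users are made up.
SAMPLE_JOURNAL = """\
Mar 01 10:00:01 raspberrypi3 sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar 01 10:00:03 raspberrypi3 sshd[1203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar 01 10:00:05 raspberrypi3 sshd[1205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Mar 01 10:00:09 raspberrypi3 sshd[1207]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=pi
Mar 01 10:00:12 raspberrypi3 sshd[1209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::1  user=root
Mar 01 10:00:15 raspberrypi3 sshd[1211]: Accepted publickey for pi from 192.0.2.5 port 51234 ssh2
"""

# The fields the post's `sed 's/.*ruser= //'` step keeps: rhost, plus user=
# when pam_unix logged one (it omits user= for names that don't exist locally,
# which is what the bare "rhost=..." lines in the post's output are).
FAILURE_RE = re.compile(
    r"authentication failure;.*rhost=(?P<rhost>\S+)(?:\s+user=(?P<user>\S+))?\s*$"
)

def parse_failures(journal_text):
    """Count failures per (rhost, user) like `sort | uniq -c`; user is None if absent."""
    counts = Counter()
    for line in journal_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:  # successful logins and other sshd messages don't match
            counts[(m.group("rhost"), m.group("user"))] += 1
    return counts

def address_family(rhost):
    """'IPv4' or 'IPv6'; 'other' if sshd logged a hostname (e.g. with UseDNS on)."""
    try:
        return "IPv%d" % ipaddress.ip_address(rhost).version
    except ValueError:
        return "other"

def summarize(counts):
    """Totals per source host and per address family (the IPv4-vs-IPv6 question)."""
    per_host, per_family = Counter(), Counter()
    for (rhost, _user), n in counts.items():
        per_host[rhost] += n
        per_family[address_family(rhost)] += n
    return per_host, per_family

if __name__ == "__main__":
    counts = parse_failures(SAMPLE_JOURNAL)
    for (rhost, user), n in counts.items():
        print(f"{n:7d} rhost={rhost}" + (f" user={user}" if user else ""))
```

On a real box, feed it `journalctl -u ssh --no-pager` output instead of SAMPLE_JOURNAL; the bare-rhost rows are attempts against usernames that do not exist, so a large count there is pure dictionary spraying.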