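I happened to notice a lot of failed login records and suspect an SSH credential-stuffing attack. So far there have been 15349 attempts. The lastb command shows credential-stuffing attempts from the IP 164.92.69.50, so why does the log viewed with journalctl -xe show "from 127.0.0.1"?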
root@aml-s812:/var/log# grep -o "Failed password for invalid user" /var/log/auth.log|uniq -c
15349 Failed password for invalid user
May 06 00:59:12 aml-s812 sshd[10132]: Failed password for invalid user ctr from 127.0.0.1 port 46360 ssh2
May 06 00:59:14 aml-s812 sshd[10132]: Connection closed by invalid user ctr 127.0.0.1 port 46360 [preauth]
May 06 00:59:18 aml-s812 sshd[10240]: Invalid user ctr from 127.0.0.1 port 46364
May 06 00:59:18 aml-s812 sshd[10240]: pam_unix(sshd:auth): check pass; user unknown
May 06 00:59:18 aml-s812 sshd[10240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1