frp server being scanned
Background
In the previous tutorial we successfully exposed a service on a machine inside the LAN to a public IP. Recently the server logs showed attempts to reach the frp server and establish connections, and some went further and tried to log in to my internal services.
Given that, this post mainly records the information I found, so it can be looked up and improved on later.
Server-side log
2024-04-25 02:41:10.408 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.100.202.66:33416]
2024-04-25 03:04:46.769 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.203.211.9:64760]
2024-04-25 03:04:47.189 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.203.211.9:64774]
2024-04-25 03:26:32.634 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.7.96.150:14386]
2024-04-25 03:26:32.962 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.7.96.150:14574]
2024-04-25 04:00:29.346 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.37.151.2:28575]
2024-04-25 04:29:37.416 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.232.60.180:60638]
2024-04-25 05:17:06.693 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.211.104.193:40617]
2024-04-25 05:17:07.199 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.184.192.70:41840]
2024-04-25 05:17:07.660 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.184.192.70:41846]
2024-04-25 05:17:08.121 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.184.192.70:41860]
2024-04-25 05:17:08.588 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.184.192.70:41874]
2024-04-25 08:49:31.978 [I] [server/service.go:575] [c6eab8806062f59b] client login info: ip [XX.75.173.226:39636] version [0.48.0] hostname [] os [windows] arch [amd64]
2024-04-25 08:49:31.981 [W] [server/service.go:445] register control error: token in login doesn't match token from configuration
2024-04-25 08:49:37.971 [I] [server/service.go:575] [9118cc62643704eb] client login info: ip [XX.75.173.226:42534] version [0.48.0] hostname [] os [windows] arch [amd64]
2024-04-25 08:49:37.971 [W] [server/service.go:445] register control error: token in login doesn't match token from configuration
From the log above, an IP address (from a data center) tried to log in to my frp server, but did not succeed. At the same time, the public ports I exposed were also scanned and probed for connections by several IPs.
SSH service log on the internal host
journalctl _COMM=sshd -n 30
Fetch the most recent sshd log entries
Apr 25 03:04:46 mac-pro sshd[1023124]: error: kex_exchange_identification: banner line contains invalid characters
Apr 25 03:04:46 mac-pro sshd[1023124]: banner exchange: Connection from xxx.xxx.xxx.xxx port 43326: invalid format
Apr 25 03:04:47 mac-pro sshd[1023125]: Connection from xxx.xxx.xxx.xxx port 43330 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 03:04:47 mac-pro sshd[1023125]: error: kex_exchange_identification: banner line contains invalid characters
Apr 25 03:04:47 mac-pro sshd[1023125]: banner exchange: Connection from xxx.xxx.xxx.xxx port 43330: invalid format
Apr 25 05:17:06 mac-pro sshd[1043197]: Connection from xxx.xxx.xxx.xxx port 59332 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 05:17:06 mac-pro sshd[1043197]: error: kex_exchange_identification: Connection closed by remote host
Apr 25 05:17:06 mac-pro sshd[1043197]: Connection closed by xxx.xxx.xxx.xxx port 59332
Apr 25 05:17:07 mac-pro sshd[1043199]: Connection from xxx.xxx.xxx.xxx port 59338 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 05:17:07 mac-pro sshd[1043199]: error: kex_exchange_identification: banner line contains invalid characters
Apr 25 05:17:07 mac-pro sshd[1043199]: banner exchange: Connection from xxx.xxx.xxx.xxx port 59338: invalid format
Apr 25 05:17:07 mac-pro sshd[1043200]: Connection from xxx.xxx.xxx.xxx port 59344 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 05:17:07 mac-pro sshd[1043200]: error: kex_exchange_identification: client sent invalid protocol identifier "GET /metrics HTTP/1.1"
Apr 25 05:17:07 mac-pro sshd[1043200]: banner exchange: Connection from xxx.xxx.xxx.xxx port 59344: invalid format
Apr 25 05:17:08 mac-pro sshd[1043201]: Connection from xxx.xxx.xxx.xxx port 59352 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 05:17:08 mac-pro sshd[1043201]: error: kex_exchange_identification: client sent invalid protocol identifier "GET /metrics HTTP/1.1"
Apr 25 05:17:08 mac-pro sshd[1043201]: banner exchange: Connection from xxx.xxx.xxx.xxx port 59352: invalid format
Apr 25 05:17:08 mac-pro sshd[1043202]: Connection from xxx.xxx.xxx.xxx port 59368 on xxx.xxx.xxx.xxx port 22 rdomain ""
Apr 25 05:17:08 mac-pro sshd[1043202]: error: kex_exchange_identification: client sent invalid protocol identifier "GET /metrics HTTP/1.1"
Apr 25 05:17:08 mac-pro sshd[1043202]: banner exchange: Connection from xxx.xxx.xxx.xxx port 59368: invalid format
Apr 25 08:58:12 mac-pro sshd[1075754]: Connection from xxx.xxx.xxx.xxx port 59564 on xxx.xxx.xxx.xxx port 22 rdomain ""
The log above shows clients connecting to ssh without getting past the banner exchange, so no login succeeded; some of them also sent GET /metrics HTTP/1.1 to fetch information.
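As an added example (not part of the original post), the checks below parse the two logs shown above: they flag frpc logins rejected for a bad token, count connections per exposed proxy, and pair each sshd banner failure with the frps tcp-ssh connection closest in time, since sshd behind the tunnel only sees the frp client's address. The sample lines are copied from the logs above with the same masking; the 2-second window and the year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample: lines copied from the frps and sshd logs above (addresses masked as on the page).
FRPS_LOG = """\
2024-04-25 03:04:46.769 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.203.211.9:64760]
2024-04-25 03:26:32.634 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-80] get a user connection [XX.7.96.150:14386]
2024-04-25 05:17:07.660 [I] [proxy/proxy.go:204] [017c9d05e4a78111] [tcp-ssh] get a user connection [XX.184.192.70:41846]
2024-04-25 08:49:31.978 [I] [server/service.go:575] [c6eab8806062f59b] client login info: ip [XX.75.173.226:39636] version [0.48.0] hostname [] os [windows] arch [amd64]
2024-04-25 08:49:31.981 [W] [server/service.go:445] register control error: token in login doesn't match token from configuration
"""
SSHD_LOG = """\
Apr 25 03:04:46 mac-pro sshd[1023124]: error: kex_exchange_identification: banner line contains invalid characters
Apr 25 05:17:07 mac-pro sshd[1043200]: error: kex_exchange_identification: client sent invalid protocol identifier "GET /metrics HTTP/1.1"
"""
FRPS_CONN = re.compile(r"^(\S+ \S+) \[I\] .*\[(\S+)\] get a user connection \[([^\]]+):\d+\]$")
FRPS_LOGIN = re.compile(r"^(\S+ \S+) \[I\] .*client login info: ip \[([^\]]+):\d+\]")
FRPS_TOKEN = re.compile(r"^(\S+ \S+) \[W\] .*token in login doesn't match")
SSHD_KEX = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: error: kex_exchange_identification: (.*)$")

def parse_frps(text):
    """Return (user connections as (time, proxy, src_ip), source IPs whose frpc login was rejected)."""
    conns, last_login, rejected = [], None, []
    for line in text.splitlines():
        if m := FRPS_CONN.match(line):
            conns.append((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S.%f"), m[2], m[3]))
        elif m := FRPS_LOGIN.match(line):
            last_login = m[2]            # frps logs the login line first ...
        elif FRPS_TOKEN.match(line) and last_login:
            rejected.append(last_login)  # ... and the token rejection a few ms later
    return conns, rejected

def probes_per_proxy(conns):  # public-side connections per exposed proxy name
    return Counter(proxy for _, proxy, _ in conns)

def attribute_sshd_failures(conns, sshd_text, year=2024, window_s=2):
    """sshd behind an frp tcp proxy only sees the frp client's address (xxx.xxx.xxx.xxx above),
    so pair each kex failure with the frps tcp-ssh user connection closest in time."""
    ssh_conns = [c for c in conns if c[1] == "tcp-ssh"]
    results = []
    for line in sshd_text.splitlines():
        m = SSHD_KEX.match(line)
        if not m:
            continue
        t = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")  # journal lines carry no year
        near = [c for c in ssh_conns if abs((c[0] - t).total_seconds()) <= window_s]
        src = min(near, key=lambda c: abs((c[0] - t).total_seconds()))[2] if near else None
        results.append((src, m[2]))
    return results
```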
Enabling more verbose ssh logging
vim /etc/ssh/sshd_config
# Logging
#SyslogFacility AUTH
LogLevel VERBOSE
systemctl restart sshd
I found that the SyslogFacility option could not be enabled on my PVE host, as some service is missing. Since the ssh log already meets my needs, I did not keep trying to enable it.