web-dev-qa-db-ja.com

Find the remote IP for [kex_exchange_identification: Connection closed by remote host]

I'm seeing a wall of logs like this in /var/log/auth.log. Every 2 minutes, 10 lines of the same message appear. How do I find out which remote IP generated these messages?

I'm running Ubuntu 19.10 (this is my remote workstation, and I run regular security checks on it).

61094 Jan 25 22:44:01 localhost sshd[10390]: error: kex_exchange_identification: Connection closed by remote Host
61095 Jan 25 22:44:02 localhost sshd[10408]: error: kex_exchange_identification: Connection closed by remote Host
61096 Jan 25 22:44:02 localhost sshd[10433]: error: kex_exchange_identification: Connection closed by remote Host
61097 Jan 25 22:44:02 localhost sshd[10437]: error: kex_exchange_identification: Connection closed by remote Host
61098 Jan 25 22:44:02 localhost sshd[10441]: error: kex_exchange_identification: Connection closed by remote Host
61099 Jan 25 22:44:02 localhost sshd[10446]: error: kex_exchange_identification: Connection closed by remote Host
61100 Jan 25 22:44:02 localhost sshd[10450]: error: kex_exchange_identification: Connection closed by remote Host
61101 Jan 25 22:44:02 localhost sshd[10454]: error: kex_exchange_identification: Connection closed by remote Host
61102 Jan 25 22:44:02 localhost sshd[10462]: error: kex_exchange_identification: Connection closed by remote Host
61103 Jan 25 22:44:02 localhost sshd[10466]: error: kex_exchange_identification: Connection closed by remote Host
61104 Jan 25 22:46:01 localhost sshd[12501]: error: kex_exchange_identification: Connection closed by remote Host
61105 Jan 25 22:46:01 localhost sshd[12528]: error: kex_exchange_identification: Connection closed by remote Host
61106 Jan 25 22:46:01 localhost sshd[12538]: error: kex_exchange_identification: Connection closed by remote Host
61107 Jan 25 22:46:01 localhost sshd[12542]: error: kex_exchange_identification: Connection closed by remote Host
61108 Jan 25 22:46:01 localhost sshd[12546]: error: kex_exchange_identification: Connection closed by remote Host
61109 Jan 25 22:46:01 localhost sshd[12551]: error: kex_exchange_identification: Connection closed by remote Host
61110 Jan 25 22:46:01 localhost sshd[12555]: error: kex_exchange_identification: Connection closed by remote Host
61111 Jan 25 22:46:01 localhost sshd[12560]: error: kex_exchange_identification: Connection closed by remote Host
61112 Jan 25 22:46:01 localhost sshd[12564]: error: kex_exchange_identification: Connection closed by remote Host
61113 Jan 25 22:46:01 localhost sshd[12568]: error: kex_exchange_identification: Connection closed by remote Host
61114 Jan 25 22:48:01 localhost sshd[14371]: error: kex_exchange_identification: Connection closed by remote Host
61115 Jan 25 22:48:01 localhost sshd[14390]: error: kex_exchange_identification: Connection closed by remote Host
61116 Jan 25 22:48:01 localhost sshd[14414]: error: kex_exchange_identification: Connection closed by remote Host
61117 Jan 25 22:48:01 localhost sshd[14418]: error: kex_exchange_identification: Connection closed by remote Host
61118 Jan 25 22:48:01 localhost sshd[14422]: error: kex_exchange_identification: Connection closed by remote Host
61119 Jan 25 22:48:01 localhost sshd[14427]: error: kex_exchange_identification: Connection closed by remote Host
61120 Jan 25 22:48:01 localhost sshd[14431]: error: kex_exchange_identification: Connection closed by remote Host
61121 Jan 25 22:48:01 localhost sshd[14435]: error: kex_exchange_identification: Connection closed by remote Host
61122 Jan 25 22:48:01 localhost sshd[14439]: error: kex_exchange_identification: Connection closed by remote Host
61123 Jan 25 22:48:01 localhost sshd[14443]: error: kex_exchange_identification: Connection closed by remote Host
61124 Jan 25 22:50:01 localhost sshd[16489]: error: kex_exchange_identification: Connection closed by remote Host
61125 Jan 25 22:50:01 localhost sshd[16512]: error: kex_exchange_identification: Connection closed by remote Host
61126 Jan 25 22:50:01 localhost sshd[16530]: error: kex_exchange_identification: Connection closed by remote Host
61127 Jan 25 22:50:01 localhost sshd[16535]: error: kex_exchange_identification: Connection closed by remote Host
61128 Jan 25 22:50:01 localhost sshd[16539]: error: kex_exchange_identification: Connection closed by remote Host
61129 Jan 25 22:50:01 localhost sshd[16544]: error: kex_exchange_identification: Connection closed by remote Host
61130 Jan 25 22:50:01 localhost sshd[16548]: error: kex_exchange_identification: Connection closed by remote Host
61131 Jan 25 22:50:01 localhost sshd[16552]: error: kex_exchange_identification: Connection closed by remote Host
61132 Jan 25 22:50:01 localhost sshd[16556]: error: kex_exchange_identification: Connection closed by remote Host
61133 Jan 25 22:50:01 localhost sshd[16561]: error: kex_exchange_identification: Connection closed by remote Host
61134 Jan 25 22:52:01 localhost sshd[18480]: error: kex_exchange_identification: Connection closed by remote Host
61135 Jan 25 22:52:01 localhost sshd[18491]: error: kex_exchange_identification: Connection closed by remote Host
61136 Jan 25 22:52:01 localhost sshd[18518]: error: kex_exchange_identification: Connection closed by remote Host
61137 Jan 25 22:52:01 localhost sshd[18523]: error: kex_exchange_identification: Connection closed by remote Host
61138 Jan 25 22:52:01 localhost sshd[18527]: error: kex_exchange_identification: Connection closed by remote Host
61139 Jan 25 22:52:01 localhost sshd[18532]: error: kex_exchange_identification: Connection closed by remote Host
61140 Jan 25 22:52:01 localhost sshd[18536]: error: kex_exchange_identification: Connection closed by remote Host
auth.log-20200126-1579968001                                                                   61140,1        99%
2
iBug

Try running tcpdump on the SSH port.

tcpdump -nn -s0 port 22

If you are already logged in over SSH, exclude your own source IP address (e.g. 203.202.1.1) so that your terminal is not flooded with your own traffic.

tcpdump -nn -s0 port 22 and not src 203.202.1.1 and not dst 203.202.1.1

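You can also use Netfilter to log connections to syslog, but you may not want to do that without setting some kind of log limit, because a flood of connections can put enough load on the server to make it unresponsive (as shown below):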

iptables -I INPUT -p tcp --dport 22 -m limit --limit 4/min --limit-burst 4 -j LOG --log-prefix "SSH_NOTIFY: "

This will drop messages about the connecting hosts into syslog.

1
Server Fault
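
An added example, not part of the original answer: once the `SSH_NOTIFY: ` rule above is logging, the sshd errors (which carry no peer address) can be attributed to sources by matching them per minute against the netfilter lines. The sample log lines and addresses are constructed, and the function name `kex_sources` is hypothetical; it assumes the sshd and kernel log lines are fed in together, in any order.

```shell
#!/bin/sh
# Added example: attribute sshd "kex_exchange_identification" errors to
# source IPs using the SSH_NOTIFY netfilter LOG lines from the rule above.

# Constructed sample input; addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Jan 25 22:44:01 localhost kernel: [1001.10] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN URGP=0
Jan 25 22:44:01 localhost sshd[10390]: error: kex_exchange_identification: Connection closed by remote host
Jan 25 22:44:02 localhost kernel: [1002.20] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40114 DPT=22 SYN URGP=0
Jan 25 22:44:02 localhost sshd[10408]: error: kex_exchange_identification: Connection closed by remote host
Jan 25 22:45:10 localhost kernel: [1070.00] SSH_NOTIFY: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 LEN=60 TTL=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jan 25 22:45:11 localhost sshd[11000]: Accepted publickey for admin from 203.0.113.20 port 51000 ssh2
Jan 25 22:46:01 localhost kernel: [1121.30] SSH_NOTIFY: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40300 DPT=22 SYN URGP=0
Jan 25 22:46:01 localhost sshd[12501]: error: kex_exchange_identification: Connection closed by remote host
EOF
}

# Reads merged syslog lines on stdin; prints "<hits> <ip>" for every source
# logged in the same minute as at least one kex_exchange_identification error.
kex_sources() {
    awk '
    # Key every line by "Mon DD HH:MM" so both log sources can be joined.
    { minute = $1 " " $2 " " substr($3, 1, 5) }
    /kex_exchange_identification/ { kex[minute] = 1 }
    /SSH_NOTIFY: / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) seen[minute SUBSEP substr($i, 5)]++
    }
    END {
        # Keep only sources seen in a minute that also had a kex error.
        for (k in seen) {
            split(k, p, SUBSEP)
            if (p[1] in kex) hits[p[2]] += seen[k]
        }
        for (ip in hits) print hits[ip], ip
    }' | sort -rn
}

sample_log | kex_sources
```

On a real host the input would be something like `cat /var/log/auth.log /var/log/kern.log | kex_sources` (the kernel log path is an assumption about the local syslog setup). Because the rule is rate-limited to 4 entries per minute, the hit counts are a lower bound, not a full tally.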