This post was last edited by qanniu on 2022-5-20 12:35
=== Background
My old box, in use for 3 years, got broken into! Attacker IPs: 45.11.185.25, 141.98.10.* https://hostloc.com/thread-1020040-1-1.html (source: 全球主机交流论坛)
=== Case closed
May 20 06:53:58 office sshd[135074]: Accepted publickey for root from 45.11.185.25 port 58066 ssh2: RSA SHA256:pyYXpUxjCuxiKog/r28IVRz4+YJSmGZUgNnu5MTE4A
This SHA256 is an ssh key I used several years ago. I never removed it from authorized_keys, and an MJJ logged in with it along the way.
~/.ssh » ssh-keygen -lf id_rsa_old
2048 SHA256:pyYXpUxjCuxiKog/r28IVRz4+YJSmGZUgNnu5MTE4A no comment (RSA)
It seems the MJJ went easy on me: logged into my VPS at 6:53 in the morning, ran a speed test and left.
Suspected cause of the leak: I sold a network drive to an MJJ, there was a personal ssh key inside it, and the MJJ used it to log in and run a speed test.
=== Full log
May 20 06:36:10 office sshd[134963]: Connection closed by authenticating user root 141.98.10.59 port 32962 [preauth]
May 20 06:37:58 office sshd[134966]: Connection closed by authenticating user root 141.98.10.97 port 52766 [preauth]
May 20 06:39:58 office sshd[134968]: Invalid user admin from 141.98.10.97 port 52208
May 20 06:39:58 office sshd[134968]: Connection closed by invalid user admin 141.98.10.97 port 52208 [preauth]
May 20 06:41:56 office sshd[134970]: Invalid user admin from 141.98.10.97 port 51670
May 20 06:41:56 office sshd[134970]: Connection closed by invalid user admin 141.98.10.97 port 51670 [preauth]
May 20 06:42:52 office sshd[134972]: Connection closed by authenticating user root 141.98.10.59 port 35848 [preauth]
May 20 06:43:54 office sshd[134975]: Invalid user admin from 141.98.10.97 port 51132
May 20 06:43:54 office sshd[134975]: Connection closed by invalid user admin 141.98.10.97 port 51132 [preauth]
May 20 06:45:54 office sshd[134977]: Connection closed by authenticating user root 141.98.10.97 port 50592 [preauth]
May 20 06:47:52 office sshd[134979]: Invalid user admin from 141.98.10.97 port 50054
May 20 06:47:52 office sshd[134979]: Connection closed by invalid user admin 141.98.10.97 port 50054 [preauth]
May 20 06:49:31 office sshd[135066]: Connection closed by authenticating user root 141.98.10.59 port 38730 [preauth]
May 20 06:49:49 office sshd[135068]: Connection closed by authenticating user root 141.98.10.97 port 44610 [preauth]
May 20 06:51:47 office sshd[135070]: Invalid user admin from 141.98.10.97 port 44068
May 20 06:51:47 office sshd[135070]: Connection closed by invalid user admin 141.98.10.97 port 44068 [preauth]
May 20 06:53:46 office sshd[135072]: Invalid user admin from 141.98.10.97 port 43528
May 20 06:53:46 office sshd[135072]: Connection closed by invalid user admin 141.98.10.97 port 43528 [preauth]
May 20 06:53:58 office sshd[135074]: Accepted publickey for root from 45.11.185.25 port 58066 ssh2: RSA SHA256:pyYXpUxjCuxiKog/r28IVRz4+YJSmGZUgNnu5MTE4A
May 20 06:53:58 office sshd[135074]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 20 06:53:58 office systemd-logind[371]: New session 1535 of user root.
May 20 06:55:43 office sshd[135406]: Invalid user mhamad from 141.98.10.97 port 42988
May 20 06:55:43 office sshd[135406]: Connection closed by invalid user mhamad 141.98.10.97 port 42988 [preauth]
May 20 06:56:06 office sshd[135613]: Invalid user temp from 141.98.10.59 port 41626
May 20 06:56:07 office sshd[135613]: Connection closed by invalid user temp 141.98.10.59 port 41626 [preauth]
May 20 06:57:16 office sshd[135074]: pam_unix(sshd:session): session closed for user root
May 20 06:57:16 office systemd-logind[371]: Session 1535 logged out. Waiting for processes to exit.
May 20 06:57:16 office systemd-logind[371]: Removed session 1535.
May 20 06:57:41 office sshd[135650]: Invalid user admin from 141.98.10.97 port 42448
May 20 06:57:41 office sshd[135650]: Connection closed by invalid user admin 141.98.10.97 port 42448 [preauth]
May 20 06:59:39 office sshd[135652]: Invalid user PrismaHL from 141.98.10.97 port 41908
May 20 06:59:39 office sshd[135652]: Connection closed by invalid user PrismaHL 141.98.10.97 port 41908 [preauth]
May 20 07:01:36 office sshd[135668]: Connection closed by authenticating user sshd 141.98.10.97 port 41366 [preauth]
May 20 07:02:46 office sshd[135670]: Invalid user nelson from 141.98.10.59 port 44516
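As an added example (not code from the original post), a small Python audit that does what the poster did by hand: it fingerprints every key in authorized_keys the way `ssh-keygen -lf` does, matches sshd "Accepted publickey" lines against those fingerprints, and lists keys in the file that no login ever used. The key blobs, addresses and log lines below are constructed sample data, not real keys or the poster's log.

```python
import base64
import hashlib
import re

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as sshd and `ssh-keygen -lf` print it:
    base64(sha256(raw key blob)) with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(text: str) -> dict:
    """Map fingerprint -> comment for each key line (no options prefix handled)."""
    keys = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        comment = parts[2] if len(parts) == 3 else "(no comment)"
        keys[fingerprint(parts[1])] = comment
    return keys

ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")

def audit(log_text: str, keys: dict):
    """Return (logins, never_used): which authorized key each accepted
    publickey login used, plus the keys in the file no login ever used."""
    logins, seen = [], set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        seen.add(m["fp"])
        logins.append((m["ts"], m["user"], m["ip"],
                       keys.get(m["fp"], "NOT IN authorized_keys")))
    never_used = sorted(c for fp, c in keys.items() if fp not in seen)
    return logins, never_used

# Constructed sample data: fake key blobs and TEST-NET addresses, no real keys.
OLD_BLOB = base64.b64encode(b"fake-blob-old-key-2019").decode()
NEW_BLOB = base64.b64encode(b"fake-blob-laptop-2022").decode()
SAMPLE_KEYS = f"ssh-rsa {OLD_BLOB} old-2019\nssh-ed25519 {NEW_BLOB} laptop-2022\n"
SAMPLE_LOG = (
    "May 20 06:53:46 office sshd[1]: Invalid user admin from 198.51.100.9 port 43528\n"
    f"May 20 06:53:58 office sshd[2]: Accepted publickey for root from 203.0.113.7 port 58066 ssh2: RSA {fingerprint(OLD_BLOB)}\n"
    "May 20 07:10:02 office sshd[3]: Accepted publickey for root from 203.0.113.8 port 50001 ssh2: ED25519 SHA256:AAAAnotinfile\n"
)

if __name__ == "__main__":
    logins, never_used = audit(SAMPLE_LOG, load_authorized_keys(SAMPLE_KEYS))
    for entry in logins:
        print(*entry)
    print("never used:", never_used)
```

Run it against the real files with `audit(open('/var/log/auth.log').read(), load_authorized_keys(open('~/.ssh/authorized_keys').read()))`; a login attributed to a key comment you no longer recognise, or a key that never appears in months of logs, is the one to remove.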