4

I have this in the logs of a postgres instance:

Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 06:20:02.277 UTC [78602] FATAL: password authentication failed for user "postgres"
2021年11月20日 06:20:02.277 UTC [78602] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 06:41:05.211 UTC [79412] FATAL: password authentication failed for user "postgres"
2021年11月20日 06:41:05.211 UTC [79412] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 06:41:45.448 UTC [79517] FATAL: password authentication failed for user "pgsql"
2021年11月20日 06:41:45.448 UTC [79517] DETAIL: Role "pgsql" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 07:01:53.432 UTC [80321] FATAL: password authentication failed for user "postgres"
2021年11月20日 07:01:53.432 UTC [80321] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 07:22:44.231 UTC [81197] FATAL: password authentication failed for user "postgres"
2021年11月20日 07:22:44.231 UTC [81197] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 07:25:30.380 UTC [81317] FATAL: password authentication failed for user "pgsql"
2021年11月20日 07:25:30.380 UTC [81317] DETAIL: Role "pgsql" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 07:43:48.611 UTC [82115] FATAL: password authentication failed for user "postgres"
2021年11月20日 07:43:48.611 UTC [82115] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 07:47:12.673 UTC [82233] FATAL: password authentication failed for user "pgsql"
2021年11月20日 07:47:12.673 UTC [82233] DETAIL: Role "pgsql" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 08:04:33.369 UTC [82925] FATAL: password authentication failed for user "postgres"
2021年11月20日 08:04:33.369 UTC [82925] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 08:09:09.023 UTC [83149] FATAL: password authentication failed for user "pgsql"
2021年11月20日 08:09:09.023 UTC [83149] DETAIL: Role "pgsql" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 08:25:46.146 UTC [83736] FATAL: password authentication failed for user "postgres"
2021年11月20日 08:25:46.146 UTC [83736] DETAIL: Role "postgres" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021年11月20日 08:30:54.629 UTC [83963] FATAL: password authentication failed for user "pgadmin"
2021年11月20日 08:30:54.629 UTC [83963] DETAIL: Role "pgadmin" does not exist.
Connection matched pg_hba.conf line 100: "host all all all scram-sha-256"

This instance is used for tests and contains data of no value, so it is not secured and has a public open port for ease of testing.

What I find odd, if this is an attack, is that the timestamps are spaced a lot: 6:20, 6:41, 7:01, 7:22, 7:25, 7:43, etc. I would expect tons of requests in a short period of time, but there are large gaps between the connections.

What does the "connection matched" message mean?

hmallett
asked Nov 20, 2021 at 9:14
1
  • If I have two lists, one of open ports and one of common passwords, why would I hammer one port with every password, rather than every port with one password? The first one seems more likely to get me detected/reported, and offers no advantage. Commented Nov 20, 2021 at 21:12

1 Answer

2

I cannot tell you who tries to log in, but you could add %h to log_line_prefix to see the client address.

"Connection matched pg_hba.conf line 100" means that the incoming connection matched that pg_hba.conf line (which is no surprise, since it contains all wildcards), and as a consequence, scram-sha-256 password authentication was attempted (and failed).

I recommend using less generic pg_hba.conf entries, so that attackers have less chance to intrude with a guessed password.

answered Nov 20, 2021 at 17:15
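
Added example (not part of the answer above and not PostgreSQL's own tooling): once %h is in log_line_prefix, as the answer suggests, failed logins can be grouped per client address and the spacing noticed in the question measured per source. It assumes log_line_prefix = '%m [%p] %h '; the client addresses and the "app" role are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumes log_line_prefix = '%m [%p] %h ' (timestamp, pid, client address).
LINE = re.compile(r'^(?P<ts>[\d-]+ [\d:.]+) \S+ \[\d+\] (?P<host>\S+) '
                  r'(?P<level>FATAL|DETAIL):\s+(?P<msg>.*)$')
FAILED = re.compile(r'password authentication failed for user "([^"]+)"')
NO_ROLE = re.compile(r'Role "[^"]+" does not exist')

# Constructed sample: timestamps follow the question, addresses are documentation ranges.
SAMPLE_LOG = '''\
2021-11-20 06:20:02.277 UTC [78602] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2021-11-20 06:20:02.277 UTC [78602] 203.0.113.7 DETAIL:  Role "postgres" does not exist.
\tConnection matched pg_hba.conf line 100: "host all all all scram-sha-256"
2021-11-20 06:30:11.015 UTC [78990] 198.51.100.20 FATAL:  password authentication failed for user "app"
2021-11-20 06:41:05.211 UTC [79412] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2021-11-20 06:41:05.211 UTC [79412] 203.0.113.7 DETAIL:  Role "postgres" does not exist.
2021-11-20 07:01:53.432 UTC [80321] 203.0.113.7 FATAL:  password authentication failed for user "pgsql"
2021-11-20 07:01:53.432 UTC [80321] 203.0.113.7 DETAIL:  Role "pgsql" does not exist.
'''

def summarize(log_text):
    """Per client address: failed attempts, user names tried, gap between attempts."""
    hosts = defaultdict(lambda: {"times": [], "users": set(), "unknown_roles": 0})
    # Unprefixed continuation lines ("Connection matched ...") do not match and are skipped.
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        failed = FAILED.search(m["msg"])
        if m["level"] == "FATAL" and failed:
            h = hosts[m["host"]]
            h["times"].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
            h["users"].add(failed[1])
        elif m["level"] == "DETAIL" and NO_ROLE.search(m["msg"]):
            hosts[m["host"]]["unknown_roles"] += 1
    report = {}
    for host, h in hosts.items():
        times = sorted(h["times"])
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report[host] = {"attempts": len(times), "users": sorted(h["users"]),
                        "unknown_roles": h["unknown_roles"],
                        "median_gap_min": round(statistics.median(gaps), 1) if gaps else None}
    return report

def guessers(report, min_attempts=3):
    """Addresses whose every failed login named a role that does not exist."""
    return sorted(host for host, r in report.items()
                  if r["attempts"] >= min_attempts and r["unknown_roles"] == r["attempts"])
```

A source that only ever names roles that do not exist is guessing default account names rather than mistyping a password, however slowly it does so.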
