Good afternoon, please advise a beginner on how to protect the server. SSH was open and I closed it; earlier there were SSH connections in the auth logs, but now I can't work out where they are getting in from. My suspicion is that they can somehow get in through SAMBA itself over the internet???
Here are the suspicious actions in the SAMBA logs on the day of the CHECKMATE virus attack:
Aug 2 17:15:04 sysadmin smbd_audit: nobody|192.168.100.250|open|ok|r|.
Aug 2 17:15:04 sysadmin smbd_audit: message repeated 52 times: [ nobody|192.168.100.250|open|ok|r|.]
Aug 2 17:15:12 sysadmin systemd[1]: Started CUPS Scheduler.
Aug 2 17:17:01 sysadmin CRON[25540]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Aug 2 17:28:12 sysadmin systemd[1]: Started CUPS Scheduler.
Aug 2 17:54:13 sysadmin systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
Aug 2 18:00:03 sysadmin systemd[1]: Starting Daily apt activities...
Aug 2 18:00:04 sysadmin systemd[1]: Started Daily apt activities.
Aug 2 18:00:04 sysadmin systemd[1]: apt-daily.timer: Adding 41min 40.832059s random time.
Aug 2 18:00:04 sysadmin systemd[1]: apt-daily.timer: Adding 10h 45min 933.345ms random time.
Aug 2 18:07:14 sysadmin systemd[1]: Started CUPS Scheduler.
Aug 2 18:17:01 sysadmin CRON[26260]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Aug 2 18:19:25 sysadmin smbd[26272]: [2022/08/02 18:19:25.408679, 0] ../source3/smbd/sesssetup.c:855(reply_sesssetup_and_X)
Aug 2 18:19:25 sysadmin smbd[26272]: reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.
Aug 2 18:20:14 sysadmin systemd[1]: Started CUPS Scheduler.
Aug 2 18:21:24 sysadmin smbd[26290]: [2022/08/02 18:21:24.795910, 0] ../source3/smbd/sesssetup.c:855(reply_sesssetup_and_X)
Aug 2 18:21:24 sysadmin smbd[26290]: reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.
Aug 2 18:33:15 sysadmin systemd[1]: Started CUPS Scheduler.
Aug 2 18:59:16 sysadmin systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|open|ok|w|!CHECKMATE_DECRYPTION_README
Aug 2 19:03:34 sysadmin smbd_audit: message repeated 7 times: [ nobody|5.44.41.13|open|ok|w|!CHECKMATE_DECRYPTION_README]
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|pwrite|ok|Архитектор/скачка/Исполнительная Региональ/Парк.23А/!CHECKMATE_DECRYPTION_README
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|pwrite|ok|Архитектор/скачка/!CHECKMATE_DECRYPTION_README
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|pwrite|ok|Архитектор/скачка/Исполнительная Региональ/Парк.3/!CHECKMATE_DECRYPTION_README
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|pwrite|ok|Архитектор/СметаТорос/!CHECKMATE_DECRYPTION_README
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|open|ok|w|акт на скрытые работы .xls
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|open|ok|w|торг.центр1.dwg
Aug 2 19:03:34 sysadmin smbd_audit: nobody|5.44.41.13|pwrite|ok|Архитектор/скачка/Исполнительная Региональ/Лен.62А/!CHECKMATE_DECRYPTION_README
And here are the auth logs for the same period:
Aug 2 17:17:01 sysadmin CRON[25539]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 17:17:01 sysadmin CRON[25539]: pam_unix(cron:session): session closed for user root
Aug 2 18:17:01 sysadmin CRON[26259]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 18:17:01 sysadmin CRON[26259]: pam_unix(cron:session): session closed for user root
Aug 2 19:17:02 sysadmin CRON[26971]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 19:17:02 sysadmin CRON[26971]: pam_unix(cron:session): session closed for user root
Aug 2 20:17:01 sysadmin CRON[27676]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 20:17:01 sysadmin CRON[27676]: pam_unix(cron:session): session closed for user root
Aug 2 21:17:01 sysadmin CRON[28384]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 21:17:01 sysadmin CRON[28384]: pam_unix(cron:session): session closed for user root
Aug 2 22:17:01 sysadmin CRON[29063]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 22:17:01 sysadmin CRON[29063]: pam_unix(cron:session): session closed for user root
Aug 2 23:17:01 sysadmin CRON[30074]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 23:17:01 sysadmin CRON[30074]: pam_unix(cron:session): session closed for user root
Aug 2 23:21:01 sysadmin CRON[30135]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 2 23:21:01 sysadmin CRON[30135]: pam_unix(cron:session): session closed for user root
Aug 3 00:17:01 sysadmin CRON[30809]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 3 00:17:01 sysadmin CRON[30809]: pam_unix(cron:session): session closed for user root
Aug 3 01:17:01 sysadmin CRON[31524]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 3 01:17:01 sysadmin CRON[31524]: pam_unix(cron:session): session closed for user root
Aug 3 02:17:01 sysadmin CRON[32210]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 3 02:17:01 sysadmin CRON[32210]: pam_unix(cron:session): session closed for user root
Aug 3 03:17:01 sysadmin CRON[453]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 3 03:17:01 sysadmin CRON[453]: pam_unix(cron:session): session closed for user root