Preventing spoofed IPs causing mass login failures?

My system log file (/var/log/auth.log) shows hundreds of different IPs trying to log into my system. How can I prevent all these attacks? It looks like all the IP addresses are fake ("ping" or "traceroute"); hundreds of different IP addresses always show up in the auth.log file?

I really need help! Thanks!

I have been reading other people's suggestions

  • StrictModes yes (what does this do?)
  • Hosts.allow ALL : (if the IP address is from a coffee shop and it is "me", does this allow me to connect?)

This is what my firewall ("iptables") looks like.

asher@starparty:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

I have been reading other people's recommendations...

  • iptables -I INPUT -s -p tcp -m tcp --dport 22 -j ACCEPT

Example output for SSH remote logins: "tail /var/log/auth.log"

Dec  3 21:24:31 StarParty sshd[66702]: Failed password for root from 51.210.122.207 port 45722 ssh2
Dec  3 21:24:32 StarParty sshd[66702]: Received disconnect from 51.210.122.207 port 45722:11: Bye Bye [preauth]
Dec  3 21:24:32 StarParty sshd[66702]: Disconnected from authenticating user root 51.210.122.207 port 45722 [preauth]
Dec  3 21:24:38 StarParty sshd[66712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.158.171.64  user=root
Dec  3 21:24:40 StarParty sshd[66712]: Failed password for root from 150.158.171.64 port 55444 ssh2
Dec  3 21:24:41 StarParty sshd[66721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=142.93.34.237  user=root
Dec  3 21:24:41 StarParty sshd[66712]: Received disconnect from 150.158.171.64 port 55444:11: Bye Bye [preauth]
Dec  3 21:24:41 StarParty sshd[66712]: Disconnected from authenticating user root 150.158.171.64 port 55444 [preauth]
Dec  3 21:24:44 StarParty sshd[66721]: Failed password for root from 142.93.34.237 port 58226 ssh2
Dec  3 21:24:44 StarParty sshd[66721]: Received disconnect from 142.93.34.237 port 58226:11: Bye Bye [preauth]
Dec  3 21:24:44 StarParty sshd[66721]: Disconnected from authenticating user root 142.93.34.237 port 58226 [preauth]
Dec  3 21:25:00 StarParty sshd[66728]: Unable to negotiate with 218.92.0.212 port 45440: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Dec  3 21:25:01 StarParty CRON[66730]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  3 21:25:01 StarParty CRON[66730]: pam_unix(cron:session): session closed for user root
Dec  3 21:25:26 StarParty sshd[66776]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.158.171.64  user=root
Dec  3 21:25:27 StarParty sshd[66776]: Failed password for root from 150.158.171.64 port 33534 ssh2
Dec  3 21:25:30 StarParty sshd[66776]: Received disconnect from 150.158.171.64 port 33534:11: Bye Bye [preauth]
Dec  3 21:25:30 StarParty sshd[66776]: Disconnected from authenticating user root 150.158.171.64 port 33534 [preauth]

"tcpdump -A"

curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256...Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]@openssh.com,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1....none,[email protected],[email protected].......................
21:27:59.780431 IP 46.101.194.220.40238 > starparty.ssh: Flags [.], ack 1098, win 501, options [nop,nop,TS val 431378467 ecr 1031716663], length 0
21:27:59.781114 IP 46.101.194.220.40238 > starparty.ssh: Flags [P.], seq 22:462, ack 1098, win 501, options [nop,nop,TS val 431378471 ecr 1031716663], length 440
[email protected],ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1...#ecdsa-sha2-nistp256,ssh-rsa,ssh-dss...daes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,des-cbc-ssh1...daes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,des-cbc-ssh1...   hmac-sha1...    hmac-sha1....none....none......
21:27:59.781131 IP starparty.ssh > 46.101.194.220.40238: Flags [.], ack 462, win 507, options [nop,nop,TS val 1031716853 ecr 431378471], length 0
21:27:59.983564 STP 802.1d, Config, Flags [none], bridge-id 8000.14:cc:20:b5:54:68.8003, length 35

Other help I found is... https://help.ubuntu.com/community/IptablesHowTo

Answer 1

You can try the Fail2Ban program https://www.fail2ban.org/wiki/index.php/Main_Page

It will automatically block source IPs that have failed login attempts.

It works very well, and you have many options to configure it, for example how many attempts are allowed before a ban, or how long the ban lasts.

But you should consider whether you really want SSH open to the whole world. So if your computer is connected directly to the Internet, I recommend a firewall that blocks everything by default, and only opens ssh from the IPs you need.
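The ban logic this answer describes, as an added example (not Fail2Ban's own code): count password failures per source IP inside a sliding window (Fail2Ban's `findtime`), ban once `maxretry` is reached, and let the ban expire after `bantime`. It runs over constructed auth.log lines modelled on the question's excerpt; the log year and the iptables rule a ban would insert are assumptions.

```python
"""Fail2Ban-style ban logic for sshd, as an added example (not Fail2Ban's own
code), run over constructed auth.log lines modelled on the question's excerpt."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# syslog timestamps carry no year; assume one so they can be compared (assumption)
LOG_YEAR = 2023

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
# Only the "Failed password" line is counted. The pam_unix(sshd:auth) line that
# precedes it in the question's log describes the same attempt; counting both
# would double every failure.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_ts(text):
    """Parse a syslog-style timestamp such as 'Dec  3 21:24:31'."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_failure(line):
    """Return (timestamp, source_ip) for an sshd password failure, else None."""
    m_ts = TS_RE.match(line)
    m_fail = FAILED_RE.search(line)
    if not (m_ts and m_fail):
        return None
    return parse_ts(m_ts["ts"]), m_fail["ip"]


def ban_command(ip, port=22):
    """The iptables rule a ban action would insert (returned, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", str(port), "-j", "DROP"]


class Jail:
    """Ban an IP after `maxretry` failures inside `findtime` seconds, for `bantime`
    seconds. Fail2Ban's stock defaults are maxretry=5, findtime=600, bantime=600."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.recent = defaultdict(deque)  # ip -> failure timestamps still inside findtime
        self.bans = {}                    # ip -> time the ban expires

    def is_banned(self, ip, when):
        """`when` is a syslog-style timestamp string such as 'Dec  3 21:30:00'."""
        expiry = self.bans.get(ip)
        return expiry is not None and parse_ts(when) < expiry

    def feed(self, line):
        """Process one log line; return the ip if this line triggered a ban, else None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip = parsed
        window = self.recent[ip]
        window.append(ts)
        # drop failures that have aged out of the findtime window
        while (ts - window[0]) > timedelta(seconds=self.findtime):
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def run(lines, **jail_opts):
    """Feed every line to a Jail; return (jail, ips banned in order)."""
    jail = Jail(**jail_opts)
    banned = [ip for ip in map(jail.feed, lines) if ip]
    return jail, banned


# Constructed sample, modelled on the question's auth.log excerpt (not real traffic).
# 150.158.171.64 fails three times in two minutes; 142.93.34.237 fails twice,
# then once more 25 minutes later, i.e. never three times inside findtime.
SAMPLE_LOG = """\
Dec  3 21:24:31 StarParty sshd[66702]: Failed password for root from 51.210.122.207 port 45722 ssh2
Dec  3 21:24:38 StarParty sshd[66712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.158.171.64  user=root
Dec  3 21:24:40 StarParty sshd[66712]: Failed password for root from 150.158.171.64 port 55444 ssh2
Dec  3 21:24:44 StarParty sshd[66721]: Failed password for root from 142.93.34.237 port 58226 ssh2
Dec  3 21:24:50 StarParty sshd[66723]: Failed password for root from 142.93.34.237 port 58300 ssh2
Dec  3 21:25:00 StarParty sshd[66728]: Unable to negotiate with 218.92.0.212 port 45440: no matching key exchange method found. [preauth]
Dec  3 21:25:01 StarParty CRON[66730]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  3 21:25:27 StarParty sshd[66776]: Failed password for root from 150.158.171.64 port 33534 ssh2
Dec  3 21:26:10 StarParty sshd[66790]: Failed password for invalid user admin from 150.158.171.64 port 33600 ssh2
Dec  3 21:50:00 StarParty sshd[66900]: Failed password for root from 142.93.34.237 port 41000 ssh2
""".splitlines()

if __name__ == "__main__":
    jail, banned = run(SAMPLE_LOG, maxretry=3, findtime=600, bantime=3600)
    for ip in banned:
        print("ban", ip, "->", " ".join(ban_command(ip)))
```

With maxretry=3 and findtime=600 only 150.158.171.64 is banned; 142.93.34.237 never has three failures inside one ten-minute window, which is why a short findtime lets slow, distributed guessing through and why the default-deny firewall in this answer is the stronger control.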

Answer 2

There are a few things that can remove the security risk of opening SSH to the world.

  • Fail2ban (already mentioned) is good. It supports blocking in the firewall permanently or only for a period of time.

  • Run SSH on an odd high port (above 8000).

  • Make sure PermitRootLogin in sshd_config is not active with a value of Yes. You don't need root logins over ssh. You can ssh in as a normal user and then su. That way two passwords are needed to gain admin access (unless this is Ubuntu or similar, where the normal user has sudo rights).

  • Consider two-factor authentication. This can be done with commercial products such as Duo, or with tools such as Google Authenticator. The setup steps will come from the vendor.

  • Send an email on successful login. This lets you know immediately whether someone has gained access, before a hacker has a chance to defeat whatever safeguards you have set up. To do this you need to add a session line to /etc/pam.d/sshd like this:

    session required pam_exec.so /root/scripts/send-ssh-notice.sh

    There is an example script that provides the variable details, which can be found on github: Github hosted sshlogin_alert.sh

    (Yes, I have put a link in my answer, why not? Github code is maintained, supports forks, and gets good feedback. The answer I post will not be revisited by me in the coming months or years.)
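The login-notice hook from the last bullet, as an added example. This is not the sshlogin_alert.sh script the answer links to and not part of pam_exec; the script path, the recipient address and the use of a local sendmail are assumptions. pam_exec(8) exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY into the hook's environment, and the hook is invoked for both session open and session close, so it must filter on PAM_TYPE.

```python
#!/usr/bin/env python3
"""Added example of a pam_exec session hook for sshd (not the script linked in
the answer). Installed, under an assumed path, with this line in /etc/pam.d/sshd:
    session required pam_exec.so /root/scripts/send-ssh-notice.py
"""
import os
import socket
import subprocess
import sys
from datetime import datetime, timezone

MAIL_TO = "root@localhost"  # assumption: local mailbox; change to your address


def sanitize(value, limit=64):
    """Keep only printable, non-control characters so a PAM-supplied value cannot
    inject mail headers or terminal escapes when interpolated into the notice."""
    return "".join(ch for ch in value if ch.isprintable())[:limit]


def build_notice(env, hostname="starparty", now=None):
    """Return the alert text for a newly opened sshd session, or None when this
    invocation should send nothing (session close, or another PAM service)."""
    if env.get("PAM_TYPE") != "open_session":   # the hook also runs on close_session
        return None
    if env.get("PAM_SERVICE") != "sshd":        # only sshd sessions, even if reused elsewhere
        return None
    user = sanitize(env.get("PAM_USER", "?"))
    rhost = sanitize(env.get("PAM_RHOST", "?"))
    tty = sanitize(env.get("PAM_TTY", "?"))
    when = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"SSH login on {hostname}: user={user} from={rhost} tty={tty} at {when}"


def send_mail(subject, body, to=MAIL_TO):
    """Hand the notice to the local MTA via sendmail (assumes one is installed)."""
    msg = f"To: {to}\nSubject: {sanitize(subject, 200)}\n\n{body}\n"
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=msg.encode(), check=True)


if __name__ == "__main__":
    notice = build_notice(os.environ, hostname=socket.gethostname())
    if notice:
        try:
            send_mail("SSH login notice", notice)
        except Exception as exc:
            # Never fail the PAM stack: with `session required`, a non-zero exit
            # would deny the very login we only wanted to report.
            print(f"send-ssh-notice: {exc}", file=sys.stderr)
    sys.exit(0)
```

Make the file executable and root-owned (pam_exec runs it as root), and keep the unconditional `exit 0`: a mail outage must not turn into a lockout.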

Answer 3

Sad.. so sad?

Maybe I just need to "stop my sshd server"?

:(

Maybe there is some "simple" way without installing extra software?

This hasn't solved the problem yet.. but I think it is on the right track?

sudo gedit /etc/ssh/ssh_config 
sudo systemctl restart ssh.service

This is what "ssh_config" looks like......

Include /etc/ssh/ssh_config.d/*.conf

Host *
# PermitRootLogin no
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

Can some changes also be made to "iptables"?
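Added note and example, not part of the thread: /etc/ssh/ssh_config, the file shown above, configures the ssh client (outgoing connections), so the PermitRootLogin and Port lines in it have no effect on who can log in. The server, sshd, reads /etc/ssh/sshd_config and, on current Ubuntu, the drop-ins it includes from /etc/ssh/sshd_config.d/. The settings from Answer 2 belong there; the drop-in file name and the port number below are illustrative assumptions.

```text
# /etc/ssh/sshd_config.d/50-hardening.conf   (assumed name; sshd keeps the
# first value it reads for a keyword, so a drop-in overrides sshd_config)

# assumption: any free high port, as Answer 2 suggests; open it in iptables first
Port 8822

# log in as a normal user, then su or sudo (Answer 2)
PermitRootLogin no

# fewer password guesses per connection before sshd drops it
MaxAuthTries 3
```

Before restarting, validate the file with `sudo sshd -t` and confirm the effective values with `sudo sshd -T | grep -iE '^(port|permitrootlogin|maxauthtries)'`; then `sudo systemctl restart ssh.service`, and keep your current session open until a fresh login on the new port succeeds.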
