使用 almalinux 設定新的 VPS。
我已經使用以下設定設定了firewalld
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https
ports: 80/tcp 443/tcp 7822/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
當連接的連接埠關閉時,為什麼在 /var/log/secure 中仍然有失敗的登入嘗試?
Apr 15 14:11:57 server sshd[46737]: Failed password for root from 148.113.133.177 port 43582 ssh2
Apr 15 14:11:57 server sshd[46737]: Received disconnect from 148.113.133.177 port 43582:11: Bye Bye [preauth]
Apr 15 14:12:15 server sshd[46743]: Invalid user chenyoumin from 27.254.149.199 port 60384
Apr 15 14:12:15 server sshd[46743]: pam_unix(sshd:auth): check pass; user unknown
Apr 15 14:12:15 server sshd[46743]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=27.254.149.199
當我嘗試使用隨機連接埠 ssh 登入伺服器時:
ssh -p 50645 [email protected]
它返回:
ssh: connect to host server.com port 50645: No route to host
/var/log/secure 中沒有記錄任何內容。
更新
我已經停用了firewalld並啟用了nftables。我已經載入了以下規則集
table inet firewall {
chain inbound_ipv4 {
}
chain inbound_ipv6 {
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
}
chain inbound {
type filter hook input priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept }
iifname "lo" accept
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
tcp dport { 80, 443, 7822 } accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
}
table inet f2b-table {
set addr-set-sshd {
type ipv4_addr
elements = { 45.89.110.110 }
}
chain f2b-chain {
type filter hook input priority filter - 1; policy accept;
meta l4proto { tcp } ip saddr @addr-set-sshd reject
}
}
現在這似乎運作得很好。任何 ssh 到 7822 以外的連接埠的嘗試都會掛起,日誌中沒有任何條目。
但我仍然在日誌中看到機器人的暴力嘗試。他們是如何做到這一點的?在應用規則之前,他們是否以某種方式打開了這些連接?如何在不重新啟動 VPS 的情況下斷開這些連線?
Apr 16 14:30:39 server sshd[61577]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:30:39 server sshd[61577]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.39.133.250
Apr 16 14:30:41 server sshd[61577]: Failed password for invalid user user from 103.39.133.250 port 48096 ssh2
Apr 16 14:30:46 server sshd[61580]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.156.239.10 user=root
Apr 16 14:30:49 server sshd[61580]: Failed password for root from 43.156.239.10 port 40702 ssh2
Apr 16 14:30:58 server sshd[61583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=165.22.96.129 user=root
Apr 16 14:31:00 server sshd[61583]: Failed password for root from 165.22.96.129 port 49100 ssh2
Apr 16 14:31:14 server sshd[61586]: Invalid user user from 43.156.82.82 port 36394
Apr 16 14:31:14 server sshd[61586]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:31:14 server sshd[61586]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=43.156.82.82
Apr 16 14:31:16 server sshd[61586]: Failed password for invalid user user from 43.156.82.82 port 36394 ssh2
Apr 16 14:31:18 server sshd[61589]: Invalid user ubuntu from 213.190.4.134 port 36238
Apr 16 14:31:18 server sshd[61589]: pam_unix(sshd:auth): check pass; user unknown
Apr 16 14:31:18 server sshd[61589]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=213.190.4.134
Apr 16 14:31:20 server sshd[61589]: Failed password for invalid user ubuntu from 213.190.4.134 port 36238 ssh2
答案1
我沒有在 iptables-save 輸出中看到您應用的防火牆策略。
您的輸入變更具有接受的預設策略。它只會跳到 f2b-SSH 鏈,我懷疑該鍊是由 failed2ban 管理的,並禁止許多來源主機(我懷疑它們正在攻擊您的 sshd 伺服器)。
如果該位址未被fail2ban 禁止,它將最終被接受,這就是您在日誌中看到訊息的原因。
你啟動firewalld了嗎?是否正常啟動?
順便說一句,AlmaLinux 是什麼? 8 仍在 iptables 上,9 仍在 nftables AFAIR 上。如果這是 AlmaLinux 9,請提供nft list ruleset輸出。