我正在将系统设置为通过电子邮件向我发送报告。我正在发布一份日志报告(见下文)。此日志显示有数千次尝试闯入。
问题:
- 我已经
denyhosts
安装fail2ban
了,为什么他们不屏蔽IP? - 有没有办法禁止/黑名单显示在日志中的 IP,如下所示?
我可以采取哪些措施来应对此类攻击?
笔记:
sshd
在日志中,请注意有一些 IP 地址进行了数千次登录尝试。- 为什么它说:“忽略最大重试次数”,我可以设置它,这样它就不会忽略“最大重试次数”吗?
笔记:我的系统是Fedora 20
日志样本
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Tue Sep 16 03:35:07 2014
Date Range Processed: yesterday
( 2014-Sep-15 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: Hostname
##################################################################
--------------------- Kernel Begin ------------------------
WARNING: Segmentation Faults in these executables
polkitd : 2 Time(s)
WARNING: General Protection Faults in these executables
traps: polkitd : 6 Time(s)
WARNING: Kernel Errors Present
INFO: recovery required on readonly filesyste ...: 1 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x100) ...: 14 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x4) ...: 8 Time(s)
ata2.00: irq_stat 0x08000000, interface fatal error ...: 10 Time(s)
ata2: SError: { CommWake DevE ...: 52 Time(s)
ata2: SError: { LinkSeq } ...: 8 Time(s)
ata2: SError: { UnrecovData L ...: 2 Time(s)
res 50/00:03:00:08:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error) ...: 5 Time(s)
---------------------- Kernel End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (219.138.135.64): 3850 Time(s)
root (122.225.103.125): 1016 Time(s)
root (122.225.109.106): 256 Time(s)
root (122.225.109.205): 194 Time(s)
root (122.225.109.208): 183 Time(s)
root (122.225.109.216): 178 Time(s)
unknown (122.225.109.208): 63 Time(s)
unknown (122.225.109.106): 57 Time(s)
unknown (122.225.109.216): 54 Time(s)
unknown (122.225.109.205): 22 Time(s)
unknown (113.106.88.235): 14 Time(s)
bin (113.106.88.235): 1 Time(s)
nagios (113.106.88.235): 1 Time(s)
tomcat (113.106.88.235): 1 Time(s)
Invalid Users:
Unknown Account: 210 Time(s)
Unknown Entries:
service(sshd) ignoring max retries; 6 > 3: 945 Time(s)
service(sshd) ignoring max retries; 5 > 3: 29 Time(s)
service(sshd) ignoring max retries; 4 > 3: 6 Time(s)
su:
Authentication Failures:
UserName(1000) -> root: 1 Time(s)
Sessions Opened:
UserName -> root: 6 Time(s)
systemd-user:
Unknown Entries:
session opened for user UserName by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
polkitd: <no filename>:0: uncaught exception: Terminating runaway script: 1 Time(s)
polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 3 Time(s)
polkitd: Error evaluating authorization rules: 1 Time(s)
polkitd: Finished loading, compiling and executing 6 rules: 3 Time(s)
polkitd: Loading rules from directory /etc/polkit-1/rules.d: 3 Time(s)
polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 3 Time(s)
polkitd: Operator of unix-session:1 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.problems.getall for system-bus-name::1.66 [/usr/bin/abrt-applet] (owned by unix-user:UserName): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:1 (system bus name :1.70 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:13 (system bus name :1.92 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Terminating runaway script: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
Disconnecting after too many authentication failures for user:
admin : 30 Time(s)
root : 937 Time(s)
Failed logins from:
113.106.88.235: 2 times
122.225.103.125: 1016 times
122.225.109.106: 256 times
122.225.109.205: 194 times
122.225.109.208: 183 times
122.225.109.216: 178 times
219.138.135.64: 3850 times
Illegal users from:
undef: 14 times
113.106.88.235: 15 times
122.225.109.106: 57 times
122.225.109.205: 22 times
122.225.109.208: 63 times
122.225.109.216: 54 times
Login attempted when shell does not exist:
tomcat : 1 Time(s)
Received disconnect:
11: Bye Bye [preauth] : 16 Time(s)
**Unmatched Entries**
PAM service(sshd) ignoring max retries; 6 > 3 : 945 time(s)
ecryptfs: pam_sm_authenticate: pam_ecryptfs: Error getting passwd info for user; rc = [0] : 210 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 6 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "nagios" : 1 time(s)
PAM service(sshd) ignoring max retries; 5 > 3 : 29 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bin" : 1 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 5677 time(s)
fatal: Write failed: Connection reset by peer [preauth] : 17 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "tomcat" : 1 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
UserName => root
----------------
/bin/yum - 2 Time(s).
---------------------- Sudo (secure-log) End -------------------------
--------------------- yum Begin ------------------------
Packages Installed:
binutils-2.23.88.0.1-13.fc20.x86_64
libgomp-4.8.3-1.fc20.x86_64
perl-Sys-CPU-0.54-5.fc20.x86_64
VirtualBox-4.3.16-1.fc20.x86_64
1:make-3.82-19.fc20.x86_64
glibc-devel-2.18-14.fc20.x86_64
logwatch-7.4.0-33.20140704svn198.fc20.noarch
kernel-headers-3.16.2-200.fc20.x86_64
glibc-headers-2.18-14.fc20.x86_64
epylog-1.0.7-6.fc20.noarch
perl-Sys-MemInfo-0.91-8.fc20.x86_64
akmod-VirtualBox-4.3.16-1.fc20.x86_64
gcc-4.8.3-1.fc20.x86_64
dkms-2.2.0.3-25.fc20.noarch
libgomp-4.8.3-1.fc20.i686
patch-2.7.1-7.fc20.x86_64
Packages Erased:
kmod-VirtualBox-3.15.10-200.fc20.x86_64-4.3.14-1.fc20.6.x86_64
kmod-VirtualBox-3.16.2-200.fc20.x86_64-4.3.16-1.fc20.x86_64
kmod-VirtualBox-3.15.10-201.fc20.x86_64-4.3.14-1.fc20.7.x86_64
---------------------- yum End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/luks- 59G 55G 1.3G 98% /
devtmpfs 5.8G 0 5.8G 0% /dev
/dev/sda2 477M 131M 317M 30% /boot
/dev/sda1 200M 9.5M 191M 5% /boot/efi
/dev/mapper/fedora_Hostname-home 395G 236G 156G 61% /home
/dev/mapper/luks- => 98% Used. Warning. Disk Filling up.
---------------------- Disk Space End -------------------------
--------------------- Fortune Begin ------------------------
One man's brain plus one other will produce one half as many ideas as one
man would have produced alone. These two plus two more will produce half
again as many ideas. These four plus four more begin to represent a
creative meeting, and the ratio changes to one quarter as many ...
-- Anthony Chevins
---------------------- Fortune End -------------------------
--------------------- lm_sensors output Begin ------------------------
coretemp-isa-0000
Adapter: ISA adapter
Physical id 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 1: +51.0 C (high = +100.0 C, crit = +100.0 C)
---------------------- lm_sensors output End -------------------------
###################### Logwatch End #########################
编辑#1
显然没有运行,我认为它与安装时自动设置的fail2ban
相同。denyhosts
这是输出fail2ban-client
:
root ~ # fail2ban-client status
ERROR Unable to contact server. Is it running?
root ~ # systemctl start fail2ban
root ~ # fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
root ~ # fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
答案1
我将尝试在这里专门回答问题 3,因为看来您已经找到了能够回答问题 1 和 2 的 failed2ban 的配置部分。如果想增强 SSH 的安全性,我建议采用以下方法。
- 确保严格模式设置为 true
- 禁用 root 登录
- 更改您的 SSH 端口
- 禁用密码登录
- 使用端口敲击
要回答您的编辑,您需要在 /etc/fail2ban/filter.d/ssh.conf 中创建 ssh 配置并粘贴以下内容...
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
如果您已经按照我的建议更改了端口,您可以在此处设置端口号。重新启动fail2ban并测试。