How do I stop large numbers of failed login attempts from fake, spoofed IPs?


My system log file (/var/log/auth.log) shows hundreds of different IPs trying to log in to my system. How can I stop all of these attacks? It looks like all the IP addresses are fake ("ping" or "traceroute"), and the auth.log file always shows hundreds of different IP addresses??

I really need help! Thanks!

I read that other people suggested

  • StrictModes yes (what does this do?)
  • hosts.allow ALL: (if the IP address is from a coffee shop and it is "me", does this let me connect?)

This is what my firewall "iptables" looks like.

asher@starparty:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    

I read that other people recommend...

  • iptables -I INPUT -s -p tcp -m tcp --dport 22 -j ACCEPT

Sample output of SSH remote logins: "tail /var/log/auth.log"

Dec  3 21:24:31 StarParty sshd[66702]: Failed password for root from 51.210.122.207 port 45722 ssh2
Dec  3 21:24:32 StarParty sshd[66702]: Received disconnect from 51.210.122.207 port 45722:11: Bye Bye [preauth]
Dec  3 21:24:32 StarParty sshd[66702]: Disconnected from authenticating user root 51.210.122.207 port 45722 [preauth]
Dec  3 21:24:38 StarParty sshd[66712]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.158.171.64  user=root
Dec  3 21:24:40 StarParty sshd[66712]: Failed password for root from 150.158.171.64 port 55444 ssh2
Dec  3 21:24:41 StarParty sshd[66721]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=142.93.34.237  user=root
Dec  3 21:24:41 StarParty sshd[66712]: Received disconnect from 150.158.171.64 port 55444:11: Bye Bye [preauth]
Dec  3 21:24:41 StarParty sshd[66712]: Disconnected from authenticating user root 150.158.171.64 port 55444 [preauth]
Dec  3 21:24:44 StarParty sshd[66721]: Failed password for root from 142.93.34.237 port 58226 ssh2
Dec  3 21:24:44 StarParty sshd[66721]: Received disconnect from 142.93.34.237 port 58226:11: Bye Bye [preauth]
Dec  3 21:24:44 StarParty sshd[66721]: Disconnected from authenticating user root 142.93.34.237 port 58226 [preauth]
Dec  3 21:25:00 StarParty sshd[66728]: Unable to negotiate with 218.92.0.212 port 45440: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Dec  3 21:25:01 StarParty CRON[66730]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec  3 21:25:01 StarParty CRON[66730]: pam_unix(cron:session): session closed for user root
Dec  3 21:25:26 StarParty sshd[66776]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=150.158.171.64  user=root
Dec  3 21:25:27 StarParty sshd[66776]: Failed password for root from 150.158.171.64 port 33534 ssh2
Dec  3 21:25:30 StarParty sshd[66776]: Received disconnect from 150.158.171.64 port 33534:11: Bye Bye [preauth]
Dec  3 21:25:30 StarParty sshd[66776]: Disconnected from authenticating user root 150.158.171.64 port 33534 [preauth]

"tcpdump -A"

curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256...Arsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,[email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]@openssh.com,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1....none,[email protected],[email protected].......................
21:27:59.780431 IP 46.101.194.220.40238 > starparty.ssh: Flags [.], ack 1098, win 501, options [nop,nop,TS val 431378467 ecr 1031716663], length 0
21:27:59.781114 IP 46.101.194.220.40238 > starparty.ssh: Flags [P.], seq 22:462, ack 1098, win 501, options [nop,nop,TS val 431378471 ecr 1031716663], length 440
[email protected],ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1...#ecdsa-sha2-nistp256,ssh-rsa,ssh-dss...daes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,des-cbc-ssh1...daes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,des-cbc-ssh1...   hmac-sha1...    hmac-sha1....none....none......
21:27:59.781131 IP starparty.ssh > 46.101.194.220.40238: Flags [.], ack 462, win 507, options [nop,nop,TS val 1031716853 ecr 431378471], length 0
21:27:59.983564 STP 802.1d, Config, Flags [none], bridge-id 8000.14:cc:20:b5:54:68.8003, length 35

Other help I found was...... https://help.ubuntu.com/community/IptablesHowTo

Answer 1

You could try the program Fail2Ban: https://www.fail2ban.org/wiki/index.php/Main_Page

It automatically blocks the source IPs of failed login attempts.

It works very well, and there are a lot of options you can configure, such as how many attempts are allowed before a ban, or how long a ban lasts.

But you should consider whether you really want SSH open to the whole world. So if your machine is connected directly to the internet, I would recommend a firewall that blocks everything by default, and only opens ssh for the IPs you need to open it to.
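As an added illustration of what this answer describes (example code, not part of the answer and not fail2ban's own code): a shell script that counts "Failed password" lines per source IP over the question's own auth.log excerpt and lists the addresses that reach a ban threshold. fail2ban adds a time window (findtime) and a ban duration (bantime) on top of this and inserts the firewall rule itself; the threshold values here are assumptions.

```shell
#!/bin/sh
# Added example: the counting step of a fail2ban-style sshd jail.
# Constructed input: the "Failed password" lines from the question's auth.log.
SAMPLE_LOG='Dec  3 21:24:31 StarParty sshd[66702]: Failed password for root from 51.210.122.207 port 45722 ssh2
Dec  3 21:24:40 StarParty sshd[66712]: Failed password for root from 150.158.171.64 port 55444 ssh2
Dec  3 21:24:44 StarParty sshd[66721]: Failed password for root from 142.93.34.237 port 58226 ssh2
Dec  3 21:25:27 StarParty sshd[66776]: Failed password for root from 150.158.171.64 port 33534 ssh2'

# failed_by_ip: read auth.log lines on stdin, print "count ip" per source,
# most failures first. Only "Failed password for ... from <ip>" lines count,
# so the pam_unix line that sshd logs for the same attempt is not counted twice.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ban_candidates THRESHOLD: print the IPs with at least THRESHOLD failures,
# one per line. fail2ban calls this threshold "maxretry".
ban_candidates() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# sample_ban_candidates THRESHOLD: same check over the constructed sample,
# so the logic can be exercised without reading the live log.
sample_ban_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | ban_candidates "$1"
}

# Against the live log you would run, for example:
#   sudo tail -n 1000 /var/log/auth.log | ban_candidates 3
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```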

Answer 2

There are a few things that can be done to eliminate the security risk of having SSH open to the world.

  • Fail2ban (already mentioned) is good. It supports permanent or temporary blocks in the firewall.

  • Run SSH on an odd high port (above 8000). This doesn't stop anything, but it greatly reduces the traffic, because most script kiddies are probing port 22.

  • Make sure PermitRootLogin in sshd_config is not running with the value Yes. You don't need root logins over ssh. You can ssh in as a regular user and then su. That way, two passwords are needed to get admin access (unless this is Ubuntu or a similar system, where the regular user has sudo rights).

  • Consider two-factor authentication. This can be done with commercial products such as Duo or with tools such as Google Authenticator. The setup steps are provided by the vendor.

  • Send an email on successful login. That way, you know immediately whether there was access, before a hacker has a chance to undo any security protections you set up. For this, you need to add a session line to /etc/pam.d/sshd, like this:

    session required pam_exec.so /root/scripts/send-ssh-notice.sh

    There is an example script that provides the details from the variables, available on github: Github hosted sshlogin_alert.sh

    (Yes, I put a link in my answer, why not? The Github code is maintained, supports forking, and gets good feedback. The answers I post won't be revisited by me in the coming months or years. Besides, credit should be given where it's due; this Github user did a good job.)
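An added example of such a pam_exec hook (not the sshlogin_alert.sh script the answer links to, and not part of the answer): pam_exec hands the login details to the script in environment variables, so nothing has to be parsed out of auth.log. The recipient address and the mail command are assumptions; adjust both for your system.

```shell
#!/bin/sh
# Added example: a pam_exec hook for the "session" line in /etc/pam.d/sshd.
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY to
# the script it runs, for both the open and the close of the session.
ALERT_TO="${ALERT_TO:-root@localhost}"   # assumption: where the alert goes

# build_notice: format the alert text from PAM's variables, or print nothing
# when this is not the start of an ssh session (the hook also runs when the
# session closes, with PAM_TYPE=close_session, and for other PAM services if
# the same line is added elsewhere).
build_notice() {
    [ "$PAM_TYPE" = "open_session" ] || return 0
    [ "$PAM_SERVICE" = "sshd" ] || return 0
    printf 'SSH login: user=%s from=%s tty=%s host=%s at %s\n' \
        "$PAM_USER" "${PAM_RHOST:-unknown}" "${PAM_TTY:-?}" \
        "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# main: send the notice if there is one. The script always exits 0: with
# "session required", a non-zero exit from this hook would deny the login,
# so a broken mail setup must not lock you out.
main() {
    notice="$(build_notice)"
    [ -n "$notice" ] || exit 0
    printf '%s\n' "$notice" | mail -s "SSH login on $(uname -n)" "$ALERT_TO" || true
    exit 0
}

# Run main only when executed under the script name used in the PAM line,
# so the functions can be sourced and checked without sending mail.
case "$0" in */send-ssh-notice.sh|send-ssh-notice.sh) main ;; esac
```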

Answer 3

Sad.. too sad?

Maybe I just need to "stop my sshd server"?

:(

Maybe there is some "simple" way that doesn't require installing extra software?

This doesn't solve it yet.. but I think it is the right path?

sudo gedit /etc/ssh/ssh_config 
sudo systemctl restart ssh.service

This is what "ssh_config" looks like...

Include /etc/ssh/ssh_config.d/*.conf

Host *
# PermitRootLogin no
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected]
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

Is it possible to make some changes to "iptables"?