Possible duplicate:
Hundreds of failed ssh logins
Recently I have been spending more time on production servers, trying to puppetize a few configurations, and I happened to issue the command find /var/log -mmin1, which returned the /var/log/secure file (among others). Curious about the activity recently logged to this particular file, I started tailing it and recorded the following entries:
Jan 9 22:15:59 myhost sshd[22916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82 user=apache
Jan 9 22:16:01 myhost sshd[22916]: Failed password for apache from 58.213.48.82 port 36464 ssh2
Jan 9 22:16:01 myhost sshd[22917]: Received disconnect from 58.213.48.82: 11: Bye Bye
Jan 9 22:16:03 myhost unix_chkpwd[22922]: password check failed for user (apache)
Jan 9 22:16:03 myhost sshd[22919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82 user=apache
Jan 9 22:16:04 myhost sshd[22919]: Failed password for apache from 58.213.48.82 port 37392 ssh2
Jan 9 22:16:05 myhost sshd[22920]: Received disconnect from 58.213.48.82: 11: Bye Bye
Jan 9 22:16:06 myhost unix_chkpwd[22925]: password check failed for user (apache)
Jan 9 22:16:06 myhost sshd[22923]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.213.48.82 user=apache
Jan 9 22:16:08 myhost sshd[22923]: Failed password for apache from 58.213.48.82 port 38244 ssh2
Jan 9 22:16:08 myhost sshd[22924]: Received disconnect from 58.213.48.82: 11: Bye Bye
That doesn't look too friendly, but I did notice that the requests came from the same IP address to different local ports. So I ran whois 58.213.48.82, which returned the following:
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-4]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 58.208.0.0 - 58.223.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
....
This doesn't look too friendly either. So, is this a potential attack? How should I deal with it? Set up an entry in IPTables to block any requests from the given IP?
Answer 1
This is normal. I get lots of these every day from all over the world.
It is good practice to prevent these login attempts.
3 possible approaches.
1. Set up a firewall rule that blocks everyone except known good IPs from the ssh port 22.
2. Install and configure a tool like fail2ban. It will automatically block repeated login failures via firewall rules, and it unblocks again after a timeout (in case you lock yourself out!).
3. Both 1 and 2.
Of the first two, approach 1 is the most secure. But it is not always appropriate. For example, you might be running sftp and want users to access it, but you are not sure of their IP ranges. So 2 alone may be appropriate. However, installing both is the most secure setup.
Here are the users fail2ban has recently blocked on my server:
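As an added example (not part of the question or the answer), here is the maxretry/findtime logic that fail2ban applies, written out over constructed lines modelled on the sshd entries above; the thresholds, the year and the 192.0.2.10 lines are assumptions, and the emitted rules are the per-source DROP entries the answer's fail2ban listing shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the question's /var/log/secure lines, plus a legitimate 192.0.2.10 user.
SAMPLE_LOG = """\
Jan 9 22:16:01 myhost sshd[22916]: Failed password for apache from 58.213.48.82 port 36464 ssh2
Jan 9 22:16:04 myhost sshd[22919]: Failed password for apache from 58.213.48.82 port 37392 ssh2
Jan 9 22:16:08 myhost sshd[22923]: Failed password for apache from 58.213.48.82 port 38244 ssh2
Jan 9 22:16:09 myhost sshd[22930]: Failed password for invalid user test from 58.213.48.82 port 38901 ssh2
Jan 9 22:20:30 myhost sshd[23001]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jan 9 22:21:00 myhost sshd[23002]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
"""

# sshd writes "invalid user" before the name when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year):
    """Yield (timestamp, user, ip) per 'Failed password' line; syslog omits the year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_offenders(text, year=2012, maxretry=3, findtime=600):
    """Return {ip: total_failures} for sources with maxretry failures within findtime
    seconds, i.e. fail2ban's maxretry/findtime rule (the defaults here are assumptions)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(text, year):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                offenders[ip] = len(stamps)
                break
    return offenders

def iptables_rules(offenders):
    """Build the per-source DROP rules that fail2ban inserts for each offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

Feeding it a real /var/log/secure instead of SAMPLE_LOG shows which sources fail2ban would ban under the chosen thresholds without touching the firewall.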