我最近收到了 OSSEC HIDS 的通知,警告我有关 SSHD 暴力攻击。为了完整起见,我在下面报告了整个消息:
OSSEC HIDS Notification.
2020 Mar 03 12:00:17
Received From: commodore->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src IP: 188.166.xxx.xxx
Portion of the log(s):
Mar 3 12:00:16 commodore sshd[21661]: Disconnected from invalid user www 188.166.xxx.xxx port 45788 [preauth]
Mar 3 12:00:16 commodore sshd[21661]: Invalid user www from 188.166.xxx.xxx port 45788
Mar 3 11:59:53 commodore sshd[21204]: Disconnected from invalid user weblogic 188.166.xxx.xxx port 34582 [preauth]
Mar 3 11:59:53 commodore sshd[21204]: Invalid user weblogic from 188.166.xxx.xxx port 34582
Mar 3 11:59:08 commodore sshd[21198]: Disconnected from invalid user stack 188.166.xxx.xxx port 40352 [preauth]
Mar 3 11:59:08 commodore sshd[21198]: Invalid user stack from 188.166.xxx.xxx port 40352
Mar 3 11:58:28 commodore sshd[21193]: Disconnected from invalid user jira 188.166.xxx.xxx port 46186 [preauth]
Mar 3 11:58:28 commodore sshd[21193]: Invalid user jira from 188.166.xxx.xxx port 46186
为了加强对我的机器的 SSH 访问,我将我的公钥上传到我的 VPS 并禁用了 SSH 密码验证。总而言之,我进行了/etc/ssh/sshd_config如下编辑:
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Banner none
AllowTcpForwarding no
GatewayPorts no
AddressFamily inet
目前我的 iptables 规则是:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
由于我不是经验丰富的管理员,如果您能建议我应该采取什么措施来应对此类攻击,我将不胜感激。我的 sshd 和防火墙配置是否足够,或者是否需要采取进一步的措施,例如阻止 188.166.xxx.xxx IP 地址?
答案1
您可以使用fail2ban。这将对尝试次数过多的 IP 地址进行临时阻止。
您可以检查一下:如何在 Ubuntu Server 18.04 上安装 fail2ban。它也适用于其他版本。
答案2
您可以使用recentiptables 中的模块自动识别和禁止坏人。但是,近年来,大玩家(主要是中国)只是切换到同一子网上的另一个 IP 地址并继续攻击,所以我现在使用任意位掩码进行阻止。(我不关心附带损害,但其他人可能关心。)实际上,我现在使用 ipsec 并阻止整个中国,但这是另一个话题。示例 iptables 规则:
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --mask $BIT_MASK --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --mask $BIT_MASK --set --name BADGUY_SSH -j ACCEPT
这些规则可能在某处被这样规定过:
# Allow any related traffic coming back to the server in.
#
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
就我而言:
#Arbitrary bit mask for the automatic IP blocking stuff (v2.08)
#
BIT_MASK="255.255.252.0"
请注意,我还对文件做了另一项更改,/etc/ssh/sshd_config以减少每个连接的登录尝试次数:
#Smythies.com
#Limit the number of bad passwords per connection to 2. Default is 6.
#Then the iptables connection counter will kick in sooner to drop
#password attack hackers.
MaxAuthTries 2