Someone keeps trying to log in to the server over SSH; the login banner shows it:
Last failed login: Wed Nov 13 22:01:00 CST 2019 from 80.48.126.5 on ssh:notty
There were 21 failed login attempts since the last successful login.
Use lastb to look at the failed login records (it reads /var/log/btmp, so it needs root):
lastb | less
Output:
info ssh:notty 122.51.83.37 Wed Nov 13 22:09 - 22:09 (00:00)
info ssh:notty 122.51.83.37 Wed Nov 13 22:09 - 22:09 (00:00)
mysql ssh:notty 118.24.38.53 Wed Nov 13 22:04 - 22:04 (00:00)
mysql ssh:notty 118.24.38.53 Wed Nov 13 22:04 - 22:04 (00:00)
cayouett ssh:notty 40.73.103.7 Wed Nov 13 22:00 - 22:00 (00:00)
cayouett ssh:notty 40.73.103.7 Wed Nov 13 22:00 - 22:00 (00:00)
sanjavie ssh:notty 118.24.38.53 Wed Nov 13 21:58 - 21:58 (00:00)
sanjavie ssh:notty 118.24.38.53 Wed Nov 13 21:58 - 21:58 (00:00)
root ssh:notty 94.191.47.204 Wed Nov 13 21:56 - 21:56 (00:00)
canon ssh:notty 40.73.103.7 Wed Nov 13 21:56 - 21:56 (00:00)
canon ssh:notty 40.73.103.7 Wed Nov 13 21:56 - 21:56 (00:00)
root ssh:notty 111.230.178.188 Wed Nov 13 21:52 - 21:52 (00:00)
root ssh:notty 111.230.178.188 Wed Nov 13 21:51 - 21:51 (00:00)
liesegan ssh:notty 94.191.47.204 Wed Nov 13 21:50 - 21:50 (00:00)
liesegan ssh:notty 94.191.47.204 Wed Nov 13 21:50 - 21:50 (00:00)
root ssh:notty 40.73.103.7 Wed Nov 13 21:50 - 21:50 (00:00)
tester ssh:notty 122.51.83.37 Wed Nov 13 21:48 - 21:48 (00:00)
tester ssh:notty 122.51.83.37 Wed Nov 13 21:48 - 21:48 (00:00)
korinkan ssh:notty 118.24.38.53 Wed Nov 13 21:47 - 21:47 (00:00)
korinkan ssh:notty 118.24.38.53 Wed Nov 13 21:47 - 21:47 (00:00)
greget ssh:notty 37.135.117.97 Wed Nov 13 21:43 - 21:43 (00:00)
greget ssh:notty 37.135.117.97 Wed Nov 13 21:43 - 21:43 (00:00)
keiki ssh:notty 158.69.204.172 Wed Nov 13 21:43 - 21:43 (00:00)
keiki ssh:notty 158.69.204.172 Wed Nov 13 21:43 - 21:43 (00:00)
daredevi ssh:notty 218.56.138.164 Wed Nov 13 21:43 - 21:43 (00:00)
daredevi ssh:notty 218.56.138.164 Wed Nov 13 21:43 - 21:43 (00:00)
gpadmin ssh:notty 54.37.204.154 Wed Nov 13 21:43 - 21:43 (00:00)
...
To block these attacks, tools such as fail2ban and denyhosts are normally used.
fail2ban bans by inserting firewall rules (iptables/firewalld), whereas denyhosts writes the offending addresses to /etc/hosts.deny and lets TCP wrappers reject them. denyhosts is simpler to set up, but it only works if sshd honours hosts.deny, i.e. was built with libwrap support: check with `ldd /usr/sbin/sshd | grep libwrap`. CentOS 7's OpenSSH has it; RHEL/CentOS 8 dropped TCP wrappers entirely, so there fail2ban is the only option of the two.
We use denyhosts.
1. Download and install denyhosts
Download (the RPMforge noarch package for EL7):
wget http://ftp.tu-chemnitz.de/pub/linux/dag/redhat/el7/en/x86_64/rpmforge/RPMS/denyhosts-2.6-5.el7.rf.noarch.rpm
Install:
rpm -ivh denyhosts-2.6-5.el7.rf.noarch.rpm
Start the denyhosts service:
systemctl start denyhosts
Check its status:
systemctl status denyhosts
Enable it at boot:
systemctl enable denyhosts
2. Configure denyhosts.cfg
Edit denyhosts.cfg:
vim /etc/denyhosts/denyhosts.cfg
Find the line PURGE_DENY =
and change it to PURGE_DENY = 100y
, which bans an address for 100 years, i.e. effectively forever (entries are never purged, so /etc/hosts.deny only grows).
Before restarting, put your own management addresses into /var/lib/denyhosts/allowed-hosts so that a mistyped password from your workstation cannot lock you out; with DENY_THRESHOLD_ROOT = 1 a single failed root login is enough to be banned.
After changing the configuration, restart the denyhosts service:
systemctl restart denyhosts
Other commonly used settings; the defaults are usually fine:
SECURE_LOG = /var/log/secure // log file that is scanned for failed logins
HOSTS_DENY = /etc/hosts.deny // file the banned addresses are written to
PURGE_DENY = 4w // how long a banned IP stays blocked before it is released (w = weeks, d = days, h = hours, m = minutes, y = years)
BLOCK_SERVICE = sshd // service name written into the hosts.deny entries
DENY_THRESHOLD_INVALID = 5 // failed attempts for a non-existent user before the IP is blocked
DENY_THRESHOLD_VALID = 10 // failed attempts for an existing non-root user
DENY_THRESHOLD_ROOT = 1 // failed attempts for root
DENY_THRESHOLD_RESTRICTED = 1 // failed attempts for users listed in WORK_DIR/restricted-usernames
WORK_DIR = /var/lib/denyhosts // denyhosts working data directory; also holds allowed-hosts (addresses that are never banned) and restricted-usernames
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES // report suspicious logins even when they come from hosts in allowed-hosts
HOSTNAME_LOOKUP=YES // resolve hostnames in the report
LOCK_FILE = /var/lock/subsys/denyhosts
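To make the thresholds concrete, here is an added example in shell (my own code, not from the original post or the DenyHosts project) that applies the DENY_THRESHOLD_INVALID / DENY_THRESHOLD_VALID / DENY_THRESHOLD_ROOT rules to constructed /var/log/secure lines, exempts addresses from an allowed-hosts list, and prints the `sshd: IP` lines that would end up in /etc/hosts.deny. It also tallies lastb-style output (the kind shown at the top of the post) by source IP. The log lines, the 10.0.0.5 "jump host" address and the function names are all constructed for the example, and the emulation deliberately counts only "Failed password for" lines and ignores DENY_THRESHOLD_RESTRICTED and the daemon's other refinements.

```shell
#!/bin/bash
# Added example: emulate DenyHosts' threshold logic and summarize lastb output.

# Constructed sshd lines in CentOS 7 /var/log/secure format (not a real capture).
SAMPLE_SECURE='Nov 13 21:47:01 srv sshd[1001]: Failed password for invalid user korinkan from 118.24.38.53 port 40122 ssh2
Nov 13 21:47:04 srv sshd[1001]: Failed password for invalid user korinkan from 118.24.38.53 port 40122 ssh2
Nov 13 21:58:10 srv sshd[1002]: Failed password for invalid user sanjavie from 118.24.38.53 port 40310 ssh2
Nov 13 21:58:12 srv sshd[1002]: Failed password for invalid user sanjavie from 118.24.38.53 port 40310 ssh2
Nov 13 22:04:20 srv sshd[1003]: Failed password for invalid user mysql from 118.24.38.53 port 40411 ssh2
Nov 13 21:51:30 srv sshd[1004]: Failed password for root from 111.230.178.188 port 5566 ssh2
Nov 13 21:48:02 srv sshd[1005]: Failed password for tester from 122.51.83.37 port 51022 ssh2
Nov 13 21:48:05 srv sshd[1005]: Failed password for tester from 122.51.83.37 port 51022 ssh2
Nov 13 22:09:15 srv sshd[1006]: Failed password for info from 122.51.83.37 port 51200 ssh2
Nov 13 22:30:00 srv sshd[1007]: Failed password for root from 10.0.0.5 port 60000 ssh2
Nov 13 22:30:03 srv sshd[1007]: Failed password for root from 10.0.0.5 port 60000 ssh2
Nov 13 22:31:00 srv sshd[1008]: Accepted publickey for admin from 10.0.0.5 port 60010 ssh2'

# Constructed lastb-style lines (user, tty, host, time), same layout as the real output.
SAMPLE_LASTB='mysql    ssh:notty    118.24.38.53     Wed Nov 13 22:04 - 22:04  (00:00)
mysql    ssh:notty    118.24.38.53     Wed Nov 13 22:04 - 22:04  (00:00)
sanjavie ssh:notty    118.24.38.53     Wed Nov 13 21:58 - 21:58  (00:00)
sanjavie ssh:notty    118.24.38.53     Wed Nov 13 21:58 - 21:58  (00:00)
canon    ssh:notty    40.73.103.7      Wed Nov 13 21:56 - 21:56  (00:00)
canon    ssh:notty    40.73.103.7      Wed Nov 13 21:56 - 21:56  (00:00)
root     ssh:notty    40.73.103.7      Wed Nov 13 21:50 - 21:50  (00:00)
tester   ssh:notty    122.51.83.37     Wed Nov 13 21:48 - 21:48  (00:00)
tester   ssh:notty    122.51.83.37     Wed Nov 13 21:48 - 21:48  (00:00)'

# failed_by_ip < lastb-output
# Count failed ssh logins per source host (column 3 of lastb), most active first.
failed_by_ip() {
  awk '$2 == "ssh:notty" { c[$3]++ } END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# denyhosts_decide INVALID_THR VALID_THR ROOT_THR ALLOWED_CSV < secure-log
# Prints the "sshd: IP" lines DenyHosts would append to /etc/hosts.deny.
# Classification mirrors the DENY_THRESHOLD_* settings: "invalid user" lines
# count against INVALID_THR, root against ROOT_THR, any other user against
# VALID_THR. Addresses in ALLOWED_CSV (the allowed-hosts file) are never banned.
denyhosts_decide() {
  awk -v inv="$1" -v val="$2" -v rt="$3" -v allow="$4" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") allowed[a[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      if ($0 ~ / for invalid user /)   invalid[ip]++   # user does not exist
      else if ($0 ~ / for root from /) root[ip]++      # root account
      else                             valid[ip]++     # existing non-root user
    }
    END {
      for (ip in invalid) if (invalid[ip] >= inv) deny[ip] = 1
      for (ip in valid)   if (valid[ip]   >= val) deny[ip] = 1
      for (ip in root)    if (root[ip]    >= rt)  deny[ip] = 1
      for (ip in deny) if (!(ip in allowed)) print "sshd: " ip
    }' | sort
}

# Stand-alone run with the page's thresholds (INVALID=5, VALID=10, ROOT=1)
# and the hypothetical admin jump host 10.0.0.5 listed in allowed-hosts.
echo "== failed attempts per source IP (lastb) =="
printf '%s\n' "$SAMPLE_LASTB" | failed_by_ip
echo "== entries DenyHosts would add to /etc/hosts.deny =="
printf '%s\n' "$SAMPLE_SECURE" | denyhosts_decide 5 10 1 10.0.0.5
```

With these inputs 118.24.38.53 is banned for five invalid-user failures and 111.230.178.188 for a single root failure, while 122.51.83.37 (three failures against an existing user, below DENY_THRESHOLD_VALID) and the whitelisted 10.0.0.5 are left alone. On a real host, `tcpdmatch sshd <ip>` from the tcp_wrappers package tells you whether a given address would actually be refused by the hosts.deny rules denyhosts wrote.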
3. View the blocked IPs
cat /etc/hosts.deny | less
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd: 128.199.142.0
sshd: 81.95.237.230
sshd: 219.149.108.195
sshd: 164.177.42.33
sshd: 106.39.15.168
sshd: 114.88.162.126
sshd: 124.16.164.2
sshd: 50.250.231.41
sshd: 106.13.204.195
sshd: 178.62.214.85
sshd: 59.126.69.60
sshd: 49.231.228.107
sshd: 175.126.176.21
sshd: 189.4.62.161
sshd: 182.61.136.23
sshd: 137.74.47.22
sshd: 104.236.250.88
sshd: 104.236.250.155
...