All of the steps below were performed on Ubuntu.
Background
I had just finished setting up a Tencent Cloud server when I noticed that connecting to it took abnormally long. That did not seem right, and I realized the server might be under attack.
So I logged in to the server and opened the authentication log at /var/log/auth.log; sure enough, it was full of login attempts from unauthorized IPs:
- ...
- May 25 13:57:49 localhost sshd[27673]: Invalid user test9 from 128.199.30.172 port 51386
- May 25 13:57:49 localhost sshd[27673]: pam_unix(sshd:auth): check pass; user unknown
- May 25 13:57:49 localhost sshd[27673]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=128.199.30.172
- May 25 13:57:51 localhost sshd[27673]: Failed password for invalid user test9 from 128.199.30.172 port 51386 ssh2
- May 25 13:57:51 localhost sshd[27673]: Received disconnect from 128.199.30.172 port 51386:11: Bye Bye [preauth]
- May 25 13:57:51 localhost sshd[27673]: Disconnected from invalid user test9 128.199.30.172 port 51386 [preauth]
- May 25 13:58:01 localhost CRON[27700]: pam_unix(cron:session): session opened for user root by (uid=0)
- May 25 13:58:01 localhost CRON[27700]: pam_unix(cron:session): session closed for user root
- May 25 13:58:06 localhost sshd[27651]: Connection closed by 20.194.166.160 port 54602 [preauth]
- May 25 13:58:24 localhost sshd[27787]: Invalid user ec2-user from 117.79.132.166 port 38400
- ...
Only then did it occur to me that ever since the server was set up, the system configuration had been left at its defaults, SSH (Secure Shell) included, so it was no surprise that it was being attacked.
That led me to harden the SSH configuration.
1. Modify the SSH configuration
(1). Disable remote login for the root account
root is the system's default account and holds the highest privileges, so attackers go for root first; looking at the log above, root was also the most frequently tried user.
First, go to the /etc/ssh directory, open the sshd_config file, and set PermitRootLogin to no.
For how to create an Ubuntu user account, see
(2). Change the port
The server's default port is 22; it is advisable to change it from time to time.
<Badge text="注" type="error" vertical="middle"/>: the port number can be set to at most 65536; be careful not to exceed that.
After changing the SSH configuration, restart SSH: `sudo service sshd restart`
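The two edits above are easy to get wrong by hand (a directive left commented out, or two conflicting Port lines). The script below is an added example, not code from the original post: it rewrites or appends each directive idempotently and refuses a port outside the TCP range 1-65535. The function names and the sample config used in testing are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the two sshd_config
# changes described above (PermitRootLogin no, a non-default Port) idempotently.
# The function names and the sample config are my own constructions.

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." or commented-out "#KEY ..." line to "KEY VALUE",
# or appends the directive when the file does not mention KEY at all.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the value of the first active (uncommented) KEY line.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# valid_port N: succeed only for an integer in the TCP port range 1-65535.
valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# harden_sshd FILE PORT: refuse an out-of-range port, then set both directives.
harden_sshd() {
    cfg="$1" port="$2"
    if ! valid_port "$port"; then
        echo "harden_sshd: invalid port '$port' (must be 1-65535)" >&2
        return 1
    fi
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" Port "$port"
}
```

Run it as root against /etc/ssh/sshd_config, then validate with `sshd -t` before `sudo service sshd restart`, and keep the current session open while you confirm that a second login on the new port works. The sed rewrite touches every line carrying the directive, so check any `Match` blocks in the file by hand afterwards.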
2. Configure the IP access allow list and deny list
Under /etc there are two files, hosts.allow and hosts.deny, used to list allowed and denied IPs respectively.
(1). Allow a single IP
To allow the SSH remote protocol: in hosts.allow write `sshd:192.168.0.1`
To allow the telnet remote protocol: in hosts.allow write `in.telnetd:192.168.0.1`
To allow all remote protocols: in hosts.allow write `ALL:192.168.0.1`
(2). Allow an IP range
To allow the SSH remote protocol: in hosts.allow write `sshd:192.168.0`
To allow the telnet remote protocol: in hosts.allow write `in.telnetd:192.168.0`
To allow all remote protocols: in hosts.allow write `ALL:192.168.0`
(3). Deny all IPs
To deny the SSH remote protocol: in hosts.deny write `sshd:ALL`
To deny the telnet remote protocol: in hosts.deny write `in.telnetd:ALL`
To deny all remote protocols: in hosts.deny write `ALL:ALL`
(4). Deny a single IP
To deny the SSH remote protocol: in hosts.deny write `sshd:192.168.0.1`
To deny the telnet remote protocol: in hosts.deny write `in.telnetd:192.168.0.1`
To deny all remote protocols: in hosts.deny write `ALL:192.168.0.1`
(5). Deny an IP range
To deny the SSH remote protocol: in hosts.deny write `sshd:192.168.0`
To deny the telnet remote protocol: in hosts.deny write `in.telnetd:192.168.0`
To deny all remote protocols: in hosts.deny write `ALL:192.168.0`
You can also write
`sshd : ALL EXCEPT 111.111.111.0/255.255.255.0 222.222.222.222 333.333.333.0/255.255.255.0`
which allows access from the fixed IP 222.222.222.222 and from the 111.111.111.0 and 333.333.333.0 ranges.
Then restart with `service sshd restart`
and `service xinetd restart`
<Badge text="注" type="error" vertical="middle"/>: when hosts.allow and hosts.deny conflict, hosts.allow takes precedence.
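The precedence rule in the note above (hosts.allow first and it wins, then hosts.deny, and a client matching neither file is allowed) is what makes a "deny all except" rule work, and it is worth checking a rule set against real addresses before deploying it. The script below is an added example, not code from the original post: a small simulator of that decision following hosts_access(5). Function names, the constructed rule files and the test addresses are my own. Two caveats from hosts_access(5) that the code reflects: a network prefix must end in a dot (`192.168.0.` matches 192.168.0.x; `192.168.0` without the dot matches nothing), and the `ALL EXCEPT ...` form only yields "allow only these" when it is placed in hosts.deny. Whether sshd consults these files at all depends on whether it was built with libwrap; `ldd $(command -v sshd) | grep libwrap` shows that.

```shell
#!/bin/sh
# Added example, not code from the original post: simulate the hosts.allow /
# hosts.deny decision for one daemon and one client address. Function names
# and sample data are my own; the matching rules follow hosts_access(5).

# ip2int A.B.C.D: dotted quad to a 32-bit integer (runs in a subshell so IFS
# and the positional parameters are not disturbed).
ip2int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# wrap_match PATTERN IP: one client pattern. Supported forms: ALL, an exact
# address, a prefix ending in "." such as 192.168.0., and net/mask.
wrap_match() {
    pat="$1" ip="$2"
    case "$pat" in
        ALL) return 0 ;;
        */*)
            net="${pat%/*}" mask="${pat#*/}"
            [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
              $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)
            case "$ip" in "$pat"*) return 0 ;; esac
            return 1 ;;
        *) [ "$pat" = "$ip" ] ;;
    esac
}

# wrap_list_match LIST IP: a client list such as "ALL EXCEPT 10.0.0. 203.0.113.7".
wrap_list_match() {
    list="$1" ip="$2"
    case " $list " in
        *" EXCEPT "*)
            before="${list%% EXCEPT *}" after="${list#* EXCEPT }"
            if wrap_list_match "$before" "$ip" && ! wrap_list_match "$after" "$ip"; then
                return 0
            fi
            return 1 ;;
    esac
    for p in $list; do
        wrap_match "$p" "$ip" && return 0
    done
    return 1
}

# wrap_file_match FILE DAEMON IP: does any "daemon_list : client_list" rule in FILE match?
# Comments are stripped and commas are treated as list separators.
wrap_file_match() {
    sed -e 's/#.*//' -e 's/,/ /g' -e '/^[[:space:]]*$/d' "$1" | (
        while IFS=: read -r dlist clist rest; do
            daemon_ok=false
            for d in $dlist; do
                if [ "$d" = ALL ] || [ "$d" = "$2" ]; then daemon_ok=true; fi
            done
            if $daemon_ok && wrap_list_match "$clist" "$3"; then exit 0; fi
        done
        exit 1
    )
}

# wrap_decide ALLOW_FILE DENY_FILE DAEMON IP: print "allow" or "deny".
wrap_decide() {
    if wrap_file_match "$1" "$3" "$4"; then
        echo allow          # hosts.allow matched: wins regardless of hosts.deny
    elif wrap_file_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow          # matched neither file: the default is to allow
    fi
}
```

Typical use is `wrap_decide /etc/hosts.allow /etc/hosts.deny sshd <your own address>` before restarting, to make sure the "deny all" line has not locked out the address you administer from.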
3. Block IPs with netfilter/iptables
`sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP` blocks an IP that has made repeated malicious access attempts.
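Deciding which addresses count as "repeated malicious access" is the step the log excerpt in the Background section and this iptables rule leave to the reader. The script below is an added example, not code from the original post, and serves both passages: it counts `Failed password` lines per source address in auth.log output and emits one DROP rule per address above a threshold, skipping an address you name as safe so an automated run cannot lock out the administrator. The function names, the threshold and the sample log lines (constructed in the same format as the excerpt above, with documentation addresses) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: triage sshd failures from
# auth.log and produce iptables DROP rules for the noisiest sources.
# Function names and the sample log below are my own constructions.

# Constructed sample in the same format as the post's /var/log/auth.log excerpt.
SAMPLE_AUTH_LOG='May 25 13:57:49 localhost sshd[27673]: Invalid user test9 from 128.199.30.172 port 51386
May 25 13:57:51 localhost sshd[27673]: Failed password for invalid user test9 from 128.199.30.172 port 51386 ssh2
May 25 13:58:24 localhost sshd[27787]: Invalid user ec2-user from 117.79.132.166 port 38400
May 25 13:58:26 localhost sshd[27787]: Failed password for invalid user ec2-user from 117.79.132.166 port 38400 ssh2
May 25 13:58:40 localhost sshd[27790]: Failed password for root from 128.199.30.172 port 51402 ssh2
May 25 13:58:43 localhost sshd[27790]: Failed password for root from 128.199.30.172 port 51402 ssh2
May 25 13:58:50 localhost sshd[27795]: Failed password for root from 117.79.132.166 port 38410 ssh2
May 25 13:59:01 localhost sshd[27801]: Accepted publickey for admin from 203.0.113.5 port 50022 ssh2'

# failed_logins_by_ip: read auth.log text on stdin, print "COUNT IP" lines,
# most failures first. Only "Failed password" lines are counted, one per
# authentication attempt; "Invalid user" lines precede them and would double-count.
failed_logins_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' \
      | sed -E 's/.* from ([0-9.]+) port [0-9]+ ssh2$/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# block_rules THRESHOLD [SAFE_IP]: read auth.log text on stdin and print one
# iptables command per address with at least THRESHOLD failures. SAFE_IP is
# never blocked. "iptables -C" checks whether the rule already exists, so
# re-running the output does not append duplicate rules.
block_rules() {
    threshold="$1" safe="${2:-}"
    failed_logins_by_ip | awk -v t="$threshold" -v safe="$safe" '
        $1 >= t && $2 != safe {
            rule = "INPUT -s " $2 " -p tcp -j DROP"
            printf "iptables -C %s 2>/dev/null || iptables -A %s\n", rule, rule
        }'
}
```

Against the real log: `sudo sh -c 'block_rules 10 <admin address> < /var/log/auth.log | sh'` after sourcing the file. Rules added this way live only in the running kernel, so persist them (on Ubuntu, the iptables-persistent package) if they should survive a reboot; fail2ban is the packaged form of this same count-and-block loop, with automatic expiry of the bans.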