昨晚苦逼加班完后,今早上班继续干活时,ssh连接服务器发现异常的提示,仔细看了一下吓一小跳,昨晚9点钟到现在,一夜之间被人尝试连接200+,慌~~~
[root@zwlbsweb ~]# cd /var/log [root@zwlbsweb log]# ll -h -------------------------省略部分信息------------------------------ -rw------- 1 root root 4.9m jul 17 10:10 secure -rw------- 1 root root 38m jun 24 03:29 secure-20190624 -rw------- 1 root root 64m jun 30 03:10 secure-20190630 -rw------- 1 root root 46m jul 7 03:37 secure-20190707 -rw------- 1 root root 14m jul 15 03:41 secure-20190715 -------------------------省略部分信息------------------------------
发现secure日志文件咋都这么大?原来不止是昨晚被攻击,之前就已经挨无数的暴击了。
发现被无数不同的ip地址和不同的用户进行ssh尝试连接。
随便拿个ip地址,百度一下,全是国外的ip地址,太可恶了:
虽然我的密码很复杂了,但是为了以防万一,还是速度百度一下,斩草除根
[root@zwlbsweb ~]# vim /etc/ssh/sshd_config ---------------配置如下---------------- port 2298
[root@zwlbsweb ~]# systemctl restart sshd
[root@zwlbsweb ~]# netstat -ntlp | grep 2298 tcp 0 0 0.0.0.0:2298 0.0.0.0:* listen 15156/sshd tcp6 0 0 :::2298 :::* listen 15156/sshd
注:还有个步骤就是“禁止root登录”,我这里就不禁止root登录了,因为密码太复杂记不住,切换root用户不方便。
注:同一个ip地址超过10次的尝试,就加入/etc/hosts.deny。
#! /bin/bash cat /var/log/secure|awk '/failed/{print $(nf-3)}'|sort|uniq -c|awk '{print $2"="$1;}' > /sshprevent/black.txt define="10" for i in `cat /sshprevent/black.txt` do ip=`echo $i |awk -f= '{print $1}'` num=`echo $i|awk -f= '{print $2}'` if [ $num -gt $define ]; then grep $ip /etc/hosts.deny > /dev/null if [ $? -gt 0 ]; then echo "sshd:$ip" >> /etc/hosts.deny fi fi done
添加计划任务:
[root@zwlbsweb ~]# crontab -e */5 * * * * /bin/bash /sshprevent/ssh_pervent.sh # 每五分钟检查一次 # 重启crontab [root@zwlbsweb ~]# systemctl restart crond
五分钟后,查看是否成功:
[root@zwlbsweb ~]# cat /sshprevent/black.txt 103.101.232.208=1 103.108.187.4=2 103.248.220.249=15 104.131.93.33=1 104.236.122.193=2 104.236.186.24=2 104.236.246.16=1 104.244.79.33=4 104.248.211.180=2 ...... -------------------------------我是分割线---------------------------------- [root@zwlbsweb ~]# cat /etc/hosts.deny # # hosts.deny this file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # the rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # see 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # see 'man tcpd' for information on tcp_wrappers # sshd:103.248.220.249 sshd:104.248.88.106 sshd:106.12.18.37 sshd:106.51.230.186 sshd:106.75.17.91 sshd:112.21.188.183 sshd:112.221.179.133 ......
小小的防范措施就到此完成了!
半天已经过去了,我们再次查看 secure 日志文件。
ssh连接没有提示了,日志也恢复了正常状态,感谢博友们,收工!
如对本文有疑问, 点击进行留言回复!!
linux下文本编辑器vim的使用方法(复制、粘贴、替换、行号、撤销、多文件操作)
网友评论