[Notes] A solution for sshd constantly getting brute-forced

Board: Linux   Author: (今、そこに いる僕)   Time: 13 years ago (2011/06/13 12:10), edited   Push score 15 (15 push / 0 boo / 22 neutral)
37 comments, 23 participants, latest thread 1/1
Once you set up a service like ssh, it gets hammered with username/password attempts nonstop, which is annoying. There are plenty of ready-made scripts online and you could just use those, but what I want to recommend is the program sshguard. On Linux it works together with iptables to block attackers, and it unblocks automatically once the time is up; besides iptables it can also work with hosts.deny and the like. It is also well supported on non-Linux platforms, so it is a pretty convenient program...

It mainly runs as a daemon in the system and dynamically updates the lists in iptables by analysing the output produced by (r)syslogd. Without further ado, here is how I did it...

1. Install:

   apt-get install sshguard

2. Add the following lines to your /etc/init.d/rcS:

   ...
   #Create named pipe for rsyslog and sshguard (skip it if the FIFO already exists).
   [ -p /var/log/sshguard.fifo ] || mkfifo /var/log/sshguard.fifo
   ...

3. Insert the following lines on the top of rules in /etc/rsyslog.conf:

   ...
   auth.info;authpriv.info |/var/log/sshguard.fifo
   ...

4. Modify your iptables initialization script to include a custom chain called 'sshguard':

   #Reset iptables.
   iptables -F
   iptables -F -t nat
   iptables -F -t mangle
   iptables -X
   iptables -Z

   #Add custom chain for SSHGuard
   iptables -N sshguard

   #Route all connections between internet and lan.
   iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
   iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

   #Default rules:
   #1. Drop all incoming connections.
   #2. Accept all connections from loopback device.
   #3. Accept all connections from ethernet devices.
   #4. Accept all connections from wireless lan devices.
   #5. Accept all connections from tunnel pseudo devices.
   #6. Accept all consequent packets of accepted connections.
   #7. Block suckers who tried to brute attack my services.
   iptables -P INPUT DROP
   iptables -A INPUT -i lo -j ACCEPT
   iptables -A INPUT -i eth+ -j ACCEPT
   iptables -A INPUT -i wlan+ -j ACCEPT
   iptables -A INPUT -i tun+ -j ACCEPT
   iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
   iptables -A INPUT -j sshguard

   #Open port 6881 for DHT of BT.
   iptables -A INPUT -p tcp -m tcp --dport 6881 -j ACCEPT
   iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT

   #Open port 6890:6899 for BT and 7000:7004 for FTP (two ranges, so 6900:6999 stays closed).
   iptables -A INPUT -p tcp -m tcp --dport 6890:6899 -j ACCEPT
   iptables -A INPUT -p udp -m udp --dport 6890:6899 -j ACCEPT
   iptables -A INPUT -p tcp -m tcp --dport 7000:7004 -j ACCEPT
   iptables -A INPUT -p udp -m udp --dport 7000:7004 -j ACCEPT

   #Open port 443 for OpenVPN.
   iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
   iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT

   #Open port 21 for FTP.
   iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

   #Open port 22 for SSH.
   iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

   #Start pppoe-relay.
   #"[0-9] name" keeps grep from matching itself; awk picks the PID column.
   pr_pid=$(ps aux | grep "[0-9] pppoe-relay" | awk '{print $2}')
   if [ -n "$pr_pid" ]; then
       echo "Stop pppoe-relay."
       kill -9 $pr_pid
   fi
   echo "Start pppoe-relay."
   pppoe-relay -C eth1 -S eth0

   #Start sshguard
   FIFONAME="/var/log/sshguard.fifo"
   if [ ! -p "$FIFONAME" ]; then
       echo "Use mkfifo to create $FIFONAME first!"
       exit 1    #a missing FIFO is a failure, so do not exit with success
   fi
   cat_pid=$(ps aux | grep "[0-9] cat.*fifo" | awk '{print $2}')
   sg_pid=$(ps aux | grep "[0-9] sshguard" | awk '{print $2}')
   if [ -n "$cat_pid" ] || [ -n "$sg_pid" ]; then
       echo "Stop sshguard."
       [ -n "$cat_pid" ] && kill -9 $cat_pid
       [ -n "$sg_pid" ] && kill -9 $sg_pid
   fi
   echo "Start sshguard."
   cat "$FIFONAME" | sshguard &
   exit 0

5. Restart your computer.

Anyway, my idea is simple: first create the pipe that rsyslogd and sshguard share in rcS, then create the chain in iptables that sshguard is going to manage, and finally run sshguard. If you use a newer syslogd it seems you do not need the pipe at all and can feed the log to sshguard directly, but I tried that with rsyslogd and it could not be done; you have to use a pipe.

I tested it a bit at the end... it seems to be working fine...

--
                                     What's wrong with stripping naked?
--
※ Posted from: PTT (ptt.cc) ◆ From: 122.116.57.76

1F 06/13 12:13: Wouldn't it be a bit simpler to use fail2ban @@?

2F 06/13 12:17: I once wrote a script that calls iptables: when the same source IP

3F 06/13 12:18: fails three times on the same account, or ten times on different accounts, within one minute,

4F 06/13 12:18: it just blocks that IP entirely.
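The threshold rule this commenter describes (three failures on one account, or ten distinct accounts, from one source IP within a minute), worked through as an added Python example that is not code from the thread: it parses constructed sshd syslog lines of the kind rsyslog feeds to sshguard and renders DROP rules for the custom sshguard chain from the post instead of calling iptables itself. The sample lines, the thresholds and the function names are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines (not real logs): 203.0.113.5 fails root
# three times in 20 s; 198.51.100.7 tries two different users; 192.0.2.9 succeeds.
SAMPLE_LOG = """\
Jun 13 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 13 12:00:10 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 13 12:00:20 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 13 12:00:30 host sshd[1004]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jun 13 12:00:45 host sshd[1005]: Failed password for invalid user test from 198.51.100.7 port 50002 ssh2
Jun 13 12:01:00 host sshd[1006]: Accepted publickey for alice from 192.0.2.9 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text, year=2011):
    """Yield (timestamp, user, ip) for every failed-password line; others are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_offenders(text, window=60, same_user=3, distinct_users=10):
    """Return {ip: reason} for source IPs that exceed either threshold in a sliding window."""
    history = defaultdict(deque)  # ip -> recent (timestamp, user) pairs within the window
    banned = {}
    for ts, user, ip in parse_failures(text):
        if ip in banned:
            continue
        q = history[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window:  # drop entries older than the window
            q.popleft()
        per_user = sum(1 for _, u in q if u == user)
        users = {u for _, u in q}
        if per_user >= same_user:
            banned[ip] = f"{per_user} failures for '{user}' within {window}s"
        elif len(users) >= distinct_users:
            banned[ip] = f"{len(users)} distinct users within {window}s"
    return banned

def iptables_rules(banned, chain="sshguard"):
    """Render one DROP rule per offender for the custom chain the post creates."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(banned)]
```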

5F 06/13 12:29: fail2ban already has most of the rules written for you.

6F 06/13 12:47: Heh heh, change the port and nobody knows which one is the ssh service.

7F 06/13 13:02: Scanning log files is never that great, so sshguard is a bit safer than fail2ban.

8F 06/13 13:03: Though with botnets so widespread now, changing the port or port knockin

9F 06/13 13:04: g is actually an approach worth considering.

10F 06/13 13:31: Actually just changing the PORT is enough.... simple and effective

11F 06/13 13:36: Isn't restricting by IP even faster?

12F 06/13 13:49: fail2ban doesn't need you to modify iptables

13F 06/13 14:02: Why do you need to reboot?

14F 06/13 14:26: Using the knock approach is simpler and more efficient.

15F 06/13 14:37: Agree with the above; knock+knockd really is a good method, almost equivalent to stealth

16F 06/13 15:19: port knocking has already reached the level of insanity....

17F 06/13 15:21: DenyHosts

18F 06/13 15:28: changing the port works +1

19F 06/13 16:01: change port +1

20F 06/13 16:39: Use cron to change the knock sequence and it's like the most advanced frequency-hopping comms the US military used to have;

21F 06/13 16:40: no matter how good they are at port scanning, they'd almost never hit sshd. Not to mention a valid sequence

22F 06/13 16:41: takes several seconds each time. Unless a global botnet attacks you in a coordinated way, it should be very safe

23F 06/13 16:52: knockd is too weak; doing port knocking with iptables is what's cool

24F 06/13 17:12: Above: a Linux server isn't necessarily afraid of hackers, but it's definitely afraid of "cool" XD

25F 06/13 19:43: Why not just use ssh's passwordless login and remove password authentication;

26F 06/13 19:44: then even the right password can't get in...

28F 06/14 04:32: -ssh-security-tips-and-tricks

29F 06/14 09:59: denyhosts +1

30F 06/14 11:13:

31F 06/14 11:42: changing the port works +1

32F 06/15 08:00: I allow packets from the VPN IP in, but DROP port 22 packets from the internet

33F 06/15 08:00: Connect to the VPN first before using it

34F 06/15 21:59: apt-get install fail2ban

35F 06/16 13:23: Even with a changed port, a brute scan with something like nmap can still find it, right~ :P

36F 06/16 15:53: nmap can find it of course, but the thing is most attackers just do a quick scan of port 22 first, it's faster

37F 06/25 10:40: Set up a fake account and let them log in, then write a malicious program for them to download and run

Article code (AID): #1DzOsRYf (Linux)