[Tips] A fix for sshd constantly being brute-forced
As soon as you set up a service like ssh, it gets hammered with username/password guesses nonstop, which is annoying.
There are plenty of ready-made scripts online, and following one of those works too, but what I want to recommend is the program sshguard.
On Linux it works together with iptables to block attackers, and it unblocks them automatically after a timeout. Besides iptables it can also work with things like hosts.deny, and it is well supported on non-Linux platforms too, so it is a fairly handy program...
It mainly runs as a daemon on the system and dynamically updates the iptables block list by analysing the logs produced by (r)syslogd. Without further ado, let me share my setup...
1. Install:
apt-get install sshguard
2. Add the following lines to your /etc/init.d/rcS:
...
#Create named pipe for rsyslog and sshguard (skip if it already exists).
[ -p /var/log/sshguard.fifo ] || mkfifo /var/log/sshguard.fifo
...
3. Insert the following lines on the top of rules in /etc/rsyslog.conf:
...
auth.info;authpriv.info |/var/log/sshguard.fifo
...
4. Modify your iptables initialization script to include a custom chain called 'sshguard':
#Reset iptables.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -Z
#Add custom chain for SSHGuard (sshguard inserts its DROP rules into this chain).
iptables -N sshguard
#Route all connections between internet and lan.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Default rules:
#1. Drop all incoming connections.
#2. Accept all connections from loopback device.
#3. Accept all connections from ethernet devices.
#4. Accept all connections from wireless lan devices.
#5. Accept all connections from tunnel pseudo devices.
#6. Accept all consequent packets of accepted connections.
#7. Block suckers who tried to brute attack my services.
#   (the jump to sshguard must come before the ACCEPT rules for the
#    services below, otherwise blocked hosts still get through)
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j sshguard
#Open port 6881 for DHT of BT.
iptables -A INPUT -p tcp -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
#Open port 6890:6899 for BT and 7000:7004 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 6890:7004 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6890:7004 -j ACCEPT
#Open port 443 for OpenVPN.
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
#Open port 21 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#Open port 22 for SSH.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#Start pppoe-relay.
#(the "[0-9] name" pattern matches the command right after the START column
# of ps aux, and does not match the grep process itself)
pr_pid=$(ps aux | grep "[0-9] pppoe-relay" | tr -s ' ' | cut -d' ' -f2)
if [ -n "$pr_pid" ]; then
    echo "Stop pppoe-relay."
    kill -9 $pr_pid
fi
echo "Start pppoe-relay."
pppoe-relay -C eth1 -S eth0
#Start sshguard
FIFONAME="/var/log/sshguard.fifo"
if [ ! -p "$FIFONAME" ]; then
    echo "Use mkfifo to create $FIFONAME first!"
    exit 1
fi
cat_pid=$(ps aux | grep "[0-9] cat.*fifo" | tr -s ' ' | cut -d' ' -f2)
sg_pid=$(ps aux | grep "[0-9] sshguard" | tr -s ' ' | cut -d' ' -f2)
if [ -n "$cat_pid" ] || [ -n "$sg_pid" ]; then
    echo "Stop sshguard."
    [ -n "$cat_pid" ] && kill -9 $cat_pid
    #plain SIGTERM so sshguard can shut down cleanly
    [ -n "$sg_pid" ] && kill $sg_pid
fi
echo "Start sshguard."
cat "$FIFONAME" | sshguard &
exit 0
5. Restart your computer.
Anyway, my idea is simple: first create the pipe that rsyslogd and sshguard share in rcS, then create the iptables chain that sshguard will manage, and finally start sshguard.
If you use a newer syslogd it seems you do not need the pipe and can feed the log to sshguard directly, but I tried that with rsyslogd and it did not work; you have to use a pipe.
I tested it a bit afterwards... it seems to work quite normally...
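As an added example (not from the original post), a small POSIX sh check for the ordering that step 4 relies on: run on iptables-save output, it confirms that the sshguard chain exists in the filter table and that INPUT jumps to it before any rule accepting TCP port 22, so a host that sshguard has blocked never reaches the ACCEPT. The two rulesets embedded below are constructed samples, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads iptables-save text
# on stdin and checks that INPUT consults the 'sshguard' chain BEFORE any
# rule that accepts TCP port 22. Exit status of the function:
#   0 = chain present and ordered correctly
#   1 = chain missing or INPUT never jumps to it
#   2 = an ACCEPT for --dport 22 comes before the jump
check_sshguard_order() {
    awk '
        /^\*/                  { table = substr($0, 2); next }  # *filter, *nat, ...
        table != "filter"      { next }                         # only the filter table matters
        /^:sshguard /          { chain = 1 }                    # chain declaration
        /^-A INPUT /           { n++ }                          # position within INPUT
        /^-A INPUT / && / -j sshguard( |$)/ && !jump                         { jump = n }
        /^-A INPUT / && / --dport 22( |$)/ && / -j ACCEPT( |$)/ && !acc      { acc = n }
        END {
            if (!chain || !jump) exit 1
            if (acc && acc < jump) exit 2
            exit 0
        }'
}

# Constructed sample in the order the post uses: jump first, then port 22.
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:sshguard - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample with the mistake this check catches: port 22 is
# accepted before INPUT ever reaches the sshguard chain.
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard
COMMIT'

# On the live box (as root): iptables-save | check_sshguard_order
printf '%s\n' "$SAMPLE_OK" | check_sshguard_order && echo "sample_ok: sshguard is consulted before port 22 is accepted"
printf '%s\n' "$SAMPLE_BAD" | check_sshguard_order || echo "sample_bad: status $? (2 = port 22 accepted before the jump)"
```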
--
What's wrong with
getting naked?
--
※ Posted from: PTT (ptt.cc)
◆ From: 122.116.57.76