当你的linux服务器暴露在互联网之中,该服务器将会遭到互联网上的扫描软件进行扫描,并试图猜测SSH登录口令你会发现,每天会有多条SSH登录失败纪录。那些扫描工具将对你的服务器构成威胁,你必须设置复杂登录口令,并将尝试多次登录失败的IP给阻止掉,让其在一段时间内不能访问该服务器。简单方法也可以修改22端口号.
用DenyHosts可以阻止试图猜测SSH登录口令,它会分析/var/log/secure等日志文件,当发现同一IP在进行多次SSH密码尝试时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽该IP的目的。last命令的信息来自/var/log/wtmp,如果对有经验的人可能会删除掉这个。但是还是会留下痕迹,使用nmap命令扫描端口,
nmap -PO -sS ip,使用lsof命令,停掉一些不必要的服务,多关注漏洞,配置强有力的iptables来保护自己的系统或者尝试使用Chkrootkit应用程序对rootkit的跟踪,尝试AIDE来检查文件系统的完整性。服务器上除了root外,Linux用户越少越好,如果非要添加就添加shell为nologin。
DenyHosts安装
1.环境检查:安装环境Centos x64 6.4
下载到/usr/src目录中,查询一下系统是否符合要求
ldd /usr/sbin/sshd|grep libwrap //查看libwrap动态链接库文件。 libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f4b2a1b9000) python -V //查询版本为2.6.5 Python 2.6.6 2、安装步骤:
cd /usr/src
yum install wget -y
wget http://ncu.dl.sourceforge.net/sourceforge/denyhosts/DenyHosts-2.6.tar.gz
tar -xzvf DenyHosts-2.6.tar.gz
cd DenyHosts-2.6 python setup.py install //安装Denyhost 3. #切换目录进入/usr/share/denyhosts目录cd /usr/share/denyhosts/
4. 拷贝一份denyhosts.cfgcp denyhosts.cfg-dist denyhosts.cfg
5、DenyHosts参数配置vi denyhosts.cfg
切换到命令行模式 清空内容,然后输入如下内容: SECURE_LOG = /var/log/secure # format is: i[dhwmy] # Where i is an integer (eg. 7) # m = minutes # h = hours # d = days # w = weeks # y = years # # never purge: PURGE_DENY=50m HOSTS_DENY=/etc/hosts.deny BLOCK_SERVICE=sshd DENY_THRESHOLD_INVALID=1 DENY_THRESHOLD_VALID=10 DENY_THRESHOLD_ROOT=5 WORK_DIR=/usr/local/share/denyhosts/data DENY_THRESHOLD_RESTRICTED =1 LOCK_FILE=/var/lock/subsys/denyhosts HOSTNAME_LOOKUP=NO ADMIN_EMAIL=10402852@qq.com DAEMON_LOG=/var/log/denyhosts DAEMON_PURGE=10m 解释如下: SECURE_LOG = /var/log/secure #ssh日志文件 # format is: i[dhwmy] # Where i is an integer (eg. 7) # m = minutes # h = hours # d = days # w = weeks # y = years # # never purge: PURGE_DENY = 50m #过多久后清除已阻止IP HOSTS_DENY = /etc/hosts.deny #将阻止IP写入到hosts.deny BLOCK_SERVICE = sshd #阻止服务名 DENY_THRESHOLD_INVALID = 1 #允许无效用户登录失败的次数 DENY_THRESHOLD_VALID = 10 #允许普通用户登录失败的次数 DENY_THRESHOLD_ROOT = 5 #允许root登录失败的次数 WORK_DIR = /usr/local/share/denyhosts/data #将deny的host或ip纪录到Work_dir中 DENY_THRESHOLD_RESTRICTED = 1 #设定 deny host 写入到该资料夹 LOCK_FILE = /var/lock/subsys/denyhosts #将DenyHOts启动的pid纪录到LOCK_FILE中,已确保服务正确启动,防止同时启动多个服务。 HOSTNAME_LOOKUP=NO #是否做域名反解 ADMIN_EMAIL =10402852@qq.com #设置管理员邮件地址 DAEMON_LOG = /var/log/denyhosts #自己的日志文件 DAEMON_PURGE = 10m #该项与PURGE_DENY 设置成一样,也是清除hosts.deniedssh 用户的时间。 注意:不能把带注释的配置文件粘贴上去,会报错!!! 5.DenyHosts启动文件配置cp daemon-control-dist daemon-control chown root daemon-control chmod 700 daemon-control ./daemon-control start #启动DenyHosts 如果要使DenyHosts每次重起后自动启动还需做如下设置:
ln -s /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts #建立符号链接
chkconfig --add denyhosts #增加denyhosts服务进程
chkconfig denyhosts on #设置开机启动denyhosts
chkconfig --list denyhosts
denyhosts 0:off 1:off 2:on 3:on 4:on 5:on 6:off
6.查看日志异常信息
tail -f /var/log/secure
Feb 27 18:43:10 localhost login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=test
Feb 27 18:43:12 localhost login: FAILED LOGIN 1 FROM (null) FOR test, Authentication failure Feb 27 18:43:15 localhost login: FAILED LOGIN 2 FROM (null) FOR test, Authentication failure Feb 27 18:43:21 localhost login: FAILED LOGIN 3 FROM (null) FOR test, Authentication failure Feb 27 18:43:26 localhost login: pam_unix(login:session): session opened for user test by LOGIN(uid=0) Feb 27 18:43:26 localhost login: LOGIN ON tty1 BY test Feb 27 18:45:32 localhost su: pam_unix(su:auth): authentication failure; logname=test uid=500 euid=0 tty=tty1 ruser=test rhost= user=root Feb 27 18:45:47 localhost su: pam_unix(su-l:session): session opened for user root by test(uid=500) Feb 27 19:00:03 localhost sshd[19861]: Accepted password for root from 192.168.40.41 port 4289 ssh2 设置入侵检测工具之PortSentry (责任编辑:IT) |