防止sshd被暴力破解

多台linux服务器遭受攻击，部分攻击记录如下：
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_succeed_if(sshd:auth): error retrieving information about user test
Mar 23 02:02:21 zgyt-server sshd[8161]: Failed password for invalid user test from 218.15.21.106 port 53996 ssh2
Mar 23 02:02:21 zgyt-server sshd[8162]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:21 zgyt-server sshd[8163]: Invalid user guest from 218.15.21.106
Mar 23 02:02:21 zgyt-server sshd[8164]: input_userauth_request: invalid user guest
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Mar 23 02:02:23 zgyt-server sshd[8163]: Failed password for invalid user guest from 218.15.21.106 port 54275 ssh2
Mar 23 02:02:23 zgyt-server sshd[8164]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:24 zgyt-server sshd[8165]: Invalid user admin from 218.15.21.106
Mar 23 02:02:24 zgyt-server sshd[8166]: input_userauth_request: invalid user admin
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Mar 23 02:02:27 zgyt-server sshd[8165]: Failed password for invalid user admin from 218.15.21.106 port 54534 ssh2
Mar 23 02:02:27 zgyt-server sshd[8166]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:27 zgyt-server sshd[8167]: Invalid user admin from 218.15.21.106
Mar 23 02:02:27 zgyt-server sshd[8168]: input_userauth_request: invalid user admin
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Mar 23 02:02:29 zgyt-server sshd[8167]: Failed password for invalid user admin from 218.15.21.106 port 54855 ssh2
Mar 23 02:02:29 zgyt-server sshd[8168]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:30 zgyt-server sshd[8169]: Invalid user user from 218.15.21.106
Mar 23 02:02:30 zgyt-server sshd[8170]: input_userauth_request: invalid user user
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_succeed_if(sshd:auth): error retrieving information about user user
Mar 23 02:02:32 zgyt-server sshd[8169]: Failed password for invalid user user from 218.15.21.106 port 55041 ssh2
Mar 23 02:02:32 zgyt-server sshd[8170]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:32 zgyt-server sshd[8171]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106 user=root
Mar 23 02:02:34 zgyt-server sshd[8171]: Failed password for root from 218.15.21.106 port 55204 ssh2
Mar 23 02:02:34 zgyt-server sshd[8172]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:35 zgyt-server sshd[8173]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106 user=root
Mar 23 02:02:37 zgyt-server sshd[8173]: Failed password for root from 218.15.21.106 port 55314 ssh2
Mar 23 02:02:37 zgyt-server sshd[8174]: Received disconnect from 218.15.21.106: 11: Bye Bye

下面是我的解决办法，希望对大家有所帮助。

1、制作密钥，用密钥登录系统详见linux ssh密钥详解

2、用DenyHosts防止重复登录爆破

2.1、DenyHosts是Python语言写的一个程序，它会分析SSHD的日志文件，当发现重复的攻击时就会记录IP到/etc/hosts.deny文件，从而达到自动屏蔽IP的功能。

2.2下载DenyHosts与安装
地址：DenyHosts官方网站为：http://denyhosts.sourceforge.net，下载与你操作系统对应的版本安装。如我的系统centos5.2操作为：
sudo rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm
Preparing... ########################################### [100%]
1:DenyHosts ########################################### [100%]

2.3、配置
默认安装目录为/usr/share/denyhosts/，操作命令:

复制代码代码如下:

	cd /usr/share/denyhosts/

	sudo cp daemon-control-dist daemon-control

	sudo cp denyhosts.cfg-dist denyhosts.cfg

	cd /etc/init.d/

	sudo ln -s /usr/share/denyhosts/daemon-control denyhosts

	sudo /sbin/chkconfig --add denyhosts

	sudo /sbin/chkconfig --level 2345 denyhosts on

	sudo /sbin/service denyhosts start

	starting DenyHosts:    /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg

DenyHosts配置文件： vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure
#ssh 日志文件，如果是redhat系列是根据/var/log/secure文件来判断的。
#Mandrake、FreeBSD是根据 /var/log/auth.log来判断的，而SUSE则是用/var/log/messages来判断的。这些在配置文件里面都有很详细的解释。
HOSTS_DENY = /etc/hosts.deny
#控制用户登陆的文件
PURGE_DENY = 30m
#过多久后清除已经禁止的，空表示永久不清除
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
BLOCK_SERVICE = sshd
#禁止的服务名，当然DenyHost不仅仅用于SSH服务，还可用于SMTP等等。
DENY_THRESHOLD_INVALID = 1
#允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5
#允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 3
#允许root登陆失败的次数
HOSTNAME_LOOKUP=NO
#是否做域名反解
ADMIN_EMAIL =
#管理员邮件地址,它会给管理员发邮件
DAEMON_LOG = /var/log/denyhosts
#DenyHosts日志文件存放的路径

2.4、重启denyhosts服务
sudo /sbin/service denyhosts restart
Password:
sent DenyHosts SIGTERM
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
大功告成，检查/etc/hosts.deny文件内是否有禁止的IP。

(责任编辑：IT)

搜索

热门标签:

防止sshd被暴力破解