1.问题背景 本打算买一个Linux服务器玩玩,系统为CentOS 7,供学习Linux和线上部署网站学习用。没想到买了没几天,啥都没做呢,登录之后发现了近2万条登录失败记录(输入lastb命令即可查看登入系统失败的用户相关信息)。什么?有人想通过暴力破解密码来登录我的服务器?!并且大量的攻击来自同一个ip地址。作为一个Linux小白,差点被吓尿了,网络真危险啊。 不过虽然是小白,也不甘示弱,有攻击就要有防御,现状开始逼迫我去学习关于Linux服务器安全防护的知识,要守住自己在网上的一块领地。 2.安装Fail2ban 在Q群上和小伙伴讨论过程中,发现了fail2ban这个利器。fail2ban能阻止暴力破解,如果fail2ban发现一个ip在暴力攻击,攻击次数达到一定次数时,就会禁止改ip连接服务器,以达到阻止暴力破解密码的目的。之前看登录失败日志,一个ip攻击了我上万次,现在有了fail2ban,它可做不了了,赶紧开始我们的安装。 安装fail2ban 输入以下两条命令即可安装
|
1 2 |
yum install epel-release yum install fail2ban |
说明: – yum install epel-release:安装EPEL仓库(Extra Packages for Enterprise Linux) – yum install fail2ban:从EPEL仓库安装fail2ban fail2ban配置文件 打开配置文件
|
1 |
nano /etc/fail2ban/jail.conf |
开头会见到如下说明
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
# # WARNING: heavily refactored in 0.9.0 release. Please review and # customize settings for your setup. # # Changes: in most of the cases you should not modify this # file, but provide customizations in jail.local file, # or separate .conf files under jail.d/ directory, e.g.: # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwritten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [sshd] # enabled = true # # See jail.conf(5) man page for more information |
大意是不要修改这个配置文件,而应该新建一个jail.conf来写用户配置。 先查看配置文件内默认的配置(仅列出前面5项):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
[DEFAULT] # # MISCELLANEOUS OPTIONS # # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space (and/or comma) separator. ignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 5 |
ignoreip 不会被ban的ip bantime 每秒内访问的最大次数,超过就被ban maxretry 最大失败次数 这里只是简单举例,其他一些配置不多做赘述,有需要的可以自己去看英文注释。 于是新建/打开一个jail.conf,写入用户自己的配置
|
1 |
nano /etc/fail2ban/jail.local |
把下列代码拷进去
|
1 2 3 4 5 6 7 8 |
[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] # sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] logpath = /var/log/secure maxretry = 5 |
说明: – enabled: 激活fail2ban。 – filter: 是sshd默认参考这个文件/etc/fail2ban/filter.d/sshd.conf。 – action: 符合/etc/fail2ban/action.d/iptables.conf这个文件的ip将会被fail2ban给ban掉. 如果你之前改过ssh端口,把 port=ssh改成新端口, 比如 port=2222. 如果还在用22,就不用改这里。 – logpath: Fail2Ban的日志文件路径. – maxretry: 最大尝试登陆失败次数. 启动fail2ban服务 运行这两个命令即可启动
|
1 2 |
chkconfig --level 23 fail2ban on service fail2ban start |
查看一下iptables是否添加了fail2ban的规则
|
1 |
iptables -L |
会看到如下字样f2b-SSH
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
Chain INPUT (policy ACCEPT) target prot opt source destination f2b-SSH tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain f2b-SSH (1 references) target prot opt source destination RETURN all -- anywhere anywhere |
查看登录失败日志 输入这条命令
|
1 |
cat /var/log/secure | grep 'Failed password' |
会看到类似这样的结果
|
1 2 3 4 5 6 7 8 9 10 11 12 |
Dec 6 22:47:12 vultr sshd[7942]: Failed password for root from 43.229.53.67 port 23021 ssh2 Dec 6 22:47:15 vultr sshd[7944]: Failed password for root from 43.229.53.67 port 40996 ssh2 Dec 6 22:47:16 vultr sshd[7944]: Failed password for root from 43.229.53.67 port 40996 ssh2 Dec 6 22:47:18 vultr sshd[7944]: Failed password for root from 43.229.53.67 port 40996 ssh2 Dec 6 22:47:31 vultr sshd[7948]: Failed password for root from 43.229.53.67 port 29907 ssh2 Dec 6 22:47:34 vultr sshd[7948]: Failed password for root from 43.229.53.67 port 29907 ssh2 Dec 6 22:47:36 vultr sshd[7948]: Failed password for root from 43.229.53.67 port 29907 ssh2 Dec 6 22:47:39 vultr sshd[7950]: Failed password for root from 43.229.53.67 port 48386 ssh2 Dec 6 22:47:41 vultr sshd[7950]: Failed password for root from 43.229.53.67 port 48386 ssh2 Dec 6 22:47:43 vultr sshd[7950]: Failed password for root from 43.229.53.67 port 48386 ssh2 Dec 6 22:47:47 vultr sshd[7952]: Failed password for root from 43.229.53.67 port 62846 ssh2 Dec 6 22:47:49 vultr sshd[7952]: Failed password for root from 43.229.53.67 port 62846 ssh2 |
3.修改22端口并启用 先在sshd_config里面添加新端口 查看sshd_confifg
|
1 |
/etc/ssh/sshd_config |
可以看到如下片段:
|
1 2 3 4 5 6 7 8 |
# If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: |
添加一个新端口,如22222,在Port 22下面添加一行Port 22222,Port 22先不要注释掉,以防新端口登录不上。 再在防火墙里添加新端口 查看防火墙运行状态
|
1 |
systemctl status firewalld.service |
查看所有打开的端口
|
1 |
firewall-cmd --zone=public --list-ports |
添加端口
|
1 |
firewall-cmd --zone=public --add-port=22222/tcp --permanent |
[…]
View Details修改/etc/ssh/sshd_config
|
1 2 3 4 |
vi <span class="hljs-meta-keyword">/etc/</span>ssh/sshd_config <span class="hljs-meta">#Port 22 <span class="hljs-comment">//这行去掉#号,防止配置不好以后不能远程登录,还得去机房修改,等修改以后的端口能使用以后在注释掉</span></span> Port <span class="hljs-number">33378</span> <span class="hljs-comment">//下面添加这一行</span> |
修改firewall配置 firewall添加想要修改的ssh端口:
|
1 2 3 4 5 6 |
添加到防火墙: firewall-cmd <span class="hljs-comment">--zone=public --add-port=33378/tcp --permanent (permanent是保存配置,不然下次重启以后这次修改无效)</span> 重启: firewall-cmd <span class="hljs-comment">--reload</span> 查看添加端口是否成功,如果添加成功则会显示yes,否则no firewall-cmd <span class="hljs-comment">--zone=public --query-port=33378/tcp</span> |
修改SELinux 使用以下命令查看当前SElinux 允许的ssh端口:
|
1 |
semanage port -l | <span class="hljs-keyword">grep</span> ssh |
添加33378端口到 SELinux
|
1 |
semanage port -a -t <span class="hljs-keyword">ssh_port_t</span> -p tcp <span class="hljs-number">33378</span> |
然后确认一下是否添加进去
|
1 |
semanage port -l | <span class="hljs-keyword">grep</span> ssh |
如果成功会输出
|
1 |
<span class="hljs-keyword">ssh_port_t</span> tcp <span class="hljs-number">33378</span>, <span class="hljs-number">22</span> |
重启ssh
|
1 |
<span class="hljs-selector-tag">systemctl</span> <span class="hljs-selector-tag">restart</span> <span class="hljs-selector-tag">sshd</span><span class="hljs-selector-class">.service</span> |
测试新端口的ssh连接 测试修改端口以后的ssh连接,如果成功则将step1里面的port 22 重新注释掉 from:https://www.cnblogs.com/rwxwsblog/p/5756894.html
View Details进程 # ps -ef # 查看所有进程 # top # 实时显示进程状态(另一篇文章里面有详细的介绍) 用户: # w # 查看活动用户 # id <用户名> # 查看指定用户信息 # last # 查看用户登录日志 # cut -d: -f1 /etc/passwd # 查看系统所有用户 # cut -d: -f1 /etc/group # 查看系统所有组 # crontab -l # 查看当前用户的计划任务 系统 日志文件( 可以通过cat 或tail 命令来查看) /var/log/message 系统启动后的信息和错误日志,是Red Hat Linux中最常用的日志之一 /var/log/secure 与安全相关的日志信息 /var/log/maillog 与邮件相关的日志信息 /var/log/cron 与定时任务相关的日志信息 /var/log/spooler 与UUCP和news设备相关的日志信息 /var/log/boot.log 守护进程启动和停止相关的日志消息 系统信息 # uname -a # 查看内核/操作系统/CPU信息 # cat /etc/issue # cat /etc/redhat-release # 查看操作系统版本 # cat /proc/cpuinfo # 查看CPU信息 # hostname # 查看计算机名 # lspci -tv # 列出所有PCI设备 # lsusb […]
View Details一、查看Linux内核版本命令(两种方法): 1、cat /proc/version [root@S-CentOS home]# cat /proc/version Linux version 2.6.32-431.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Fri Nov 22 03:15:09 UTC 2013 2、uname -a [root@S-CentOS home]# uname -a Linux S-CentOS 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux 二、查看Linux系统版本的命令(3种方法): 1、lsb_release -a,即可列出所有版本信息: [root@S-CentOS ~]# lsb_release -a LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch Distributor ID: CentOS Description: CentOS release 6.5 (Final) Release: 6.5 Codename: Final 这个命令适用于所有的Linux发行版,包括RedHat、SUSE、Debian…等发行版。 2、cat /etc/redhat-release,这种方法只适合Redhat系的Linux: [root@S-CentOS home]# cat /etc/redhat-release CentOS release 6.5 (Final) 3、cat /etc/issue,此命令也适用于所有的Linux发行版。 [root@S-CentOS home]# cat /etc/issue CentOS release […]
View Details