网络上无聊的人一大堆,SSH端口密码扫描破解的人也很多,如果你的VPS被攻破那么会被用来攻击别人(如DDOS攻击),那么遇到严格的服务商,那么就会被关闭或者永久关闭,下面微饭给大家推荐个检测SSH破解及防护方法。
SSH暴力破解检测方法
如果你CPU/内存异常爆表,连接速度极慢,有异常进程等情况,有可能你的VPS被人扫描破解或者已经沦陷。。
可以用此方法检测下多少人在“盯着”你的VPS
# cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'通过上面的命令可以查看有哪些IP尝试过连接和破解次数,如下所示:
109.74.209.197 = 9 113.195.145.70 = 740 113.195.145.85 = 1038 115.197.42.232 = 3 115.239.212.132 = 19 115.239.212.133 = 14 115.239.212.134 = 17 115.239.212.135 = 18 115.239.212.136 = 16 115.239.212.137 = 23 115.239.212.138 = 16 115.239.212.139 = 14 115.47.26.53 = 10 117.245.5.85 = 6 118.69.223.246 = 28 121.247.3.54 = 4 123.141.29.11 = 31 125.211.222.103 = 32 128.199.84.180 = 771 138.94.87.253 = 6 14.140.241.75 = 1 14.177.108.180 = 1 158.69.195.20 = 74 161.202.147.197 = 15 161.202.41.20 = 15 169.229.3.91 = 1 177.220.212.90 = 13 1.85.21.39 = 3 1.85.62.39 = 24 186.215.198.163 = 5 187.110.243.90 = 1 187.210.107.242 = 32 188.130.145.134 = 18 189.28.243.113 = 3 191.243.17.43 = 1 193.104.41.54 = 9 193.189.117.120 = 1 193.95.84.205 = 32 198.251.79.54 = 38 202.126.93.18 = 32 202.198.129.78 = 32 218.57.241.59 = 1 218.98.39.43 = 30 220.225.7.31 = 1 221.232.129.51 = 61 222.186.21.113 = 20 222.186.50.141 = 1 222.21.43.56 = 12 27.254.67.185 = 2 27.75.167.208 = 8 37.58.97.4 = 15 43.229.53.12 = 7947 43.229.53.50 = 50043 46.146.220.219 = 1 46.161.40.34 = 6 50.57.160.46 = 274 51.254.142.83 = 45 5.140.213.177 = 1 58.185.2.22 = 978 5.8.66.101 = 3 59.29.245.226 = 32 59.45.79.116 = 10506 79.60.38.244 = 5 80.82.64.109 = 17 80.82.78.57 = 1 81.18.133.246 = 1 82.138.1.118 = 32 85.93.5.64 = 2 85.93.5.65 = 2 85.93.5.66 = 1 89.23.194.194 = 4 91.211.132.9 = 24 93.190.143.30 = 12 93.95.214.120 = 4 94.102.49.125 = 15
DenyHosts安装与配置演示:
1、下载DenyHosts 并解压
# wget http://soft.vpser.net/security/denyhosts/DenyHosts-2.6.tar.gz # tar zxvf DenyHosts-2.6.tar.gz # cd DenyHosts-2.6
2、安装、配置和启动
安装前建议执行:
echo "" > /var/log/secure && service rsyslog restart # 清空以前的日志并重启一下rsyslog
# python setup.py install
因为DenyHosts是基于python的,所以要已安装python,大部分Linux发行版一般都有。默认是安装到/usr/share/denyhosts/目录的,进入相应的目录修改配置文件
# cd /usr/share/denyhosts/ # cp denyhosts.cfg-dist denyhosts.cfg # cp daemon-control-dist daemon-control
默认的设置已经可以适合centos系统环境,你们可以使用vi命令查看一下denyhosts.cfg和daemon-control,里面有详细的解释
接着使用下面命令启动denyhosts程序
# chown root daemon-control # chmod 700 daemon-control # ./daemon-control start
如果要使DenyHosts每次重起后自动启动还需做如下设置:
# ln -sf /usr/share/denyhosts/daemon-control /etc/init.d/denyhosts # chkconfig --add denyhosts # chkconfig --level 2345 denyhosts on
或者执行下面的命令加入开机启动,将会修改/etc/rc.local文件:
# echo "/usr/share/denyhosts/daemon-control start" >> /etc/rc.local
DenyHosts配置文件/usr/share/denyhosts/denyhosts.cfg说明:
SECURE_LOG = /var/log/secure #sshd日志文件,它是根据这个文件来判断的,不同的操作系统,文件名稍有不同。 HOSTS_DENY = /etc/hosts.deny #控制用户登陆的文件 PURGE_DENY = 5m DAEMON_PURGE = 5m #过多久后清除已经禁止的IP,如5m(5分钟)、5h(5小时)、5d(5天)、5w(5周)、1y(一年) BLOCK_SERVICE = sshd #禁止的服务名,可以只限制不允许访问ssh服务,也可以选择ALL DENY_THRESHOLD_INVALID = 5 #允许无效用户失败的次数 DENY_THRESHOLD_VALID = 10 #允许普通用户登陆失败的次数 DENY_THRESHOLD_ROOT = 5 #允许root登陆失败的次数 HOSTNAME_LOOKUP=NO #是否做域名反解 DAEMON_LOG = /var/log/denyhosts
为防止自己的IP被屏蔽,可以:echo “你的IP” >> /usr/share/denyhosts/allowed-hosts 将你的IP加入白名单,再重启DenyHosts:/etc/init.d/denyhosts ,如果已经被封,需要先按下面的命令删除被封IP后再加白名单。
如有IP被误封,可以执行下面的命令解封:wget http://soft.vpser.net/security/denyhosts/denyhosts_removeip.sh && bash denyhost_removeip.sh 要解封的IP
查看攻击ip 记录
# cat /etc/hosts.deny