多台linux服务器遭受攻击,部分攻击记录如下:
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:19 zgyt-server sshd[8161]: pam_succeed_if(sshd:auth): error retrieving information about user test
Mar 23 02:02:21 zgyt-server sshd[8161]: Failed password for invalid user test from 218.15.21.106 port 53996 ssh2
Mar 23 02:02:21 zgyt-server sshd[8162]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:21 zgyt-server sshd[8163]: Invalid user guest from 218.15.21.106
Mar 23 02:02:21 zgyt-server sshd[8164]: input_userauth_request: invalid user guest
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:21 zgyt-server sshd[8163]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Mar 23 02:02:23 zgyt-server sshd[8163]: Failed password for invalid user guest from 218.15.21.106 port 54275 ssh2
Mar 23 02:02:23 zgyt-server sshd[8164]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:24 zgyt-server sshd[8165]: Invalid user admin from 218.15.21.106
Mar 23 02:02:24 zgyt-server sshd[8166]: input_userauth_request: invalid user admin
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:24 zgyt-server sshd[8165]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Mar 23 02:02:27 zgyt-server sshd[8165]: Failed password for invalid user admin from 218.15.21.106 port 54534 ssh2
Mar 23 02:02:27 zgyt-server sshd[8166]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:27 zgyt-server sshd[8167]: Invalid user admin from 218.15.21.106
Mar 23 02:02:27 zgyt-server sshd[8168]: input_userauth_request: invalid user admin
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:27 zgyt-server sshd[8167]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Mar 23 02:02:29 zgyt-server sshd[8167]: Failed password for invalid user admin from 218.15.21.106 port 54855 ssh2
Mar 23 02:02:29 zgyt-server sshd[8168]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:30 zgyt-server sshd[8169]: Invalid user user from 218.15.21.106
Mar 23 02:02:30 zgyt-server sshd[8170]: input_userauth_request: invalid user user
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_unix(sshd:auth): check pass; user unknown
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106
Mar 23 02:02:30 zgyt-server sshd[8169]: pam_succeed_if(sshd:auth): error retrieving information about user user
Mar 23 02:02:32 zgyt-server sshd[8169]: Failed password for invalid user user from 218.15.21.106 port 55041 ssh2
Mar 23 02:02:32 zgyt-server sshd[8170]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:32 zgyt-server sshd[8171]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106 user=root
Mar 23 02:02:34 zgyt-server sshd[8171]: Failed password for root from 218.15.21.106 port 55204 ssh2
Mar 23 02:02:34 zgyt-server sshd[8172]: Received disconnect from 218.15.21.106: 11: Bye Bye
Mar 23 02:02:35 zgyt-server sshd[8173]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.15.21.106 user=root
Mar 23 02:02:37 zgyt-server sshd[8173]: Failed password for root from 218.15.21.106 port 55314 ssh2
Mar 23 02:02:37 zgyt-server sshd[8174]: Received disconnect from 218.15.21.106: 11: Bye Bye
下面是我的解决办法,希望对大家有所帮助。
1、制作密钥,用密钥登录系统 详见linux ssh密钥详解
2、用DenyHosts防止重复登录爆破
2.1、DenyHosts是python语言写的一个程序,它会分析SSHD的日志文件,当发现重复的攻击时就会记录IP到/etc/hosts.deny文件,从而达到自动屏蔽IP的功能。
2.2下载DenyHosts与安装
地址:DenyHosts官方网站为:http://denyhosts.sourceforge.net,下载与你操作系统对应的版本安装。如我的系统centos5.2操作为:
sudo rpm -ivh DenyHosts-2.6-python2.4.noarch.rpm
Preparing... ########################################### [100%]
1:DenyHosts ########################################### [100%]
2.3、配置
默认安装目录为/usr/share/denyhosts/,操作命令:
DenyHosts配置文件: vi /etc/denyhosts.cfg
SECURE_LOG = /var/log/secure
#ssh 日志文件,如果是redhat系列是根据/var/log/secure文件来判断的。
#Mandrake、FreeBSD是根据 /var/log/auth.log来判断的,而SUSE则是用/var/log/messages来判断的。这些在配置文件里面都有很详细的解释。
HOSTS_DENY = /etc/hosts.deny
#控制用户登陆的文件
PURGE_DENY = 30m
#过多久后清除已经禁止的,空表示永久不清除
# 'm' = minutes
# 'h' = hours
# 'd' = days
# 'w' = weeks
# 'y' = years
BLOCK_SERVICE = sshd
#禁止的服务名,当然DenyHost不仅仅用于SSH服务,还可用于SMTP等等。
DENY_THRESHOLD_INVALID = 1
#允许无效用户失败的次数
DENY_THRESHOLD_VALID = 5
#允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 3
#允许root登陆失败的次数
hostname_LOOKUP=NO
#是否做域名反解
ADMIN_EMAIL =
#管理员邮件地址,它会给管理员发邮件
DAEMON_LOG = /var/log/denyhosts
#DenyHosts日志文件存放的路径
2.4、重启denyhosts服务
sudo /sbin/service denyhosts restart
Password:
sent DenyHosts SIGTERM
starting DenyHosts: /usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
大功告成,检查/etc/hosts.deny文件内是否有禁止的IP。