Preface
Exposing a public IP and port makes access much more convenient, at the cost of being hit indiscriminately by port scanners.
Even with password authentication disabled, reading the authentication log /var/log/auth.log
is still pretty annoying...
Aug 21 23:52:01 localhost sshd[3282]: Invalid user xiao from 159.89.178.62 port 38156
Aug 21 23:52:01 localhost sshd[3282]: input_userauth_request: invalid user xiao [preauth]
Aug 21 23:52:01 localhost sshd[3276]: Received disconnect from 159.89.178.62 port 38048:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3276]: Disconnected from 159.89.178.62 port 38048 [preauth]
Aug 21 23:52:01 localhost sshd[3278]: Received disconnect from 159.89.178.62 port 38066:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3278]: Disconnected from 159.89.178.62 port 38066 [preauth]
Aug 21 23:52:01 localhost sshd[3242]: Received disconnect from 159.89.178.62 port 37454:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3242]: Disconnected from 159.89.178.62 port 37454 [preauth]
Aug 21 23:52:01 localhost sshd[3281]: Received disconnect from 159.89.178.62 port 38138:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3281]: Disconnected from 159.89.178.62 port 38138 [preauth]
Aug 21 23:52:01 localhost sshd[3248]: Received disconnect from 159.89.178.62 port 37292:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3248]: Disconnected from 159.89.178.62 port 37292 [preauth]
To filter out this kind of scanning, install fail2ban, as widely recommended online, as a basic defence against sshd brute-forcing.
How it works
fail2ban is essentially a Python script that ships with a large set of built-in attack-protection rules (jails).
It works by periodically scanning the specified log files, using regular expressions to pick out the failure messages of interest and extract the IP address.
When one IP reaches the failure limit within the configured time window, fail2ban invokes an iptables rule to block (ban) that IP.
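The scan, match, count and ban loop described above, replayed over the auth.log excerpt from this post. This is an added example written for illustration, not fail2ban's own code: the regular expressions are a simplified model of the sshd filter, the year 2021 is assumed because syslog timestamps carry none, and the two 198.51.100.7 lines are constructed to show why failures spread over more than `findtime` seconds do not trigger a ban. The iptables rule is returned as an argument list and never executed.

```python
"""Simplified model of fail2ban's scan -> match -> count -> ban loop.

Added example, not fail2ban's own code. The regexes, the 2021 year
assumption and the 198.51.100.7 lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: the post's auth.log excerpt plus two extra lines
# for a second address (198.51.100.7, documentation range) whose failures
# are too far apart to fall inside one findtime window.
SAMPLE_LOG = """\
Aug 21 23:30:00 localhost sshd[3000]: Invalid user admin from 198.51.100.7 port 41000
Aug 21 23:52:01 localhost sshd[3282]: Invalid user xiao from 159.89.178.62 port 38156
Aug 21 23:52:01 localhost sshd[3282]: input_userauth_request: invalid user xiao [preauth]
Aug 21 23:52:01 localhost sshd[3276]: Received disconnect from 159.89.178.62 port 38048:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3276]: Disconnected from 159.89.178.62 port 38048 [preauth]
Aug 21 23:52:01 localhost sshd[3278]: Received disconnect from 159.89.178.62 port 38066:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3278]: Disconnected from 159.89.178.62 port 38066 [preauth]
Aug 21 23:52:01 localhost sshd[3242]: Received disconnect from 159.89.178.62 port 37454:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3242]: Disconnected from 159.89.178.62 port 37454 [preauth]
Aug 21 23:52:01 localhost sshd[3281]: Received disconnect from 159.89.178.62 port 38138:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3281]: Disconnected from 159.89.178.62 port 38138 [preauth]
Aug 21 23:52:01 localhost sshd[3248]: Received disconnect from 159.89.178.62 port 37292:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 23:52:01 localhost sshd[3248]: Disconnected from 159.89.178.62 port 37292 [preauth]
Aug 21 23:52:02 localhost sshd[3300]: Invalid user admin from 198.51.100.7 port 41002
"""

IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
# Simplified failure patterns, modelled on fail2ban's sshd filter but not
# identical to it. "Received disconnect" lines are deliberately not matched
# so each aborted pre-auth connection is counted once (via "Disconnected from").
FAIL_RES = [
    re.compile(r"Invalid user \S+ from " + IPV4 + r" port \d+$"),
    re.compile(r"Disconnected from " + IPV4 + r" port \d+ \[preauth\]$"),
]
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_failure(line, year=2021):
    """Return (ip, timestamp) if the line is a counted failure, else None."""
    for pat in FAIL_RES:
        m = pat.search(line)
        if m:
            ts = TS_RE.match(line)
            if not ts:
                return None
            # syslog omits the year; the caller supplies one (assumed 2021 here).
            when = datetime.strptime(f"{year} {ts['ts']}", "%Y %b %d %H:%M:%S")
            return m["ip"], when
    return None


def count_failures(lines, year=2021):
    """Total counted failures per IP, ignoring the time window."""
    counts = defaultdict(int)
    for line in lines:
        hit = parse_failure(line, year)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


def find_bans(lines, maxretry=5, findtime=600, year=2021):
    """Replay the log and return [(ip, ban_time)] in the order bans fire.

    A ban fires when an IP accumulates `maxretry` failures whose timestamps
    all lie within `findtime` seconds of each other. Further failures from a
    banned IP are ignored, as they would be while its firewall rule is active.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}                   # ip -> time the ban fired (insertion ordered)
    events = [h for h in (parse_failure(l, year) for l in lines) if h]
    events.sort(key=lambda e: e[1])   # stable sort; syslog is usually already ordered
    for ip, when in events:
        if ip in banned:
            continue
        dq = recent[ip]
        dq.append(when)
        while when - dq[0] > window:  # drop failures that fell out of findtime
            dq.popleft()
        if len(dq) >= maxretry:
            banned[ip] = when
            dq.clear()
    return list(banned.items())


def ban_rule(ip, chain="f2b-sshd"):
    """The iptables rule a ban would insert, returned as argv and never run.

    Illustrative only: fail2ban's real iptables-allports action also creates
    and hooks the per-jail chain; this shows just the per-IP rule.
    """
    return ["iptables", "-I", chain, "1", "-s", ip,
            "-j", "REJECT", "--reject-with", "icmp-port-unreachable"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failures per IP:", count_failures(lines))
    for ip, when in find_bans(lines):
        print(f"ban {ip} at {when:%b %d %H:%M:%S}:", " ".join(ban_rule(ip)))
```

With the defaults (maxretry 5, findtime 600) only 159.89.178.62 is banned: its six counted failures all land in one second. 198.51.100.7 has two failures 22 minutes apart, so the first one ages out of the window before the second arrives and its count never exceeds one. Raising `findtime` to an hour with `maxretry` 2 bans both, which is the trade-off the `bantime`/`findtime`/`maxretry` knobs in jail.local control.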
Deployment
Ubuntu/Debian systems use apt for package management:
sudo apt install fail2ban
Use the jail rules shipped with the package; the sshd jail is already enabled by default. Copy jail.conf to a local override file so package upgrades do not overwrite your changes:
sudo cp /etc/fail2ban/jail.{conf,local}
Edit the rules with sudo vi /etc/fail2ban/jail.local:
# Ban duration; the default is 600 and should be extended. Unit: seconds
bantime = 43200
# The default action, iptables-multiport, produced iptables errors here: IPs on the ban list could still connect
banaction = iptables-allports
Reload so the rules take effect, then check the status of the sshd jail:
sudo fail2ban-client reload
sudo fail2ban-client status sshd
In normal operation the status looks like this:
Status for the jail: sshd
|- Filter
| |- Currently failed: 21
| |- Total failed: 21
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 159.89.178.62
References
Fail2ban Configuration for Secure Servers: One Step at a Time
linux - fail2ban keeps saying already banned but it didn't actually ban - Unix & Linux Stack Exchange
Source: https://www.cnblogs.com/azureology/p/15185460.html