Как закрыть досуп горе хакерам?

Добрый день!
Недавно заметил такое чудо в /var/log/secure
Feb 12 16:33:10 *** sshd[30516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=220.174.22.182
Feb 12 16:33:10 *** sshd[30516]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Feb 12 16:33:12 *** sshd[30516]: Failed password for invalid user admin from 220.174.22.182 port 43984 ssh2
Feb 12 16:33:13 *** sshd[30517]: Connection closed by 220.174.22.182
Feb 12 17:10:35 *** sshd[30977]: Invalid user test from 79.143.39.164
Feb 12 17:10:35 *** sshd[30978]: input_userauth_request: invalid user test
Feb 12 17:10:35 *** sshd[30977]: pam_unix(sshd:auth): check pass; user unknown
Feb 12 17:10:35 *** sshd[30977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=nonstop.vn.ua
Feb 12 17:10:35 *** sshd[30977]: pam_succeed_if(sshd:auth): error retrieving information about user test
Feb 12 17:10:37 *** sshd[30977]: Failed password for invalid user test from 79.143.39.164 port 38192 ssh2
Feb 12 17:10:37 *** sshd[30978]: Received disconnect from 79.143.39.164: 11: Bye Bye
Feb 12 17:10:37 *** sshd[30981]: Invalid user oracle from 79.143.39.164
Feb 12 17:10:37 *** sshd[30982]: input_userauth_request: invalid user oracle
Feb 12 17:10:37 *** sshd[30981]: pam_unix(sshd:auth): check pass; user unknown
Feb 12 17:10:37 *** sshd[30981]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=nonstop.vn.ua
Feb 12 17:10:37 *** sshd[30981]: pam_succeed_if(sshd:auth): error retrieving information about user oracle
Feb 12 17:10:40 *** sshd[30981]: Failed password for invalid user oracle from 79.143.39.164 port 38505 ssh2
Feb 12 17:10:40 *** sshd[30982]: Received disconnect from 79.143.39.164: 11: Bye Bye
Feb 12 17:10:40 *** sshd[30983]: Invalid user guest from 79.143.39.164
Feb 12 17:10:40 *** sshd[30984]: input_userauth_request: invalid user guest
Feb 12 17:10:40 *** sshd[30983]: pam_unix(sshd:auth): check pass; user unknown
Feb 12 17:10:40 *** sshd[30983]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=nonstop.vn.ua
Feb 12 17:10:40 *** sshd[30983]: pam_succeed_if(sshd:auth): error retrieving information about user guest
Feb 12 17:10:42 *** sshd[30983]: Failed password for invalid user guest from 79.143.39.164 port 38925 ssh2
Feb 12 17:10:42 *** sshd[30984]: Received disconnect from 79.143.39.164: 11: Bye Bye
Feb 12 17:10:42 *** sshd[30985]: Invalid user user from 79.143.39.164
Feb 12 17:10:42 *** sshd[30986]: input_userauth_request: invalid user user
Feb 12 17:10:42 *** sshd[30985]: pam_unix(sshd:auth): check pass; user unknown
Feb 12 17:10:42 *** sshd[30985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=nonstop.vn.ua
Feb 12 17:10:42 *** sshd[30985]: pam_succeed_if(sshd:auth): error retrieving information about user user
Feb 12 17:10:44 *** sshd[30985]: Failed password for invalid user user from 79.143.39.164 port 39234 ssh2
Feb 12 17:10:44 *** sshd[30986]: Received disconnect from 79.143.39.164: 11: Bye Bye
Feb 12 17:10:45 *** sshd[30987]: Invalid user info from 79.143.39.164


наскольео я понимаю, это какой-то чудак пытается подобрать доступ по бруту. Как можно отсекать таких умельцев?

P.S. я не очень хороший админ, поэтому буду благодарен за развернутый ответ
  • Вопрос задан
  • 7196 просмотров
Решения вопроса 1
VELIK505
@VELIK505
Руководитель департамента profitcentr.com
/etc/ssh/sshd_config
Port 22 - можно и порт заменить
LoginGraceTime 15s - максимум время на ввод пароля
PermitRootLogin off - запретить ssh для рута
MaxAuthTries 1 - максимум попыток ввода пароля.
Этого достаточно будет за глаза.
можете ещё через iptables можете закрыть токо своему айпи открыть
iptables -A INPUT -s xxx.x.x.x -p tcp --dport 22 -j accept
где xxx.x.x.x - айпи с которого можно в ssh попадать.
так же в /etc/hosts.allow можете прописать:
SSHD: xxx.x.x.x - где xxx.x.x.x ваш айпи с которого можно заходить в ssh.
ребутьте токо sshd после настроек новых чтобы они вступили в силу
/etc/init.d/ssh
Ответ написан
Пригласить эксперта
Ответы на вопрос 4
1. Сменить 22 порт
2. Запретить вход от root /etc/ssh/sshd_config:
# Authentication:
LoginGraceTime 20
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes
#SSH разрешен только пользователям:
AllowUsers bla-bla-bla(тут пользователь, которым ты коннектишься)
#время закрытия неработающей сессии
ClientAliveInterval 300
ClientAliveCountMax 0
3. Fail2ban
Ответ написан
Комментировать
@kryvel
Системный администратор
можно еще установить fail2ban
он достаточно хорошо справляется с этой заразой
Ответ написан
Комментировать
dimonchik2013
@dimonchik2013
non progredi est regredi
смена порта + ключ , обычно достаточно

если очень хочется - двухфакторная аутентификация

если еще сильнее - knock knock
Ответ написан
Комментировать
@bukass
Современным ботам, пофигу на нестандартный порт.

Для тех кто все еще сомневается.

Feb 9 05:38:25 vyatta sshd[31650]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:38:29 vyatta sshd[31652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:38:47 vyatta sshd[31654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:38:51 vyatta sshd[31656]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:38:55 vyatta sshd[31658]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:39:14 vyatta sshd[31660]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:39:18 vyatta sshd[31662]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:39:22 vyatta sshd[31664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:39:41 vyatta sshd[31666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:40:40 vyatta sshd[31682]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:40:59 vyatta sshd[31684]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:41:02 vyatta sshd[31686]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:41:06 vyatta sshd[31688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:41:25 vyatta sshd[31690]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:41:28 vyatta sshd[31692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 05:41:32 vyatta sshd[31694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.10.51.49 user=root
Feb 9 08:05:20 vyatta pptpd[31792]: CTRL: EOF or bad error reading ctrl packet length.
Feb 9 08:05:20 vyatta pptpd[31792]: CTRL: couldn't read packet header (exit)
Feb 9 08:05:20 vyatta pptpd[31792]: CTRL: CTRL read failed
Feb 9 11:50:19 vyatta sshd[31830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:50:31 vyatta sshd[31830]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:50:31 vyatta sshd[31830]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:51:24 vyatta sshd[31848]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:51:35 vyatta sshd[31848]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:51:35 vyatta sshd[31848]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:54:32 vyatta sshd[31900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:54:44 vyatta sshd[31900]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:54:44 vyatta sshd[31900]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:55:54 vyatta sshd[31922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:56:05 vyatta sshd[31922]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:56:05 vyatta sshd[31922]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:56:18 vyatta sshd[31927]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:56:30 vyatta sshd[31927]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:56:30 vyatta sshd[31927]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:57:30 vyatta sshd[31946]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:57:41 vyatta sshd[31946]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 11:57:41 vyatta sshd[31946]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 11:59:55 vyatta sshd[31986]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 12:00:06 vyatta sshd[31986]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 12:00:06 vyatta sshd[31986]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 12:02:13 vyatta sshd[32025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 12:02:24 vyatta sshd[32025]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.10.124 user=root
Feb 9 12:02:24 vyatta sshd[32025]: PAM service(sshd) ignoring max retries; 5 > 3
Feb 9 13:50:12 vyatta pptpd[32103]: CTRL: EOF or bad error reading ctrl packet length.
Feb 9 13:50:12 vyatta pptpd[32103]: CTRL: couldn't read packet header (exit)
Feb 9 13:50:12 vyatta pptpd[32103]: CTRL: CTRL read failed
Feb 10 12:46:32 vyatta sshd[32345]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:46:39 vyatta sshd[32348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:47:00 vyatta sshd[32350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:47:20 vyatta sshd[32352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:47:27 vyatta sshd[32354]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:47:51 vyatta sshd[32356]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:48:03 vyatta sshd[32358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:48:15 vyatta sshd[32360]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:48:44 vyatta sshd[32362]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:48:51 vyatta sshd[32364]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:48:58 vyatta sshd[32366]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:49:18 vyatta sshd[32368]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:49:27 vyatta sshd[32370]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 10 12:49:31 vyatta sshd[32372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.15.235 user=root
Feb 11 08:28:57 vyatta pptpd[32594]: CTRL: EOF or bad error reading ctrl packet length.
Feb 11 08:28:57 vyatta pptpd[32594]: CTRL: couldn't read packet header (exit)
Feb 11 08:28:57 vyatta pptpd[32594]: CTRL: CTRL read failed
Feb 11 14:13:46 vyatta pptpd[32626]: CTRL: EOF or bad error reading ctrl packet length.
Feb 11 14:13:46 vyatta pptpd[32626]: CTRL: couldn't read packet header (exit)
Feb 11 14:13:46 vyatta pptpd[32626]: CTRL: CTRL read failed
Feb 11 14:49:17 vyatta pptpd[32633]: CTRL: EOF or bad error reading ctrl packet length.
Feb 11 14:49:17 vyatta pptpd[32633]: CTRL: couldn't read packet header (exit)
Feb 11 14:49:17 vyatta pptpd[32633]: CTRL: CTRL read failed
Feb 13 08:37:59 vyatta sshd[984]: warning: can't get client address: Connection reset by peer
Feb 13 09:39:11 vyatta pptpd[1039]: CTRL: EOF or bad error reading ctrl packet length.
Feb 13 09:39:11 vyatta pptpd[1039]: CTRL: couldn't read packet header (exit)
Feb 13 09:39:11 vyatta pptpd[1039]: CTRL: CTRL read failed
Feb 13 14:45:25 vyatta sshd[1071]: pam_unix(sshd:auth): check pass; user unknown
Feb 13 14:45:25 vyatta sshd[1071]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.57.72.114
Feb 13 14:45:31 vyatta sshd[1073]: pam_unix(sshd:auth): check pass; user unknown
Feb 13 14:45:31 vyatta sshd[1073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.57.72.114
Feb 13 14:45:35 vyatta sshd[1076]: pam_unix(sshd:auth): check pass; user unknown
Feb 13 14:45:35 vyatta sshd[1076]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.57.72.114
Feb 13 14:45:40 vyatta sshd[1078]: pam_unix(sshd:auth): check pass; user unknown
Feb 13 14:45:40 vyatta sshd[1078]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=183.57.72.114

А для запрета ssh с каких попало адресов /etc/hosts.deny /etc/hosts.alow
Ответ написан
Комментировать
Ваш ответ на вопрос

Войдите, чтобы написать ответ

Похожие вопросы