My Server Got Hacked (Part 2)

Another dreary Monday, another dreary week of work. I sat down at my desk with what little motivation I had already fading, and then I discovered that my three servers had once again been singled out by those heartless little black-hats. My rage meter hit the ceiling, and I also felt a bit embarrassed, haha.


These three servers are my own and never got the attention of our ops colleagues, so in terms of security they had essentially no protection at all.
How did I notice this time? The crawler running on one of the servers suddenly stopped, so I went to look at the system log with the following command:

```bash
journalctl -xe
```


What greeted me was a screen full of scans and SSH login attempts:

```
Sep 09 11:02:49 4Z-J16-A47 sshd[65522]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Failed password for invalid user admin from 117.132.175.25 port 42972 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Received disconnect from 117.132.175.25 port 42972:11: Bye Bye [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Disconnected from 117.132.175.25 port 42972 [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Failed password for invalid user ansible from 149.56.96.78 port 44980 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Received disconnect from 149.56.96.78 port 44980:11: Bye Bye [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Disconnected from 149.56.96.78 port 44980 [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[65525]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: Failed password for root from 218.92.0.163 port 45157 ssh2
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: error: maximum authentication attempts exceeded for root from 218.92.0.163 port 45157 ssh2 [preauth]
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: Disconnecting: Too many authentication failures [preauth]
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.163 user=root
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: PAM service(sshd) ignoring max retries; 6 > 3
Sep 09 11:02:52 4Z-J16-A47 sshd[310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.163 user=root
Sep 09 11:02:52 4Z-J16-A47 sshd[310]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: error: maximum authentication attempts exceeded for root from 49.88.112.54 port 24184 ssh2 [preauth]
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: Disconnecting: Too many authentication failures [preauth]
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.54 user=root
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: PAM service(sshd) ignoring max retries; 6 > 3
Sep 09 11:02:54 4Z-J16-A47 sshd[314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.54 user=root
Sep 09 11:02:54 4Z-J16-A47 sshd[314]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
```
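Eyeballing a scrolling journal is a poor way to judge how bad the situation is. As an added example (not part of the original post), the POSIX shell functions below triage sshd lines of exactly this format: failures per source address, user names that do not even exist on the host (sshd tags them "invalid user", a cheap sign of an automated wordlist), sources that crossed a threshold, and the number of attempts aimed at root. The sample log is constructed, with RFC 5737 documentation addresses instead of the real ones above; the function names are my own.

```sh
#!/bin/sh
# Constructed sample in the same format as the journalctl output above.
# The addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG='Sep 09 11:02:50 host sshd[303]: Failed password for invalid user admin from 198.51.100.7 port 42972 ssh2
Sep 09 11:02:50 host sshd[65525]: Failed password for root from 203.0.113.54 port 24184 ssh2
Sep 09 11:02:50 host sshd[302]: Failed password for invalid user ansible from 198.51.100.7 port 44980 ssh2
Sep 09 11:02:51 host sshd[65522]: Failed password for root from 203.0.113.54 port 45157 ssh2
Sep 09 11:02:51 host sshd[65522]: error: maximum authentication attempts exceeded for root from 203.0.113.54 port 45157 ssh2 [preauth]
Sep 09 11:02:53 host sshd[65525]: Failed password for root from 203.0.113.54 port 24184 ssh2
Sep 09 11:02:54 host sshd[314]: Accepted publickey for one from 192.0.2.10 port 50000 ssh2'

# failures_by_ip: read sshd log lines on stdin and print "<count> <ip>" for
# every source that produced a "Failed password" line, busiest source first.
failures_by_ip() {
    grep 'Failed password for' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# invalid_users: user names tried that do not exist on this host. sshd marks
# them "invalid user"; the list shows which wordlist the bots are working from.
invalid_users() {
    sed -n 's/.*Failed password for invalid user \([^ ]*\) from .*/\1/p' | sort -u
}

# noisy_sources <threshold>: addresses whose failure count reached the
# threshold, i.e. candidates for a firewall drop or a fail2ban-style jail.
noisy_sources() {
    failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# root_attempts: password failures aimed at the root account. Once
# PermitRootLogin is set to no these can no longer succeed whatever the password.
root_attempts() {
    grep -c 'Failed password for root from'
}

# On a live host: journalctl -u sshd --no-pager | failures_by_ip
# Against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

The functions read standard input, so the same pipeline works on `journalctl -u sshd`, on `/var/log/secure`, or on a saved copy of the log taken for the incident record.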


Seeing this, it felt as if my box could be turned into somebody's zombie at any moment... that simply would not do, so I started hardening right away.
The response to this situation: forbid remote login as root, create an ordinary user and log in remotely as that user instead, and, one more important point, change the default port 22.

```bash
[root@*** ~]# useradd one     # create the user
[root@*** ~]# passwd one      # set its password
```


Enter the new user's password.
First make sure that in /etc/sudoers the line

```
%wheel    ALL=(ALL)    ALL
```

is not commented out.


```bash
usermod -aG wheel one    # append the user to the wheel group (-aG adds a supplementary group; -g would replace its primary group)
```


Restrict the su command so that only members of a designated group can switch to root.


Linux has a default administrative group, wheel. In a real production environment, even when we hold root's privileges, logging in as root is not recommended. Normally logging in as an ordinary user is enough; when an operation needs root privileges, we su to root for it. However, anyone who knows the root password can then become root through su, which is clearly a security risk. So we add the ordinary user to the wheel group, making it a member of the administrators' group, and then configure the system so that only members of wheel may use su to switch to root.

```bash
#!/bin/bash
# Function: edit the config files so that only members of the wheel group can use su
# Uncomment the "auth required pam_wheel.so use_uid" line in the su PAM stack
# (the pattern is anchored on "required" so the "sufficient ... trust" line is left alone)
sed -i '/^#*auth.*required.*pam_wheel.so use_uid/c\auth required pam_wheel.so use_uid' /etc/pam.d/su
# Tell the shadow-utils su the same thing, unless the setting is already present
n=$(grep -c SU_WHEEL_ONLY /etc/login.defs)
if [ "$n" -eq 0 ]; then
    echo 'SU_WHEEL_ONLY yes' >> /etc/login.defs
fi
```


Open the sshd configuration file:

```bash
vim /etc/ssh/sshd_config
```

Find "#PermitRootLogin yes", remove the leading "#", change the trailing "yes" to "no" (some versions are case-sensitive), and save the file.


Change the default sshd port
Changing the port cannot fundamentally defeat port scanning, but it does raise the bar somewhat.
Open the sshd configuration file:

```bash
vi /etc/ssh/sshd_config
```

Find #Port 22 and remove the comment marker.

Server ports can go as high as 65536.

Then add a second line, Port 61024 (pick any value you like):

```
Port 22
Port 61024
```


Restart the sshd service and open the new port in the firewall:

```bash
service sshd restart      # CentOS 6 series
systemctl restart sshd    # CentOS 7 series
firewall-cmd --permanent --add-port=61024/tcp   # --permanent keeps the rule across reboots
firewall-cmd --reload
```


Test: log in with the new user on the new port.

If the login succeeds, comment out Port 22 and restart sshd again.
With that, the protection for remote login is in place.
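The steps above edit /etc/ssh/sshd_config by hand. As an added example (not from the original post), the POSIX shell functions below make the same two changes on a config file given as a parameter, validate the port number, keep port 22 until `retire_port_22` is called once a login on the new port has been verified, and wrap the host-side commands (config syntax check, firewalld with `--permanent`, and the SELinux port label that CentOS 7 needs before sshd may bind a non-default port). Function names and the scratch-file usage are my own; the real file is /etc/ssh/sshd_config as on the page.

```sh
#!/bin/sh
# set_sshd_option <config> <Keyword> <value>: replace an existing (possibly
# commented-out) "Keyword ..." line, or append one if the keyword is absent.
# A temp file is used instead of sed -i so the function is portable.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$cfg"; then
        sed "s/^[#[:space:]]*$key[[:space:]].*/$key $val/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# harden_sshd_config <config> <extra-port>: refuse root logins and listen on a
# second port while keeping 22, exactly as the procedure above does.
harden_sshd_config() {
    cfg=$1; newport=$2
    # Reject anything that is not a plain number in the valid TCP port range.
    case $newport in ''|*[!0-9]*) echo "bad port: $newport" >&2; return 1;; esac
    [ "$newport" -ge 1 ] && [ "$newport" -le 65535 ] || { echo "port out of range: $newport" >&2; return 1; }
    set_sshd_option "$cfg" PermitRootLogin no
    # Make "#Port 22" explicit so both ports are listed; 22 is retired later.
    sed 's/^#[[:space:]]*Port 22[[:space:]]*$/Port 22/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q "^Port $newport\$" "$cfg" || printf 'Port %s\n' "$newport" >> "$cfg"
}

# check_sshd_config <config> <extra-port>: returns 1 if root login is still
# permitted or the new port is missing. Run before restarting sshd.
check_sshd_config() {
    cfg=$1; newport=$2
    grep -q '^PermitRootLogin no$' "$cfg" || { echo "root login still permitted" >&2; return 1; }
    grep -q "^Port $newport\$" "$cfg" || { echo "port $newport not configured" >&2; return 1; }
}

# retire_port_22 <config>: the final step, only after a login on the new port
# has been verified from a second session.
retire_port_22() {
    cfg=$1
    sed 's/^Port 22[[:space:]]*$/#Port 22/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# open_port_on_host <port>: host-side steps for CentOS 7 (needs root; not run
# by the offline test). Under SELinux enforcing, sshd cannot bind a port that
# is not labelled ssh_port_t; use "semanage port -m" if the port is already mapped.
open_port_on_host() {
    port=$1
    command -v semanage >/dev/null 2>&1 && semanage port -a -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    sshd -t && systemctl restart sshd    # syntax check first, so a typo cannot lock you out
}

# Example run on a scratch copy (constructed input, not the live file):
# cp /etc/ssh/sshd_config /tmp/sshd_config.test
# harden_sshd_config /tmp/sshd_config.test 61024 && check_sshd_config /tmp/sshd_config.test 61024
```

Always keep the session that made the change open until a fresh login on the new port has succeeded; `sshd -t` catches syntax errors, but only a real login proves that the firewall and SELinux steps were applied too.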
Finally, a warning for everyone, from personal experience: a server running naked with no protection really is far too easy to turn into a zombie!!!!!