Another miserable Monday, another miserable week of work. I sat down at my desk with my motivation already fading, but when I discovered that my three servers had once again been targeted by those ruthless little black-hats, my anger hit the ceiling, and I felt a bit embarrassed at the same time, hahaha.
Since these three servers are my own and have never had the care of the ops team, they basically had no protection on the security side.
How did I find out this time? The crawler running on my server suddenly stopped, so with that question in mind I went to look at the system log and typed the following command.
What greeted me was a screenful of scans and SSH login attempts:
```
Sep 09 11:02:49 4Z-J16-A47 sshd[65522]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Failed password for invalid user admin from 117.132.175.25 port 42972 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Received disconnect from 117.132.175.25 port 42972:11: Bye Bye [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Disconnected from 117.132.175.25 port 42972 [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Failed password for invalid user ansible from 149.56.96.78 port 44980 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Received disconnect from 149.56.96.78 port 44980:11: Bye Bye [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Disconnected from 149.56.96.78 port 44980 [preauth]
Sep 09 11:02:50 4Z-J16-A47 sshd[65525]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: Failed password for root from 218.92.0.163 port 45157 ssh2
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: error: maximum authentication attempts exceeded for root from 218.92.0.163 port 45157 ssh2 [preauth]
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: Disconnecting: Too many authentication failures [preauth]
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.163 user=root
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: PAM service(sshd) ignoring max retries; 6 > 3
Sep 09 11:02:52 4Z-J16-A47 sshd[310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.92.0.163 user=root
Sep 09 11:02:52 4Z-J16-A47 sshd[310]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: error: maximum authentication attempts exceeded for root from 49.88.112.54 port 24184 ssh2 [preauth]
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: Disconnecting: Too many authentication failures [preauth]
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.54 user=root
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: PAM service(sshd) ignoring max retries; 6 > 3
Sep 09 11:02:54 4Z-J16-A47 sshd[314]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=49.88.112.54 user=root
Sep 09 11:02:54 4Z-J16-A47 sshd[314]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
```
Seeing this, I felt like my box could be stolen at any moment. This could not stand, so I started hardening it right away.
The way to deal with this situation is to forbid remote login as root, create an ordinary user and log in remotely with that instead, and, one more important point, change the default port 22.
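To get a quick picture of who is hammering the server, here is an added example (my own code, not from the original post) that parses journal lines in the format shown above and aggregates failed logins per source address; the sample lines are copied from the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the sshd journal lines from the excerpt above.
SAMPLE_LOG = """\
Sep 09 11:02:50 4Z-J16-A47 sshd[303]: Failed password for invalid user admin from 117.132.175.25 port 42972 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:50 4Z-J16-A47 sshd[302]: Failed password for invalid user ansible from 149.56.96.78 port 44980 ssh2
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: Failed password for root from 218.92.0.163 port 45157 ssh2
Sep 09 11:02:51 4Z-J16-A47 sshd[65522]: error: maximum authentication attempts exceeded for root from 218.92.0.163 port 45157 ssh2 [preauth]
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: Failed password for root from 49.88.112.54 port 24184 ssh2
Sep 09 11:02:53 4Z-J16-A47 sshd[65525]: error: maximum authentication attempts exceeded for root from 49.88.112.54 port 24184 ssh2 [preauth]
"""

# "Failed password for [invalid user ]<name> from <ip> port <n>": one failed attempt.
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# sshd dropped the connection after MaxAuthTries failures.
MAXED = re.compile(r"maximum authentication attempts exceeded for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text):
    """Per source IP: failed attempts, names tried, names that do not exist here, lockouts."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_users": set(), "lockouts": 0})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["users"].add(m["user"])
            if m["invalid"]:  # sshd says "invalid user" when the account does not exist
                entry["invalid_users"].add(m["user"])
            continue
        m = MAXED.search(line)
        if m:
            stats[m["ip"]]["lockouts"] += 1
    return dict(stats)

def suspicious_sources(stats, min_failures=2):
    """Map IP -> reasons it looks like a brute-force source; sources with no reason are dropped."""
    flagged = {}
    for ip, e in stats.items():
        checks = [(e["failures"] >= min_failures, "repeated-failures"),
                  ("root" in e["users"], "root-target"),
                  (bool(e["invalid_users"]), "invalid-user-probe"),
                  (e["lockouts"] > 0, "lockout")]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    print(suspicious_sources(summarize(SAMPLE_LOG)))
```

On a live host, feed it the text of `journalctl -u sshd --no-pager` instead of the sample.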
```
[root@*** ~]
[root@*** ~]
```
Enter the new user's password.
First, make sure that the following line in /etc/sudoers is not commented out:

```
%wheel ALL=(ALL) ALL
```

```bash
# Put the new user into the wheel group (-aG appends wheel as a supplementary
# group instead of replacing the user's primary group)
usermod -aG wheel onerocket
```
Allow only a specified group to su to root
Linux has a default administrative group, wheel. In real production environments, even when we hold the root password, logging in as root is not recommended. Normally logging in as an ordinary user is enough, and when an operation needs root privileges we su to root. But anyone who knows the root password can become root through su, which is an obvious security risk. So we add the ordinary user to the wheel group, making that user a member of the administrators' group, and then configure the system so that only members of wheel can use su to switch to root.
```bash
# Uncomment the pam_wheel line in /etc/pam.d/su so su requires wheel membership
sed -i '/pam_wheel.so use_uid/c\auth required pam_wheel.so use_uid' /etc/pam.d/su
# Add SU_WHEEL_ONLY yes to /etc/login.defs if it is not there already
n=$(grep -c SU_WHEEL_ONLY /etc/login.defs)
if [ "$n" -eq 0 ]; then
    echo "SU_WHEEL_ONLY yes" >> /etc/login.defs
fi
```
Open the sshd configuration file:

```bash
vim /etc/ssh/sshd_config
```

Find "#PermitRootLogin yes", remove the leading "#", change the trailing "yes" to "no" (different versions may be case-sensitive), and save the file.
Change the default sshd port
Although changing the port cannot fundamentally defend against port scanning, it does raise the bar to some extent.
Open the sshd configuration file.
Find #Port 22 and remove the comment marker.
The server port number can go as high as 65536.
Then add a second line, Port 61024 (pick whatever you like):

```
Port 22
Port 61024
```
Restart the sshd service:

```bash
service sshd restart    # SysV-style init
systemctl restart sshd  # systemd (use whichever your system has)
# Open the new port in firewalld (this is the runtime rule only; run it again with
# --permanent so it survives a firewalld reload)
firewall-cmd --add-port=61024/tcp
```
Test it: log in with the new user on the new port.
Once the login succeeds, comment out Port 22 again and restart sshd.
With that, the hardening of remote login is done.
Finally, a word of warning from personal experience: a server running bare with no protection really is far too easy to turn into a zombie!!!!!
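To check that the three changes are actually in effect, here is an added example (my own code, not from the original post) that reads an sshd_config and /etc/pam.d/su in the form produced above and reports what is still missing; the sample file contents are constructed, and Match blocks in sshd_config are assumed absent.

```python
import re

# Constructed samples: sshd_config and /etc/pam.d/su before and after the changes above.
SSHD_BEFORE = "#Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n"
SSHD_AFTER = "#Port 22\nPort 61024\nPermitRootLogin no\nPasswordAuthentication yes\n"
PAM_SU_BEFORE = "auth\tsufficient\tpam_rootok.so\n#auth\t\trequired\tpam_wheel.so use_uid\n"
PAM_SU_AFTER = "auth\tsufficient\tpam_rootok.so\nauth\t\trequired\tpam_wheel.so use_uid\n"

def parse_sshd_config(text):
    """keyword (lower-cased) -> list of values in file order. sshd honours the first
    value of most keywords, but Port may legitimately appear several times.
    Assumption: no Match blocks, i.e. every line is in the global section."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only treats whole lines as comments
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue  # keyword without a value; sshd itself would reject this
        opts.setdefault(parts[0].lower(), []).append(parts[1])
    return opts

def wheel_required_for_su(pam_su_text):
    """True when a live (uncommented) line makes pam_wheel.so required, as the sed above does."""
    for raw in pam_su_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        if re.match(r"auth\s+required\s+pam_wheel\.so(\s|$)", line):
            return True
    return False

def audit(sshd_text, pam_su_text):
    """Return a list of findings; an empty list means all three changes are in place."""
    opts = parse_sshd_config(sshd_text)
    findings = []
    root = opts.get("permitrootlogin", ["<unset>"])[0].lower()
    if root != "no":  # unset means sshd's built-in default, which is "yes" on old versions
        findings.append(f"PermitRootLogin is {root}, expected no")
    ports = opts.get("port", ["22"])  # no Port line means the default 22
    if "22" in ports:
        findings.append("sshd still accepts connections on port 22")
    if not wheel_required_for_su(pam_su_text):
        findings.append("pam_wheel.so is not required in /etc/pam.d/su")
    return findings
```

Point it at the real files with `audit(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/su").read())`; a non-empty result after the "comment out Port 22 again" step usually means that step was skipped.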