1. Background
This case occurred during a release to the company's pre-production environment. The steps Java compile and package -> build Docker image -> push image to Harbor -> business server pulls the image had all completed; the final step (ssh into the business server and start the containers with docker-compose) failed with the error below:
ssh_exchange_identification: Connection closed by remote host
2. Analysis & Solution
2.1 Server environment
CentOS 7.6
2.2 Symptoms
From the error above it can be seen that when the Jenkins shell connected to the remote machine, the ssh server terminated the connection. Either sshd was down or there were too many connections, so the first option was tried: systemctl restart sshd.service
Restarting ssh did not help, so the only option left was to look for clues in the logs.
Supplementary knowledge (common directories and files for host protection):
- ssh log file:
/var/log/secure
- ssh configuration file:
/etc/ssh/sshd_config
- Linux whitelist:
/etc/hosts.allow
- Linux blacklist:
/etc/hosts.deny
- Huawei Cloud host protection (proprietary, convenient to use):
/etc/sshd.deny.hostguard
ssh log:
Jan 26 14:58:04 ecs-cicd sshd[2692]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:04 ecs-cicd sshd[2693]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:04 ecs-cicd sshd[2694]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:04 ecs-cicd sshd[2695]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:04 ecs-cicd sshd[2696]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2697]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2698]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2699]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2700]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2701]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2702]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:05 ecs-cicd sshd[2703]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:06 ecs-cicd sshd[2704]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:06 ecs-cicd sshd[2705]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:06 ecs-cicd sshd[2706]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:07 ecs-cicd sshd[2707]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:07 ecs-cicd sshd[2711]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:07 ecs-cicd sshd[2712]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:07 ecs-cicd sshd[2713]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:08 ecs-cicd sshd[2714]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:08 ecs-cicd sshd[2718]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:09 ecs-cicd sshd[2719]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:09 ecs-cicd sshd[2720]: refused connect from 159.223.106.203 (159.223.106.203)
Jan 26 14:58:09 ecs-cicd sshd[2721]: refused connect from 159.223.106.203 (159.223.106.203)
IP address ownership:
IP address: 159.223.106.203
IP Long: 2682219211
Location (纯真 data): United States
Location (ipip): United States United States -
Location (IP2REGION): United States Texas
Clearly there is a large volume of malicious attacks coming from the US, so add the address to the IP blacklist without hesitation:
/etc/hosts.deny
Append the line sshd:159.223.106.203 to the file
3. Summary
On the internet, hackers from all over the world brute-force servers every day. So what can we do to strengthen security?
- Change the ssh service port and use strong passwords.
- Use shell or Python to automatically identify IPs making malicious ssh connections and block them.
- Use the host protection service that comes with servers on public cloud.
- Keep up with the latest framework code vulnerabilities and patch them promptly (for example the Apache Log4j2 remote code execution vulnerability that recently shook the developer community).
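As an added example of the second point (not code from the original post), the following Python script counts refused and failed-password sshd events per source IP in /var/log/secure, applies a threshold and an allowlist (so the Jenkins host itself is never blocked), and renders the sshd:IP lines that the post appends to /etc/hosts.deny. The log sample is constructed and uses RFC 5737 documentation addresses; the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/secure format quoted above (not a real
# capture; the addresses come from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jan 26 14:58:04 ecs-cicd sshd[2692]: refused connect from 203.0.113.10 (203.0.113.10)
Jan 26 14:58:04 ecs-cicd sshd[2693]: refused connect from 203.0.113.10 (203.0.113.10)
Jan 26 14:58:05 ecs-cicd sshd[2697]: refused connect from 203.0.113.10 (203.0.113.10)
Jan 26 14:58:05 ecs-cicd sshd[2698]: refused connect from 203.0.113.10 (203.0.113.10)
Jan 26 14:58:06 ecs-cicd sshd[2704]: refused connect from 203.0.113.10 (203.0.113.10)
Jan 26 14:58:09 ecs-cicd sshd[2720]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jan 26 14:58:10 ecs-cicd sshd[2721]: Failed password for root from 198.51.100.7 port 40023 ssh2
Jan 26 14:58:11 ecs-cicd sshd[2722]: Accepted publickey for deploy from 192.0.2.5 port 51000 ssh2
"""

# Two sshd message shapes worth counting: TCP-wrapper refusals (the lines in
# the post) and failed password attempts (brute-force guessing).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: refused connect from (\d{1,3}(?:\.\d{1,3}){3})"),
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3}) port"),
]


def count_suspicious(log_text):
    """Map each source IP to its number of refused/failed sshd events."""
    counts = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break  # one event per line
    return counts


def blocklist_candidates(log_text, threshold, allowlist=frozenset()):
    """IPs with at least `threshold` events, minus hosts that must never be
    blocked (e.g. the Jenkins/CI machine that runs the deploy step)."""
    counts = count_suspicious(log_text)
    return {ip for ip, n in counts.items() if n >= threshold and ip not in allowlist}


def hosts_deny_lines(ips):
    """Render /etc/hosts.deny entries in the form the post appends: sshd:IP"""
    return [f"sshd:{ip}" for ip in sorted(ips)]
```

Run it against a real file with blocklist_candidates(open('/var/log/secure').read(), 3, allowlist={'<jenkins-ip>'}) and review the candidates before appending them, since a hosts.deny entry blocks every sshd connection from that address.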