What should I do?
Here are the settings I made, on CentOS 7.
- sshd_config: root login disabled, password authentication disabled, key authentication only, and the key itself is passphrase-protected
- Installed the denyhosts tool, plus the fail2ban tool;
- Set two ports in sshd_config: 22 and one other arbitrary port;
- Added a forward-port with firewall-cmd, sending port 22 traffic to port 23, and forwarding port 22 to port 22 of the attacking IP;
The benefit of this is that /var/log/secure does not fill up with entries; attackers cannot connect, and a few Bad protocol version identification messages appear, which do not matter.
Update on 20180622 as follows
Dropped the denyhosts tool and switched to the fail2ban tool;
Kept the denyhosts tool and added the fail2ban tool;
Added the following filter rules in /etc/fail2ban/filter.d/sshd.conf
^%(__prefix_line)sReceived disconnect from <HOST> port .*:11: (Bye Bye)? \[preauth\]$
^%(__prefix_line)sDisconnected from <HOST> port .* \[preauth\]$
^%(__prefix_line)sConnection closed by <HOST>%(__on_port_opt)s \[preauth\]$
Added a new /etc/fail2ban/action.d/firewallcmd-forward.conf
[Definition]
actionstart =
actionstop =
actioncheck =
# Runtime-only rules (no --permanent): they are dropped on a firewalld reload.
# Forwarding to another address (toaddr=) needs masquerading enabled in the zone.
# actionban first clears every existing forward-port, so only one host is forwarded at a time.
actionban = for p in $(firewall-cmd --list-forward-ports);do firewall-cmd --remove-forward-port="$p" ; done ; firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=<ip>
# actionunban removes all forward-ports in the zone, not only the one for the unbanned host.
actionunban = for i in $(firewall-cmd --list-forward-ports); do firewall-cmd --remove-forward-port="$i" ; done
[Init]
name = default
zone = public
service = ssh
blocktype = reject type='icmp-port-unreachable'
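To check what the three failregex lines in the post actually catch before wiring them to a ban action, here is an added Python example (not part of the original post and not fail2ban's own code): it expands the fail2ban placeholders with approximate definitions, runs the patterns over constructed /var/log/secure lines, and counts hits per host against a maxretry threshold. PREFIX_LINE, ON_PORT_OPT and HOST are assumptions that approximate fail2ban's sshd filter variables, and SAMPLE_LOG is constructed data.

```python
import re

# Approximations of fail2ban's sshd.conf interpolation variables (assumption:
# close to the stock definitions, simplified so the patterns run offline).
PREFIX_LINE = r"(?:[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d )?\S+ sshd\[\d+\]: "
ON_PORT_OPT = r"(?: (?:port \d+|on \S+)){0,2}"
HOST = r"(?P<host>[\w.:-]+)"  # fail2ban's <HOST> is a named group like this

# The three failregex lines from the post, verbatim.
RAW_FAILREGEX = [
    r"^%(__prefix_line)sReceived disconnect from <HOST> port .*:11: (Bye Bye)? \[preauth\]$",
    r"^%(__prefix_line)sDisconnected from <HOST> port .* \[preauth\]$",
    r"^%(__prefix_line)sConnection closed by <HOST>%(__on_port_opt)s \[preauth\]$",
]

def compile_failregex(raw):
    """Expand the fail2ban placeholders and compile the pattern."""
    expanded = (raw.replace("%(__prefix_line)s", PREFIX_LINE)
                   .replace("%(__on_port_opt)s", ON_PORT_OPT)
                   .replace("<HOST>", HOST))
    return re.compile(expanded)

FAILREGEX = [compile_failregex(r) for r in RAW_FAILREGEX]

def match_host(line):
    """Return the host a failregex extracts from one log line, or None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3):
    """Count failregex hits per host and return those reaching maxretry."""
    counts = {}
    for line in lines:
        host = match_host(line)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return {h: n for h, n in counts.items() if n >= maxretry}

# Constructed /var/log/secure lines (not real log data).
SAMPLE_LOG = [
    "Jun 22 10:00:01 host1 sshd[1234]: Received disconnect from 203.0.113.7 port 51022:11: Bye Bye [preauth]",
    "Jun 22 10:00:02 host1 sshd[1235]: Disconnected from 203.0.113.7 port 51023 [preauth]",
    "Jun 22 10:00:03 host1 sshd[1236]: Connection closed by 203.0.113.7 port 51024 [preauth]",
    "Jun 22 10:00:04 host1 sshd[1237]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2",
    "Jun 22 10:00:05 host1 sshd[1238]: Connection closed by 198.51.100.9 port 40001 [preauth]",
]
if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # {'203.0.113.7': 3}
```

Because the "Connection closed by ... [preauth]" pattern also fires for a client that disconnects before authenticating, a maxretry threshold such as the one in hosts_to_ban keeps a single benign disconnect from triggering the forward action.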