Situation: a cloud server bound to a public IP is having its ssh password brute-forced from a single IP
lastb | tail -n 30 # view the failed-login records
hadoop ssh:notty 124.70.118.18 Thu Mar 4 22:13 - 22:13 (00:00)
postgres ssh:notty 124.70.118.18 Thu Mar 4 22:13 - 22:13 (00:00)
hadoop ssh:notty 124.70.118.18 Thu Mar 4 22:13 - 22:13 (00:00)
oracle ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
oracle ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
oracle ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
oracle ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
hadoop ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
hadoop ssh:notty 124.70.118.18 Thu Mar 4 22:12 - 22:12 (00:00)
spark ssh:notty 124.70.118.18 Thu Mar 4 22:11 - 22:11 (00:00)
spark ssh:notty 124.70.118.18 Thu Mar 4 22:11 - 22:11 (00:00)
spark ssh:notty 124.70.118.18 Thu Mar 4 22:11 - 22:11 (00:00)
spark ssh:notty 124.70.118.18 Thu Mar 4 22:11 - 22:11 (00:00)
kafka ssh:notty 124.70.118.18 Thu Mar 4 22:11 - 22:11 (00:00)
kafka ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
kafka ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
kafka ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
root ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
root ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
root ssh:notty 124.70.118.18 Thu Mar 4 22:10 - 22:10 (00:00)
root ssh:notty 124.70.118.18 Thu Mar 4 22:09 - 22:09 (00:00)
root ssh:notty 14.18.234.98 Thu Mar 4 18:56 - 18:56 (00:00)
root ssh:notty 14.18.234.98 Thu Mar 4 18:56 - 18:56 (00:00)
root ssh:notty 14.18.234.98 Thu Mar 4 18:55 - 18:55 (00:00)
root ssh:notty 14.18.234.98 Thu Mar 4 18:55 - 18:55 (00:00)
root ssh:notty 14.18.234.98 Thu Mar 4 18:55 - 18:55 (00:00)
jolien ssh:notty 68.183.210.203 Thu Mar 4 15:56 - 15:56 (00:00)
jolien ssh:notty 68.183.210.203 Thu Mar 4 15:56 - 15:56 (00:00)
lastb reads /var/log/btmp, the record of failed logins; lastlog shows each user's most recent login.
You can see a single IP trying ssh logins against the accounts of common services (hadoop, postgres, oracle, spark, kafka, root).
Let's look at the failure counts.
# tally failures by source IP
lastb | awk '{sum[$3]++} END{for(i in sum){print i" "sum[i]}}'
1 # the blank line counts as 1
14.18.234.98 5
Thu 1 # the trailer line of lastb's output; just a quick look, not worth filtering out
68.183.210.203 2
111.19.129.43 5
177.78.60.48 9
124.70.118.24 1775 # 1775 failed ssh attempts from one IP, wow
124.70.118.18 391 # 391 attempts, not as aggressive as the one above
Now that the IPs are known, on to the ssh blacklist.
# edit the config file
vim /etc/ssh/sshd_config
==========================
# blacklist: deny any user logging in from these IPs (user@host patterns; the address must not carry the count from the tally above)
DenyUsers *@124.70.118.24 *@124.70.118.18
===============================================
systemctl restart sshd # restart the service
Or set an ssh whitelist instead:
AllowUsers myuser@myip
Passwords still must not be simple or default ones. It would also be worth writing a scheduled script that runs at night (the probing started at 10 pm), collects the IPs with failed logins, and uses sed to add them to the ssh blacklist.
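The nightly script suggested above, written out as an added example (not code from the original post): it tallies failed logins per source IP from lastb output, keeps the ones over a threshold, and appends them to an sshd_config deny list without duplicating entries on reruns. It assumes lastb prints the source address in field 3, as in the output shown; the threshold, the config path and the sample log are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: tally failed-login IPs from lastb
# and add them to the sshd_config blacklist. Assumes lastb's field 3 is the
# source address (as in the output above); threshold and config path are
# parameters you pass in.

# Print "ip count" for every IPv4 source with at least $1 failures, most first.
# Reads lastb output on stdin; the blank line and the "btmp begins" trailer are
# skipped because their third field is not an address.
count_failed_ips() {
    awk -v th="${1:-100}" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { sum[$3]++ }
        END { for (ip in sum) if (sum[ip] >= th) print ip, sum[ip] }
    ' | sort -k2,2nr
}

# Build one sshd_config directive from "ip count" lines on stdin:
#   DenyUsers *@ip1 *@ip2 ...   (blocks every user name from those hosts)
deny_users_line() {
    awk 'BEGIN { printf "DenyUsers" } { printf " *@%s", $1 } END { print "" }'
}

# Append "DenyUsers *@ip" to config file $1 for each ip on stdin that is not
# already present as a whole token anywhere in the file, so a cron rerun never
# duplicates entries. Run `sshd -t` on the result before restarting sshd.
add_to_denylist() {
    cfg="$1"
    while read -r ip _; do
        if ! grep -qwF "*@$ip" "$cfg"; then
            printf 'DenyUsers *@%s\n' "$ip" >> "$cfg"
        fi
    done
}

# Constructed sample in lastb's format (not a real log) for a dry run.
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    124.70.118.18    Thu Mar  4 22:10 - 22:10  (00:00)
hadoop   ssh:notty    124.70.118.18    Thu Mar  4 22:10 - 22:10  (00:00)
kafka    ssh:notty    124.70.118.18    Thu Mar  4 22:09 - 22:09  (00:00)
spark    ssh:notty    124.70.118.18    Thu Mar  4 22:09 - 22:09  (00:00)
root     ssh:notty    14.18.234.98     Thu Mar  4 18:56 - 18:56  (00:00)
root     ssh:notty    14.18.234.98     Thu Mar  4 18:55 - 18:55  (00:00)
root     ssh:notty    14.18.234.98     Thu Mar  4 18:55 - 18:55  (00:00)
jolien   ssh:notty    68.183.210.203   Thu Mar  4 15:56 - 15:56  (00:00)

btmp begins Thu Mar  4 15:56:01 2021
EOF
}

# Dry run: in production replace sample_lastb with `lastb`, raise the threshold,
# and pipe into add_to_denylist /etc/ssh/sshd_config instead of printing.
sample_lastb | count_failed_ips 3 | deny_users_line
```

Keep the threshold well above what a few mistyped passwords from your own address would produce, since a `*@ip` entry locks out every account from that host, including yours.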