Connecting to 106.12.80.64:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Thu Jan 10 19:21:09 CST 2019 from 89.46.223.79 on ssh:notty
There were 70 failed login attempts since the last successful login.
Last login: Thu Jan 10 10:10:18 2019 from 116.228.237.226
root@jonathan-pc:~#
root@jonathan-pc:~# ls /var/log/
anaconda cloud-init-output.log lastlog messages-20190106 spooler
audit collectd.log maillog qemu-ga spooler-20181216
boot.log cron maillog-20181216 rhsm spooler-20181223
boot.log-20181109 cron-20181216 maillog-20181223 sa spooler-20181230
boot.log-20181123 cron-20181223 maillog-20181230 samba spooler-20190106
boot.log-20190109 cron-20181230 maillog-20190106 secure thttpd.log
btmp cron-20190106 messages secure-20181216 tuned
btmp-20190101 dmesg messages-20181216 secure-20181223 wtmp
chrony dmesg.old messages-20181223 secure-20181230 yum.log
cloud-init.log grubby messages-20181230 secure-20190106 yum.log-20190101
# vi /var/log/secure
Jan 6 03:43:04 localhost sshd[69671]: Invalid user cmf from 121.254.179.140 port 37980
Jan 6 03:43:04 localhost sshd[69671]: input_userauth_request: invalid user cmf [preauth]
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.254.179.140
Jan 6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan 6 03:43:06 localhost sshd[69671]: Received disconnect from 121.254.179.140 port 37980:11: Bye Bye [preauth]
Jan 6 03:43:06 localhost sshd[69671]: Disconnected from 121.254.179.140 port 37980 [preauth]
Jan 6 03:55:17 localhost sshd[70294]: Invalid user admin from 89.46.223.79 port 57882
Jan 6 03:55:17 localhost sshd[70294]: input_userauth_request: invalid user admin [preauth]
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan 6 03:55:19 localhost sshd[70294]: Received disconnect from 89.46.223.79 port 57882:11: Bye Bye [preauth]
Jan 6 03:55:19 localhost sshd[70294]: Disconnected from 89.46.223.79 port 57882 [preauth]
Jan 6 03:55:21 localhost sshd[70300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79 user=root
Jan 6 03:55:21 localhost sshd[70300]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan 6 03:55:24 localhost sshd[70300]: Received disconnect from 89.46.223.79 port 60408:11: Bye Bye [preauth]
Jan 6 03:55:24 localhost sshd[70300]: Disconnected from 89.46.223.79 port 60408 [preauth]
Jan 6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan 6 03:55:26 localhost sshd[70305]: Invalid user ubnt from 89.46.223.79 port 35132
Jan 6 03:55:26 localhost sshd[70305]: input_userauth_request: invalid user ubnt [preauth]
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:27 localhost sshd[70310]: Invalid user arthur from 106.12.209.7 port 33917
Jan 6 03:55:27 localhost sshd[70310]: input_userauth_request: invalid user arthur [preauth]
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.12.209.7
Jan 6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan 6 03:55:28 localhost sshd[70305]: Received disconnect from 89.46.223.79 port 35132:11: Bye Bye [preauth]
Jan 6 03:55:28 localhost sshd[70305]: Disconnected from 89.46.223.79 port 35132 [preauth]
Jan 6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan 6 03:55:29 localhost sshd[70310]: Connection closed by 106.12.209.7 port 33917 [preauth]
Jan 6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800
-
Disable root login over SSH
# useradd david
# passwd david
# visudo
david ALL=(ALL) NOPASSWD: ALL
(With NOPASSWD, david's own password is the only thing standing between an attacker and root, so it needs to be as strong as root's; leaving NOPASSWD: out makes sudo ask for it.)
# vi /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no
-
Change the sshd port
# vi /etc/ssh/sshd_config
#Port 22
Port 65214
# systemctl restart sshd
-
Enable an iptables blacklist
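The post lists this item without rules. As an added example, not part of the original post, the script below builds a candidate blacklist from the `Failed password` lines of /var/log/secure shown above: it counts failures per source address and prints, without applying, one iptables DROP rule per address that reached a threshold. The log lines embedded in it are constructed in the same format as the secure log; the function names and the threshold are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: count failed SSH logins per
# source address in /var/log/secure-style lines and print iptables DROP rules
# for sources at or above a threshold. The log lines below are constructed
# for this example in the same format as the secure log above.

# failed_by_host LOGFILE
# Prints "count ip" for every address with at least one "Failed password"
# line, most frequent first. Failures for valid and invalid users both count;
# "Invalid user" lines without a password attempt do not.
failed_by_host() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# blacklist_rules LOGFILE THRESHOLD
# Emits one iptables rule per source with >= THRESHOLD failures. Rules are
# printed, not applied: review them, then run them as root (or feed the
# addresses to an ipset). IPv6 sources are out of scope for this sketch.
blacklist_rules() {
    failed_by_host "$1" \
        | awk -v t="$2" '$1 >= t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Constructed sample log (same format as the secure log above).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan 6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan 6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan 6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan 6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan 6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800
EOF

echo "Failures per source:"
failed_by_host "$SAMPLE_LOG"
echo "Rules for sources with >= 3 failures:"
blacklist_rules "$SAMPLE_LOG" 3
```

A static list built this way goes stale as sources change, and one INPUT rule per address gets slow once the list grows; fail2ban does the same counting continuously with automatic expiry, and an ipset holds a large list efficiently.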
-
Log in with an RSA 8192 key plus password
Watch the read permissions on the server's authorized_keys file; they can differ between environments, and mine are 004.
# vi /etc/ssh/sshd_config
PasswordAuthentication no
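The three sshd_config edits above (PermitRootLogin, Port, PasswordAuthentication) share one pitfall: sshd applies the first uncommented occurrence of a keyword, so a duplicate line left higher in the file silently wins over the hardened one. As an added example, not part of the original post, the script below reads the effective value of each keyword the way sshd does and audits a config against the post's three settings. The sample configs are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# three settings the post changes (PermitRootLogin, Port, PasswordAuthentication).
# The sample config files below are constructed for this example.

# effective_setting CONFIG KEYWORD
# sshd applies the FIRST uncommented occurrence of a keyword, so a duplicate
# left above the hardened line silently wins. Keywords are case-insensitive.
# Settings inside a Match block are conditional and are not considered here.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == key                   { print $2; exit }
    ' "$1"
}

# sshd_hardening_check CONFIG
# Prints one OK/FAIL line per setting and returns 1 if any check fails.
# The checks demand explicit values rather than trusting compiled-in defaults.
sshd_hardening_check() {
    rc=0
    root=$(effective_setting "$1" PermitRootLogin)
    port=$(effective_setting "$1" Port)
    pass=$(effective_setting "$1" PasswordAuthentication)

    if [ "$root" = "no" ]; then echo "OK   PermitRootLogin=no"
    else echo "FAIL PermitRootLogin=${root:-unset}"; rc=1; fi

    if [ -n "$port" ] && [ "$port" != "22" ]; then echo "OK   Port=$port"
    else echo "FAIL Port=${port:-22 (default)}"; rc=1; fi

    if [ "$pass" = "no" ]; then echo "OK   PasswordAuthentication=no"
    else echo "FAIL PasswordAuthentication=${pass:-yes (default)}"; rc=1; fi
    return $rc
}

# Constructed sample: the hardened config the post ends up with.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
# constructed sample sshd_config
Port 65214
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF

# Constructed sample: an earlier uncommented duplicate defeats the change,
# and Port was never uncommented.
SLOPPY=$(mktemp)
cat > "$SLOPPY" <<'EOF'
# constructed sample sshd_config
PermitRootLogin yes
#Port 22
PermitRootLogin no
PasswordAuthentication no
EOF

sshd_hardening_check "$HARDENED"
sshd_hardening_check "$SLOPPY" || echo "sloppy config failed the audit (expected)"
```

Run it against the real file as `sshd_hardening_check /etc/ssh/sshd_config` before restarting sshd; `sshd -T` prints the effective configuration and is the authoritative check, including Match blocks this script skips.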
-
Reduce the number of network service ports
Use netstat to inspect the listening ports; the main ones to close are those in LISTEN state bound to 0.0.0.0:XX.
0.0.0.0:XX: open on every interface
127.0.0.1: open only inside this host
192.168.122.1: serving the virtual devices
[root@cloud ~]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1594/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1243/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1526/master
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      1243/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1526/master
udp        0      0 0.0.0.0:59036           0.0.0.0:*                           30996/dhclient
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1594/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1594/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           30996/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           862/chronyd
udp6       0      0 :::22527                :::*                                30996/dhclient
udp6       0      0 ::1:323                 :::*                                862/chronyd
Close the ports of any service above that is not needed, for example the service on port 111.
# 1. Look up the service behind the port in /etc/services
[root@cloud ~]# grep ' 111/' /etc/services
sunrpc          111/tcp    portmapper rpcbind   # RPC 4.0 portmapper TCP
sunrpc          111/udp    portmapper rpcbind   # RPC 4.0 portmapper UDP
# 2. Check which of the matching services is actually running
[root@cloud ~]# systemctl list-unit-files --all | grep portmap
[root@cloud ~]# systemctl list-unit-files --all | grep rpcbind
rpcbind.service    enabled
rpcbind.socket     enabled
rpcbind.target     static
# 3. Stop the service and disable it at boot
[root@cloud ~]# systemctl stop rpcbind.socket        <== stop the service now
[root@cloud ~]# systemctl stop rpcbind               <== stop the service now
[root@cloud ~]# systemctl disable rpcbind.socket     <== not started on next boot
[root@cloud ~]# systemctl disable rpcbind            <== not started on next boot
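The three bind-address cases above (every interface, loopback only, one specific interface) are what the netstat review is really about. As an added example, not part of the original post, the script below classifies each line of `netstat -tulnp` output by that rule and lists the externally reachable listeners, which are the candidates for the stop/disable procedure just shown. The netstat output embedded in it is constructed, mirroring the listing in the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: classify every listener in
# `netstat -tulnp` output by the address it is bound to (all interfaces,
# loopback only, one specific interface) and list the externally reachable
# ones. The netstat output below is constructed for this example.

# classify_listeners NETSTAT_OUTPUT_FILE
# Prints "scope proto port pid/program" for each tcp/tcp6/udp/udp6 line.
# UDP lines have no State column, so the local address is read from field 4
# and the program from the last field rather than by fixed column position.
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n    = match($4, /:[0-9]+$/)      # last ":port"; also handles ":::22"
            host = substr($4, 1, n - 1)
            port = substr($4, n + 1)
            if (host == "0.0.0.0" || host == "::")
                scope = "all-interfaces"
            else if (host == "127.0.0.1" || host == "::1")
                scope = "loopback"
            else
                scope = "single-interface"
            print scope, $1, port, $NF
        }' "$1"
}

# exposed_listeners NETSTAT_OUTPUT_FILE
# Only the sockets reachable from any network: the ones to close or firewall first.
exposed_listeners() {
    classify_listeners "$1" | awk '$1 == "all-interfaces" { print $2, $3, $4 }'
}

# Constructed sample netstat -tulnp output, in the same layout as the listing above.
SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1594/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1243/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1526/master
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      1243/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1526/master
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1594/dnsmasq
udp        0      0 127.0.0.1:323           0.0.0.0:*                           862/chronyd
udp6       0      0 ::1:323                 :::*                                862/chronyd
EOF

echo "All listeners by scope:"
classify_listeners "$SAMPLE_NETSTAT"
echo "Reachable from outside the host:"
exposed_listeners "$SAMPLE_NETSTAT"
```

On a live host, feed it `netstat -tulnp > /tmp/listen.txt` (or the equivalent `ss -tulnp` after adjusting the column handling) and work through the exposed list with the /etc/services and systemctl steps above.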
- Keep system software up to date
# yum -y update
# vim /etc/crontab
0 3 * * * root /bin/yum -y update
-
Analyse the login logs with logwatch
[root@cloud ~]# yum install logwatch
[root@cloud ~]# sh /etc/cron.daily/0logwatch
[root@cloud ~]# mail
-
firewall
http://linux.vbird.org/linux_server/0250simple_firewall.php
-
Permissions of network services: do not set the permissions of externally exposed services carelessly.
-
Manage service permissions with SELinux
http://linux.vbird.org/linux_server/0210network-secure.php
Based on 鸟哥的私房菜 (Vbird's Linux guide) and suggestions from colleagues at work: http://linux.vbird.org/linux_server/0107cloudandvm.php