sshd:root@notty: linux 被暴力登录处理

一、背景

今天打开自己的私有服务器,猛然间发现最近登录失败将近2000次, 登录失败的ip 134.209.236.115 德国法兰克福。一顿吃鲸。。。。

由于我是私有服务器,在进行外网和内网ssh的端口映射时已经提前改为非22端口了,这算是第一道防线。密码设置也相对复杂,所以比较幸运的是,还好还未被攻破,赶紧处理一番

二、常规处理方案
1、修改公网的端口和内网端口映射为不常见的端口(一般ssh端口默认是22)。如果是阿里、腾讯云服务,则可以变更ssh端口为非22端口.同时配置安全策略组。

2、修改root 用户不可远程登录

3、限制ip登录(指定ip可进行远程登录访问服务器)

三、问题处理

1、问题查看

第一步,我之前已经做了,第三部,限制ip登录,对我来讲,由于可能会随时随地使用公司网络、家里的网络、手机公网、或者其他公共区域访问自己的私有服务,故而,限制ip,指定ip 这个方案,对我不太合适。所以接下来主要是针对 第二步进行处理。

在处理前,先查看登录失败的信息,输入命令,发现破解者使用了多种用户进行试登录

lastb  (等同于查看 /var/log/btmp 文件内容)

[root@localhost ~]# lastb

root     ssh:notty    61.238.103.153   Mon Aug  9 03:29 - 03:29  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:40 - 02:40  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
support  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
support  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
usuario  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
usuario  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
default  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
default  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
mos      ssh:notty    136.144.41.41    Mon Aug  9 02:29 - 02:29  (00:00)
mos      ssh:notty    136.144.41.41    Mon Aug  9 02:29 - 02:29  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
admin    ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
admin    ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
minersta ssh:notty    141.98.10.203    Mon Aug  9 00:15 - 00:15  (00:00)
minersta ssh:notty    141.98.10.203    Mon Aug  9 00:15 - 00:15  (00:00)

查看登录记录文件大小:


[root@localhost ~]# ll -h /var/log/btmp
-rw------- 1 root utmp 40M 8月  19 00:36 /var/log/btmp


# 统计登录
lastb | awk '{ print $3}' | sort | uniq -c | sort -n

2、添加新用户,禁止root 用户远程登录

添加新用户 useradd  newusername

设置密码  passwd  newusername

编辑 vim /etc/sudoers 

在root ALL=(ALL) ALL 下面添加

newusername ALL=(ALL) ALL 或者newusername ALL=(ALL) NOPASSWD:ALL

3、禁止root用户远程登录

vim /etc/ssh/sshd_config

文件中,# PermitRootLogin yes 修改为

PermitRootLogin no

4、重启sshd 服务

低版本centos使用: service sshd restart

高版本centos使用: systemctl restart sshd.service

5、之后远程登录,可以使用 newusername 登录,然后通过

sudo su 切换为root 用户。

以上三种方案:可参看博文:

https://blog.csdn.net/gammey/article/details/80404375

  • 4
    点赞
  • 8
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
在搭建Hadoop完全分布式集群时,出现"master: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"的错误提示。这个错误提示表明在连接到master节点时,SSH认证被拒绝了。 解决这个问题的方法是将本地的公钥添加到服务器的authorized_keys文件中。可以使用以下命令将公钥追加到authorized_keys文件中: ```shell cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys ``` 这样就可以解决"Permission denied (publickey,gssapi-keyex,gssapi-with-mic)"的错误信息了。 此外,如果遇到"PasswordAuthentication"字段被设置为"no"的情况,可以通过修改ssh配置文件来解决。可以使用以下命令打开ssh配置文件: ```shell sudo vim /etc/ssh/sshd_config ``` 然后找到"PasswordAuthentication"字段,并将其修改为"yes",保存文件并重启sshd服务: ```shell sudo systemctl restart sshd ``` 这样就可以解决"Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)"的问题了。<span class="em">1</span><span class="em">2</span><span class="em">3</span> #### 引用[.reference_title] - *1* *2* [错误:master: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).](https://blog.csdn.net/hsx15777894525/article/details/117899115)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v93^chatsearchT3_2"}}] [.reference_item style="max-width: 50%"] - *3* [Permission denied (publickey,gssapi-keyex,gssapi-with-mic) 解决方法](https://blog.csdn.net/albertjone/article/details/84946557)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v93^chatsearchT3_2"}}] [.reference_item style="max-width: 50%"] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值