sshd:root@notty: linux 被暴力登录处理

一、背景

今天打开自己的私有服务器，猛然间发现最近登录失败将近2000次， 登录失败的ip 134.209.236.115 德国法兰克福。一顿吃鲸。。。。

由于我是私有服务器，在进行外网和内网ssh的端口映射时已经提前改为非22端口了，这算是第一道防线。密码设置也相对复杂，所以比较幸运的是，还好还未被攻破，赶紧处理一番

二、常规处理方案
1、修改公网的端口和内网端口映射为不常见的端口(一般ssh端口默认是22)。如果是阿里、腾讯云服务，则可以变更ssh端口为非22端口.同时配置安全策略组。

2、修改root 用户不可远程登录

3、限制ip登录（指定ip可进行远程登录访问服务器）

三、问题处理

1、问题查看

第一步，我之前已经做了，第三部，限制ip登录，对我来讲，由于可能会随时随地使用公司网络、家里的网络、手机公网、或者其他公共区域访问自己的私有服务，故而，限制ip，指定ip 这个方案，对我不太合适。所以接下来主要是针对 第二步进行处理。

在处理前，先查看登录失败的信息，输入命令，发现破解者使用了多种用户进行试登录

lastb  （等同于查看 /var/log/btmp 文件内容）

[root@localhost ~]# lastb

root     ssh:notty    61.238.103.153   Mon Aug  9 03:29 - 03:29  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
debianus ssh:notty    136.144.41.41    Mon Aug  9 02:48 - 02:48  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:44 - 02:44  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:41 - 02:41  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:40 - 02:40  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
support  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
support  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
usuario  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
usuario  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
default  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
default  ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:37 - 02:37  (00:00)
root     ssh:notty    97.90.87.195     Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
admin    ssh:notty    136.144.41.41    Mon Aug  9 02:36 - 02:36  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
ethos    ssh:notty    136.144.41.41    Mon Aug  9 02:32 - 02:32  (00:00)
mos      ssh:notty    136.144.41.41    Mon Aug  9 02:29 - 02:29  (00:00)
mos      ssh:notty    136.144.41.41    Mon Aug  9 02:29 - 02:29  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
user     ssh:notty    136.144.41.41    Mon Aug  9 02:26 - 02:26  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
admin    ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
root     ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
admin    ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
hadoop   ssh:notty    119.8.236.111    Mon Aug  9 01:51 - 01:51  (00:00)
minersta ssh:notty    141.98.10.203    Mon Aug  9 00:15 - 00:15  (00:00)
minersta ssh:notty    141.98.10.203    Mon Aug  9 00:15 - 00:15  (00:00)

查看登录记录文件大小：

[root@localhost ~]# ll -h /var/log/btmp
-rw------- 1 root utmp 40M 8月  19 00:36 /var/log/btmp


# 统计登录
lastb | awk '{ print $3}' | sort | uniq -c | sort -n

2、添加新用户，禁止root 用户远程登录

添加新用户 useradd  newusername

设置密码  passwd  newusername

编辑 vim /etc/sudoers 

在root ALL=(ALL) ALL 下面添加

newusername ALL=(ALL) ALL 或者newusername ALL=(ALL) NOPASSWD:ALL

3、禁止root用户远程登录

vim /etc/ssh/sshd_config

文件中，# PermitRootLogin yes 修改为

PermitRootLogin no

4、重启sshd 服务

低版本centos使用： service sshd restart

高版本centos使用： systemctl restart sshd.service

5、之后远程登录，可以使用 newusername 登录，然后通过

sudo su 切换为root 用户。

以上三种方案：可参看博文：

https://blog.csdn.net/gammey/article/details/80404375