Based on Vbird's Linux notes (鳥哥的私房菜) and suggestions from colleagues at work: http://linux.vbird.org/linux_...php

Traces of brute-force attempts shown at login
```text
Connecting to 106.12.80.64:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Thu Jan 10 19:21:09 CST 2019 from 89.46.223.79 on ssh:notty
There were 70 failed login attempts since the last successful login.
Last login: Thu Jan 10 10:10:18 2019 from 116.228.237.226
root@jonathan-pc:~#
```
Check the logs
```text
root@jonathan-pc:~# ls /var/log/
anaconda            cloud-init-output.log  lastlog           messages-20190106  spooler
audit               collectd.log           maillog           qemu-ga            spooler-20181216
boot.log            cron                   maillog-20181216  rhsm               spooler-20181223
boot.log-20181109   cron-20181216          maillog-20181223  sa                 spooler-20181230
boot.log-20181123   cron-20181223          maillog-20181230  samba              spooler-20190106
boot.log-20190109   cron-20181230          maillog-20190106  secure             thttpd.log
btmp                cron-20190106          messages          secure-20181216    tuned
btmp-20190101       dmesg                  messages-20181216 secure-20181223    wtmp
chrony              dmesg.old              messages-20181223 secure-20181230    yum.log
cloud-init.log      grubby                 messages-20181230 secure-20190106    yum.log-20190101
```
Different IPs keep trying to log in, one after another.
```text
# vi /var/log/secure
Jan 6 03:43:04 localhost sshd[69671]: Invalid user cmf from 121.254.179.140 port 37980
Jan 6 03:43:04 localhost sshd[69671]: input_userauth_request: invalid user cmf [preauth]
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.254.179.140
Jan 6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan 6 03:43:06 localhost sshd[69671]: Received disconnect from 121.254.179.140 port 37980:11: Bye Bye [preauth]
Jan 6 03:43:06 localhost sshd[69671]: Disconnected from 121.254.179.140 port 37980 [preauth]
Jan 6 03:55:17 localhost sshd[70294]: Invalid user admin from 89.46.223.79 port 57882
Jan 6 03:55:17 localhost sshd[70294]: input_userauth_request: invalid user admin [preauth]
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan 6 03:55:19 localhost sshd[70294]: Received disconnect from 89.46.223.79 port 57882:11: Bye Bye [preauth]
Jan 6 03:55:19 localhost sshd[70294]: Disconnected from 89.46.223.79 port 57882 [preauth]
Jan 6 03:55:21 localhost sshd[70300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79 user=root
Jan 6 03:55:21 localhost sshd[70300]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan 6 03:55:24 localhost sshd[70300]: Received disconnect from 89.46.223.79 port 60408:11: Bye Bye [preauth]
Jan 6 03:55:24 localhost sshd[70300]: Disconnected from 89.46.223.79 port 60408 [preauth]
Jan 6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan 6 03:55:26 localhost sshd[70305]: Invalid user ubnt from 89.46.223.79 port 35132
Jan 6 03:55:26 localhost sshd[70305]: input_userauth_request: invalid user ubnt [preauth]
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:27 localhost sshd[70310]: Invalid user arthur from 106.12.209.7 port 33917
Jan 6 03:55:27 localhost sshd[70310]: input_userauth_request: invalid user arthur [preauth]
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.12.209.7
Jan 6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan 6 03:55:28 localhost sshd[70305]: Received disconnect from 89.46.223.79 port 35132:11: Bye Bye [preauth]
Jan 6 03:55:28 localhost sshd[70305]: Disconnected from 89.46.223.79 port 35132 [preauth]
Jan 6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan 6 03:55:29 localhost sshd[70310]: Connection closed by 106.12.209.7 port 33917 [preauth]
Jan 6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800
```
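As an added example (not part of the original post), the Python script below aggregates the `Failed password` and `Invalid user` lines of `/var/log/secure` by source IP, the same message formats the excerpt above shows, so that a noisy source stands out instead of having to be eyeballed. The sample lines are constructed from that excerpt and the threshold of 3 failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Message formats written by sshd (via pam_unix) as seen in /var/log/secure above.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def parse_secure(lines):
    """Return (failed logins per IP, set of usernames tried per IP)."""
    failed = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
            continue
        m = INVALID_RE.search(line)  # username guess that never reached a password
        if m:
            users[m.group("ip")].add(m.group("user"))
    return failed, users

def suspicious_sources(lines, threshold=3):
    """IPs with at least `threshold` failed passwords, most active first."""
    failed, users = parse_secure(lines)
    return [(ip, n, sorted(users[ip])) for ip, n in failed.most_common() if n >= threshold]

# Constructed sample, abbreviated from the /var/log/secure excerpt on the page.
SAMPLE = """\
Jan  6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan  6 03:55:17 localhost sshd[70294]: Invalid user admin from 89.46.223.79 port 57882
Jan  6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan  6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan  6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan  6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, n, names in suspicious_sources(SAMPLE):
        print(f"{ip}: {n} failed logins, usernames tried: {', '.join(names)}")
```

On a real host, pass `open("/var/log/secure")` instead of `SAMPLE`; the rotated `secure-YYYYMMDD` files listed above can be fed in the same way.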
```shell
# useradd david
# passwd david
# visudo
david ALL=(ALL) NOPASSWD: ALL        <== add this line so david can sudo
# vi /etc/ssh/sshd_config
#PermitRootLogin yes                 <== original commented default
PermitRootLogin no                   <== disallow direct root login over SSH
```
```shell
# vi /etc/ssh/sshd_config
#Port 22                             <== original commented default
Port 65214                           <== move sshd to a non-default port
# systemctl restart sshd
```
Watch the read permission on the server-side authorized_keys file; it can differ between environments. Mine is 004.
```shell
vi /etc/ssh/sshd_config
PasswordAuthentication no            <== key-based login only
```
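An added check, not from the original post: it reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, commented lines such as `#PermitRootLogin yes` count as unset) and reports the three settings changed above, PermitRootLogin, Port and PasswordAuthentication, when they are still at their defaults. Match blocks and Include directives are not handled; the WEAK_CONFIG and HARDENED_CONFIG strings are constructed.

```python
import re

# Values the post sets; a missing or commented line means sshd's built-in default applies.
EXPECTED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

def effective_settings(config_text):
    """Map lowercase keyword -> value, keeping only the first uncommented
    occurrence of each keyword (sshd ignores later duplicates).
    Match blocks and Include directives are not handled (simplification)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#PermitRootLogin yes' is a commented default, not a setting
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit_sshd_config(config_text):
    """Return findings for the three settings; an empty list means they match the post."""
    settings = effective_settings(config_text)
    findings = []
    for key, want in EXPECTED.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append(f"{key} not set, sshd default applies")
        elif have.lower() != want:
            findings.append(f"{key} is {have}, expected {want}")
    if settings.get("port", "22") == "22":
        findings.append("Port is 22, the default the post moves away from")
    return findings

# Constructed before/after fragments mirroring the edits made in the post.
WEAK_CONFIG = "#PermitRootLogin yes\n#Port 22\nPasswordAuthentication yes\n"
HARDENED_CONFIG = "PermitRootLogin no\nPort 65214\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

To audit the live file, pass `open("/etc/ssh/sshd_config").read()` to `audit_sshd_config`.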
Use netstat to review the network ports. The ones to close are mainly the services bound to 0.0.0.0:XX that are in the LISTEN state.

0.0.0.0:XX: listening on all interfaces
127.0.0.1: listening only inside this host
192.168.122.1: a service bound to the virtual network device
```text
[root@cloud ~]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1594/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1243/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1526/master
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::22                   :::*                    LISTEN      1243/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1526/master
udp        0      0 0.0.0.0:59036           0.0.0.0:*                           30996/dhclient
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1594/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1594/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           30996/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           862/chronyd
udp6       0      0 :::22527                :::*                                30996/dhclient
udp6       0      0 ::1:323                 :::*                                862/chronyd
```
Close the unused service ports shown above, for example the service on port 111:
```shell
#1. Look up which service the port belongs to in /etc/services
[root@cloud ~]# grep ' 111/' /etc/services
sunrpc          111/tcp    portmapper rpcbind    # RPC 4.0 portmapper TCP
sunrpc          111/udp    portmapper rpcbind    # RPC 4.0 portmapper UDP
#2. Check which unit of that service is running
[root@cloud ~]# systemctl list-unit-files --all | grep portmap
[root@cloud ~]# systemctl list-unit-files --all | grep rpcbind
rpcbind.service    enabled
rpcbind.socket     enabled
rpcbind.target     static
#3. Stop the service and disable it at boot
[root@cloud ~]# systemctl stop rpcbind.socket      <== stop the service right away
[root@cloud ~]# systemctl stop rpcbind             <== stop the service right away
[root@cloud ~]# systemctl disable rpcbind.socket   <== will not start on next boot
[root@cloud ~]# systemctl disable rpcbind          <== will not start on next boot
```
```shell
# yum -y update                      <== update everything now
# vim /etc/crontab
0 3 * * * root /bin/yum -y update    <== and again every day at 03:00
```
```shell
[root@cloud ~]# yum install logwatch
[root@cloud ~]# sh /etc/cron.daily/0logwatch     <== run the daily report once by hand
[root@cloud ~]# mail                             <== the report arrives in root's mailbox
```
http://linux.vbird.org/linux_...
Do not set permissions carelessly on services that are exposed to the outside.