Network Attack and Defense - Cloud server under attack (hardening the cloud server)

Based on vbird's Linux guide (鳥哥的私房菜) and suggestions from colleagues at work: http://linux.vbird.org/linux_...php

Logs

The login banner already shows the traces of a brute-force attack: 70 failed attempts since the last successful login, the most recent from 89.46.223.79.

Connecting to 106.12.80.64:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last failed login: Thu Jan 10 19:21:09 CST 2019 from 89.46.223.79 on ssh:notty
There were 70 failed login attempts since the last successful login.
Last login: Thu Jan 10 10:10:18 2019 from 116.228.237.226
root@jonathan-pc:~#

Look at the logs

root@jonathan-pc:~# ls /var/log/
anaconda           cloud-init-output.log  lastlog            messages-20190106  spooler
audit              collectd.log           maillog            qemu-ga            spooler-20181216
boot.log           cron                   maillog-20181216   rhsm               spooler-20181223
boot.log-20181109  cron-20181216          maillog-20181223   sa                 spooler-20181230
boot.log-20181123  cron-20181223          maillog-20181230   samba              spooler-20190106
boot.log-20190109  cron-20181230          maillog-20190106   secure             thttpd.log
btmp               cron-20190106          messages           secure-20181216    tuned
btmp-20190101      dmesg                  messages-20181216  secure-20181223    wtmp
chrony             dmesg.old              messages-20181223  secure-20181230    yum.log
cloud-init.log     grubby                 messages-20181230  secure-20190106    yum.log-20190101

Different IPs keep trying to log in, guessing common account names (cmf, admin, ubnt, arthur, user) as well as root. On RHEL/CentOS, sshd and PAM write these lines to /var/log/secure; on Debian/Ubuntu the same lines go to /var/log/auth.log.

# vi /var/log/secure
Jan  6 03:43:04 localhost sshd[69671]: Invalid user cmf from 121.254.179.140 port 37980                                                                                           
Jan  6 03:43:04 localhost sshd[69671]: input_userauth_request: invalid user cmf [preauth]
Jan  6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): check pass; user unknown
Jan  6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.254.179.140
Jan  6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan  6 03:43:06 localhost sshd[69671]: Received disconnect from 121.254.179.140 port 37980:11: Bye Bye [preauth]
Jan  6 03:43:06 localhost sshd[69671]: Disconnected from 121.254.179.140 port 37980 [preauth]
Jan  6 03:55:17 localhost sshd[70294]: Invalid user admin from 89.46.223.79 port 57882
Jan  6 03:55:17 localhost sshd[70294]: input_userauth_request: invalid user admin [preauth]
Jan  6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): check pass; user unknown
Jan  6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan  6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan  6 03:55:19 localhost sshd[70294]: Received disconnect from 89.46.223.79 port 57882:11: Bye Bye [preauth]
Jan  6 03:55:19 localhost sshd[70294]: Disconnected from 89.46.223.79 port 57882 [preauth]
Jan  6 03:55:21 localhost sshd[70300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79  user=root
Jan  6 03:55:21 localhost sshd[70300]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan  6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan  6 03:55:24 localhost sshd[70300]: Received disconnect from 89.46.223.79 port 60408:11: Bye Bye [preauth]
Jan  6 03:55:24 localhost sshd[70300]: Disconnected from 89.46.223.79 port 60408 [preauth]
Jan  6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan  6 03:55:26 localhost sshd[70305]: Invalid user ubnt from 89.46.223.79 port 35132
Jan  6 03:55:26 localhost sshd[70305]: input_userauth_request: invalid user ubnt [preauth]
Jan  6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): check pass; user unknown
Jan  6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan  6 03:55:27 localhost sshd[70310]: Invalid user arthur from 106.12.209.7 port 33917
Jan  6 03:55:27 localhost sshd[70310]: input_userauth_request: invalid user arthur [preauth]
Jan  6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): check pass; user unknown
Jan  6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.12.209.7
Jan  6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan  6 03:55:28 localhost sshd[70305]: Received disconnect from 89.46.223.79 port 35132:11: Bye Bye [preauth]
Jan  6 03:55:28 localhost sshd[70305]: Disconnected from 89.46.223.79 port 35132 [preauth]
Jan  6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan  6 03:55:29 localhost sshd[70310]: Connection closed by 106.12.209.7 port 33917 [preauth]
Jan  6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800

Hardening the cloud server

Disable root login

Create a normal user first, confirm from a second session that it can log in and use sudo, and only then set PermitRootLogin no and restart sshd; otherwise you lock yourself out of the box.

#useradd david
#passwd david

#visudo
david    ALL=(ALL)   NOPASSWD: ALL

Note that NOPASSWD makes anyone who gets a shell as david root without being asked for anything, so the account is as sensitive as root itself; dropping the NOPASSWD: tag keeps sudo asking for david's password.

#vi /etc/ssh/sshd_config
    #PermitRootLogin yes
    PermitRootLogin no

Change the sshd port

On a host with SELinux enforcing (the default on CentOS/RHEL) sshd may only bind ports labelled ssh_port_t, so register the new port with semanage port -a -t ssh_port_t -p tcp 65214 first, and open it in firewalld and in the cloud provider's security group. Check the file with sshd -t before restarting, and keep the current session open until a login on the new port works. A non-default port only cuts down the automated noise in the log; it is not a substitute for key-only login.

# vi /etc/ssh/sshd_config
    #Port 22
    Port 65214

# systemctl restart sshd

Turn on an iptables blacklist

Drop the source addresses that keep failing authentication. This can be done by hand from /var/log/secure, or automatically with fail2ban, which watches the same log and inserts the rules for you; either way, whitelist your own admin address first.
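As an added example (not part of the original post), here is the manual version of that blacklist: a small shell script that counts "Failed password" lines per source address and prints the iptables rules for addresses at or above a threshold. The sample log lines are constructed from the /var/log/secure excerpt above; the whitelist address 116.228.237.226 is assumed to be the admin's (it is the last successful login in the banner), and the threshold of 3 is an assumption too. On the real host replace the sample with the output of cat /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per source
# address and turn the noisy ones into iptables DROP rules.

# Constructed sample, modelled on the lines /var/log/secure shows above.
SAMPLE_LOG='Jan  6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan  6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan  6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan  6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan  6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan  6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan  6 10:10:18 localhost sshd[70400]: Accepted publickey for david from 116.228.237.226 port 50412 ssh2'

# Addresses that must never be blocked, so a typo in your own password cannot
# lock you out. Assumed to be the admin's address (the last successful login).
WHITELIST="116.228.237.226"

# failed_by_ip: reads sshd log lines on stdin, prints "<count> <ip>", most
# failures first. Only "Failed password" lines count; "Did not receive
# identification string" probes and successful logins are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# blacklist_rules THRESHOLD: prints one iptables rule per address with at least
# THRESHOLD failures, skipping the whitelist. Nothing is executed: review the
# output, then run it as root (and iptables-save if the rules should persist).
blacklist_rules() {
    threshold="$1"
    failed_by_ip | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $WHITELIST " in *" $ip "*) continue ;; esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | blacklist_rules 3
```

With a long blacklist one iptables rule per address gets slow to evaluate; an ipset (ipset create ssh_block hash:ip, a single iptables -I INPUT -m set --match-set ssh_block src -j DROP rule, then ipset add per address) scales better, and fail2ban automates exactly this loop. The cloud security group in front of the VM is a second, independent place to block the same addresses.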

Log in with an 8192-bit RSA key plus passphrase

The "password" here is the passphrase protecting the private key, since password authentication over SSH itself is switched off below. A 4096-bit RSA key is already far beyond anything password guessing can touch; ed25519 keys are shorter and faster and are what ssh-keygen generates by default on recent OpenSSH.

Mind the permissions on the server-side authorized_keys file; they may differ between environments, and in my case they are 004. sshd's StrictModes, on by default, rejects a key file or a ~/.ssh directory that is group- or world-writable, so 700 on ~/.ssh and 600 on authorized_keys is the safe choice. Make sure a key login works from a second session before turning password authentication off:

vi /etc/ssh/sshd_config
    PasswordAuthentication no
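The three sshd_config changes above (PermitRootLogin no, a non-default Port, PasswordAuthentication no) and the authorized_keys permissions, as an added example that is not part of the original post. It assumes a CentOS 7-style host with systemd, SELinux and firewalld; the user name david and port 65214 are the ones used above, and the key line and the sample config are constructed. Only the file-editing functions run when the file is executed; apply_live is what you would run as root on the real host.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent sshd_config hardening
# plus authorized_keys installation with the permissions sshd insists on.

# set_sshd_option FILE KEY VALUE
# Drops every active or commented "KEY ..." line, then puts "KEY VALUE" at the
# top of FILE. sshd uses the first value it sees for a keyword, and a line
# appended after a "Match" block would only apply inside that block, so the
# top of the file is the safe place. Keywords are case-insensitive in sshd.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" 'tolower($0) !~ ("^[# \t]*" tolower(key) "([ \t=]|$)")' "$file"
    } > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keep inode, mode and SELinux label
}

# harden_sshd FILE PORT: the edits from the text. Run only after the non-root
# user can already log in with a key from a second session.
harden_sshd() {
    file="$1"; port="$2"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" Port "$port"
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# StrictModes (default yes) makes sshd ignore a key file that is group- or
# world-writable, so ~/.ssh gets 700 and authorized_keys 600. When run as root
# for another user, follow with: chown -R david:david /home/david/.ssh
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# apply_live PORT: what to run as root on the real host, in this order, from a
# session you keep open until a second login on the new port has succeeded.
apply_live() {
    port="$1"
    harden_sshd /etc/ssh/sshd_config "$port"
    sshd -t || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
    # SELinux only lets sshd bind ports labelled ssh_port_t (-a adds, -m modifies).
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    systemctl restart sshd
    # The cloud provider's security group must allow the port too; that lives outside the VM.
}

# Demo on a throwaway copy of a CentOS-7-style config (constructed), so this
# file runs anywhere. For the real thing, as root: apply_live 65214
demo_cfg=$(mktemp)
printf '#Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n#Match User anoncvs\n' > "$demo_cfg"
harden_sshd "$demo_cfg" 65214
cat "$demo_cfg"
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyNotReal david@example"
ls -la "$demo_home/.ssh"
rm -rf "$demo_cfg" "$demo_home"
```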

Reduce the number of listening network services

Use netstat to list the open ports; the ones to close are mainly those bound to 0.0.0.0:XX and in LISTEN state.

0.0.0.0:XX: bound on every interface, so reachable from the network (:::XX is the IPv6 equivalent, so the tcp6 and udp6 lines count too)

127.0.0.1: reachable only from inside the host itself

192.168.122.1: the libvirt bridge address, serving the virtual machines on this host

[root@cloud ~]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1594/dnsmasq
tcp 0 0 0.0.0.0:22         0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25       0.0.0.0:* LISTEN 1526/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22              :::* LISTEN 1243/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1526/master
udp 0 0 0.0.0.0:59036 0.0.0.0:* 30996/dhclient
udp 0 0 192.168.122.1:53 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 30996/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 862/chronyd
udp6 0 0 :::22527 :::* 30996/dhclient
udp6 0 0 ::1:323 :::* 862/chronyd

Close the services above that are not needed, for example the one listening on port 111 (rpcbind, which only matters if this host serves or mounts NFS):

#1. Find the service that owns the port in /etc/services
[root@cloud ~]# grep ' 111/' /etc/services
sunrpc 111/tcp portmapper rpcbind # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper rpcbind # RPC 4.0 portmapper UDP
#2. Find which unit of that service is running
[root@cloud ~]# systemctl list-unit-files --all | grep portmap
[root@cloud ~]# systemctl list-unit-files --all | grep rpcbind
rpcbind.service                                 enabled
rpcbind.socket                                 enabled
rpcbind.target static
#3. Stop the service and disable it at boot (stop the .socket unit first, otherwise socket activation brings the service straight back)
[root@cloud ~]# systemctl stop rpcbind.socket     <== stop it now
[root@cloud ~]# systemctl stop rpcbind              <== stop it now
[root@cloud ~]# systemctl disable rpcbind.socket  <== not started at next boot
[root@cloud ~]# systemctl disable rpcbind           <== not started at next boot
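To make the "which sockets are exposed" check above repeatable, here is an added example (not part of the original post) that filters netstat -tulnp output down to the listeners bound to the wildcard addresses 0.0.0.0 and ::, leaving out the ports you intend to expose. The sample is constructed from the netstat listing above; on a live host pipe the real output in. ss -tulnp prints different columns, so the awk field numbers would need adjusting for it.

```shell
#!/bin/sh
# Added example, not from the original post: list network-reachable listeners
# from "netstat -tulnp" output, minus an allowlist of expected ports.

# Constructed sample, copied from the netstat listing in the text.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1594/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1526/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1243/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1526/master
udp 0 0 0.0.0.0:59036 0.0.0.0:* 30996/dhclient
udp 0 0 192.168.122.1:53 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 30996/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 862/chronyd
udp6 0 0 :::22527 :::* 30996/dhclient
udp6 0 0 ::1:323 :::* 862/chronyd'

# exposed_listeners [PORT ...]
# Reads netstat -tulnp output on stdin and prints "proto port pid/program" for
# every socket bound to the IPv4 (0.0.0.0) or IPv6 (::) wildcard address,
# except the PORTs given as arguments (the ones you mean to expose, e.g. SSH).
# Sockets on 127.0.0.1, ::1 or a specific interface address are not printed.
# The udp lines have no State column, so the program name is taken from $NF.
exposed_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # "0.0.0.0:111" -> "0.0.0.0", ":::22" -> "::"
            sub(/.*:/, "", port)        # "0.0.0.0:111" -> "111"
            if ((addr == "0.0.0.0" || addr == "::") && index(allow, " " port " ") == 0)
                print $1, port, $NF
        }'
}

# Live use:  netstat -tulnp | exposed_listeners 22
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 22
```

On the sample this leaves rpcbind (111), the dhclient ports and dnsmasq's DHCP port 67; dnsmasq's DNS on 192.168.122.1 and postfix on 127.0.0.1 do not appear because they are not reachable from outside the host. The pid/program column is what feeds the systemctl lookup above.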

Keep the system software up to date

A blanket yum -y update from cron at 03:00 applies every update unattended, including ones that can break a running service; on CentOS 7 the supported alternative is the yum-cron package with update_cmd = security in /etc/yum/yum-cron.conf. A kernel update does nothing until the host is rebooted.

# yum -y update
# vim /etc/crontab
0 3 * * * root /bin/yum -y update

Analyse the login logs with logwatch

Running the daily script by hand mails the report to root, which mail then shows:

[root@cloud ~]# yum install logwatch 
[root@cloud ~]# sh /etc/cron.daily/0logwatch 
[root@cloud ~]# mail

Firewall

http://linux.vbird.org/linux_...

Permissions of network services

Do not grant externally exposed services more permissions than they actually need.

Managing service permissions with SELinux

http://linux.vbird.org/linux_...
