關於sshd一直被暴力攻擊的解決方法 - Linux
By Thomas
at 2011-06-13T12:10
at 2011-06-13T12:10
Table of Contents
其實只要一架好ssh之類的服務, 就會被一直try帳號密碼, 很煩。
網路上有不少人家寫好的script, 其實照著用也行, 但是我想推薦的是sshguard這支
程式。
在linux上, 它可以搭配iptables來防堵。並且有時間到自動解鎖功能, 除了iptables
以外, 也可以搭配hosts.deny之類的。並且在非linux平台上也能好好的支援, 算是蠻
方便的程式...
它主要是常駐在系統裡, 藉由分析(r)syslogd所產生的報表, 來動態更新iptables裡的
清單。廢話不多說, 我來分享一下我的作法...
1. Install:
apt-get install sshguard
2. Add the following lines to your /etc/init.d/rcS:
...
#Create named pipe for rsyslog and sshguard.
mkfifo /var/log/sshguard.fifo
...
3. Insert the following lines on the top of rules in /etc/rsyslog.conf:
...
auth.info;authpriv.info |/var/log/sshguard.fifo
...
4. Modify your iptables initialization script to include a custom chain called
'sshguard':
#Reset iptables.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -Z
#Add custom chain for SSHGuard
iptables -N sshguard
#Route all connections between internet and lan.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
#Default rules:
#1. Drop all incoming connections.
#2. Accept all connections from loopback device.
#3. Accept all connections from ethernet devices.
#4. Accept all connections from wireless lan devices.
#5. Accept all connections from tunnel pseudo devices.
#6. Accept all consequent packets of accepted connections.
#7. Block suckers who tried to brute attack my services.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j sshguard
#Open port 6881 for DHT of BT.
iptables -A INPUT -p tcp -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
#Open port 6890:6899 for BT and 7000:7004 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 6890:7004 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6890:7004 -j ACCEPT
#Open port 443 for OpenVPN.
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
#Open port 21 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#Open port 22 for SSH.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#Start pppoe-relay.
pr_pid=$(ps aux |grep "[0-9] pppoe-relay" |sed {s/\\s\\s*/' '/g} |cut -d' '
-f2)
if [ ! -z $pr_pid ]; then
echo "Stop pppoe-relay."
kill -9 $pr_pid
fi
echo "Start pppoe-relay."
pppoe-relay -C eth1 -S eth0
#Start sshguard
FIFONAME="/var/log/sshguard.fifo"
if [ ! -p $FIFONAME ]; then
echo "Use mkfifo to create $FIFONAME first!"
exit 0
fi
cat_pid=$(ps aux |grep "[0-9] cat.*fifo" |sed {s/\\s\\s*/' '/g} |cut -d' '
-f2)
sg_pid=$(ps aux |grep "[0-9] sshguard" |sed {s/\\s\\s*/' '/g} |cut -d' ' -f2)
if [ ! -z $cat_pid ] || [ ! -z $sg_pid ]; then
echo "Stop sshguard."
[ ! -z $cat_pid ] && kill -9 $cat_pid
[ ! -z $sg_pid ] && kill -9 $sg_pid
fi
echo "Start sshguard."
cat $FIFONAME | sshguard &
exit 0
5. Restart your computer.
反正我的想法很簡單, 先在rcS裡面把rsyslogd跟sshguard要共享的pipe建好, 接下來
把iptables裡要由sshguard來管理的chain給建出來, 最後再執行sshguard就好了。
如果是用更新版的syslogd的話, 好像不用管線也沒問題, 可以直接把log餵給sshguard
的樣子, 但我在rsyslogd裡試過, 辦不到, 一定要用pipe。
最後再試了一下...還蠻正常的的樣子...
--
裸になって
何が悪い?
--
網路上有不少人家寫好的script, 其實照著用也行, 但是我想推薦的是sshguard這支
程式。
在linux上, 它可以搭配iptables來防堵。並且有時間到自動解鎖功能, 除了iptables
以外, 也可以搭配hosts.deny之類的。並且在非linux平台上也能好好的支援, 算是蠻
方便的程式...
它主要是常駐在系統裡, 藉由分析(r)syslogd所產生的報表, 來動態更新iptables裡的
清單。廢話不多說, 我來分享一下我的作法...
1. Install:
apt-get install sshguard
2. Add the following lines to your /etc/init.d/rcS:
...
#Create named pipe for rsyslog and sshguard.
mkfifo /var/log/sshguard.fifo
...
3. Insert the following lines on the top of rules in /etc/rsyslog.conf:
...
auth.info;authpriv.info |/var/log/sshguard.fifo
...
4. Modify your iptables initialization script to include a custom chain called
'sshguard':
#Reset iptables.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -Z
#Add custom chain for SSHGuard
iptables -N sshguard
#Route all connections between internet and lan.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp+ -j MASQUERADE
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
--clamp-mss-to-pmtu
#Default rules:
#1. Drop all incoming connections.
#2. Accept all connections from loopback device.
#3. Accept all connections from ethernet devices.
#4. Accept all connections from wireless lan devices.
#5. Accept all connections from tunnel pseudo devices.
#6. Accept all consequent packets of accepted connections.
#7. Block suckers who tried to brute attack my services.
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j sshguard
#Open port 6881 for DHT of BT.
iptables -A INPUT -p tcp -m tcp --dport 6881 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6881 -j ACCEPT
#Open port 6890:6899 for BT and 7000:7004 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 6890:7004 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 6890:7004 -j ACCEPT
#Open port 443 for OpenVPN.
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
#Open port 21 for FTP.
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#Open port 22 for SSH.
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#Start pppoe-relay.
pr_pid=$(ps aux |grep "[0-9] pppoe-relay" |sed {s/\\s\\s*/' '/g} |cut -d' '
-f2)
if [ ! -z $pr_pid ]; then
echo "Stop pppoe-relay."
kill -9 $pr_pid
fi
echo "Start pppoe-relay."
pppoe-relay -C eth1 -S eth0
#Start sshguard
FIFONAME="/var/log/sshguard.fifo"
if [ ! -p $FIFONAME ]; then
echo "Use mkfifo to create $FIFONAME first!"
exit 0
fi
cat_pid=$(ps aux |grep "[0-9] cat.*fifo" |sed {s/\\s\\s*/' '/g} |cut -d' '
-f2)
sg_pid=$(ps aux |grep "[0-9] sshguard" |sed {s/\\s\\s*/' '/g} |cut -d' ' -f2)
if [ ! -z $cat_pid ] || [ ! -z $sg_pid ]; then
echo "Stop sshguard."
[ ! -z $cat_pid ] && kill -9 $cat_pid
[ ! -z $sg_pid ] && kill -9 $sg_pid
fi
echo "Start sshguard."
cat $FIFONAME | sshguard &
exit 0
5. Restart your computer.
反正我的想法很簡單, 先在rcS裡面把rsyslogd跟sshguard要共享的pipe建好, 接下來
把iptables裡要由sshguard來管理的chain給建出來, 最後再執行sshguard就好了。
如果是用更新版的syslogd的話, 好像不用管線也沒問題, 可以直接把log餵給sshguard
的樣子, 但我在rsyslogd裡試過, 辦不到, 一定要用pipe。
最後再試了一下...還蠻正常的的樣子...
--
裸になって
何が悪い?
--
Tags:
Linux
All Comments
By Irma
at 2011-06-15T12:01
at 2011-06-15T12:01
By Puput
at 2011-06-19T06:38
at 2011-06-19T06:38
By Hazel
at 2011-06-20T05:10
at 2011-06-20T05:10
By Regina
at 2011-06-20T06:49
at 2011-06-20T06:49
By Annie
at 2011-06-23T07:37
at 2011-06-23T07:37
By Emily
at 2011-06-26T01:22
at 2011-06-26T01:22
By William
at 2011-06-28T17:15
at 2011-06-28T17:15
By Ula
at 2011-06-29T19:25
at 2011-06-29T19:25
By Mason
at 2011-07-03T07:01
at 2011-07-03T07:01
By Poppy
at 2011-07-05T19:31
at 2011-07-05T19:31
By Sierra Rose
at 2011-07-08T02:10
at 2011-07-08T02:10
By David
at 2011-07-10T04:23
at 2011-07-10T04:23
By Isla
at 2011-07-14T13:36
at 2011-07-14T13:36
By Heather
at 2011-07-15T16:43
at 2011-07-15T16:43
By Joe
at 2011-07-19T10:36
at 2011-07-19T10:36
By Elma
at 2011-07-21T17:41
at 2011-07-21T17:41
By Michael
at 2011-07-24T07:12
at 2011-07-24T07:12
By Ida
at 2011-07-27T22:55
at 2011-07-27T22:55
By Megan
at 2011-07-30T11:30
at 2011-07-30T11:30
By Xanthe
at 2011-07-31T07:35
at 2011-07-31T07:35
By Dinah
at 2011-08-03T05:07
at 2011-08-03T05:07
By Lucy
at 2011-08-04T11:52
at 2011-08-04T11:52
By Delia
at 2011-08-04T22:06
at 2011-08-04T22:06
By Robert
at 2011-08-06T19:55
at 2011-08-06T19:55
By Caroline
at 2011-08-07T10:01
at 2011-08-07T10:01
By Agnes
at 2011-08-11T16:52
at 2011-08-11T16:52
By Hedwig
at 2011-08-12T18:37
at 2011-08-12T18:37
By Tristan Cohan
at 2011-08-16T14:42
at 2011-08-16T14:42
By Zora
at 2011-08-19T17:08
at 2011-08-19T17:08
By Elizabeth
at 2011-08-21T12:02
at 2011-08-21T12:02
By Delia
at 2011-08-25T06:17
at 2011-08-25T06:17
By Connor
at 2011-08-28T09:30
at 2011-08-28T09:30
By Lily
at 2011-09-02T08:38
at 2011-09-02T08:38
By Sarah
at 2011-09-02T13:46
at 2011-09-02T13:46
Related Posts
apt-build CPU最佳化參數?
By Hazel
at 2011-06-13T00:13
at 2011-06-13T00:13
LXDE ppa更新後垃圾桶看不到任何檔案
By Mia
at 2011-06-12T16:12
at 2011-06-12T16:12
在linux底下影音編輯(WandererM大大推薦的OPENSHOT很好用!)
By Regina
at 2011-06-12T13:45
at 2011-06-12T13:45
請教該如何安裝行列輸入法
By Mason
at 2011-06-12T10:41
at 2011-06-12T10:41
顯示卡驅動問題
By Necoo
at 2011-06-12T02:34
at 2011-06-12T02:34