Being brute-forced over SSH

What to do?

Below is the setup I made, on CentOS 7.


  1. In sshd_config, forbid root login and password authentication; allow key authentication only, and protect the key with a passphrase.
  2. Installed the denyhosts tool, plus the fail2ban tool;
  3. Set two ports in sshd_config: 22 and an arbitrary other one;
  4. Added a forward-port with firewall-cmd, redirecting port 22 traffic to port 23 and forwarding port 22 to port 22 of the attacking IP;

The benefit is that /var/log/secure no longer fills with log lines; the attacker cannot connect, and a few "Bad protocol version identification" entries appear, which do no harm.

20180622 update, as follows:

Dropped the denyhosts tool in favour of fail2ban;

Kept the denyhosts tool and added fail2ban;

Added filter rules to /etc/fail2ban/filter.d/sshd.conf (under failregex; `<HOST>` is fail2ban's capture tag for the client address and must appear in each rule):

         # match pre-auth disconnects; <HOST> captures the address that fail2ban will count and ban
         ^%(__prefix_line)sReceived disconnect from <HOST> port .*:11: (Bye Bye)? \[preauth\]$
         ^%(__prefix_line)sDisconnected from <HOST> port .* \[preauth\]$
         ^%(__prefix_line)sConnection closed by <HOST>%(__on_port_opt)s \[preauth\]$
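To check what these three rules actually count before putting them into a jail, here is an added example (not code from the original post) that plays the role of `fail2ban-regex` over a few constructed /var/log/secure lines. It assumes a simplified stand-in for fail2ban's `%(__prefix_line)s` (syslog timestamp, hostname, `sshd[pid]: `), an IPv4-only stand-in for the `<HOST>` tag, and an approximation of `%(__on_port_opt)s`; the real fail2ban definitions are broader. The sample addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Simplified stand-ins for fail2ban's own definitions (assumptions, not fail2ban's code):
# %(__prefix_line)s -> syslog timestamp, hostname, "sshd[pid]: "
# <HOST>            -> IPv4 address only (fail2ban's tag also handles IPv6 and hostnames)
# %(__on_port_opt)s -> optional " port N" / " on X port N" suffix
PREFIX_LINE = r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
ON_PORT_OPT = r"(?: port \d+)?(?: on \S+ port \d+)?"

# The three failregex lines from the post, with the tags substituted.
FAILREGEX = [
    re.compile(PREFIX_LINE + r"Received disconnect from " + HOST + r" port .*:11: (Bye Bye)? \[preauth\]$"),
    re.compile(PREFIX_LINE + r"Disconnected from " + HOST + r" port .* \[preauth\]$"),
    re.compile(PREFIX_LINE + r"Connection closed by " + HOST + ON_PORT_OPT + r" \[preauth\]$"),
]

# Constructed sample log lines: two pre-auth disconnects from one client, one from another,
# one successful key login and one "Bad protocol version identification" line that should
# NOT be counted by these rules.
SAMPLE_LOG = """\
Jun 22 10:01:02 bastion sshd[1234]: Received disconnect from 203.0.113.5 port 51234:11: Bye Bye [preauth]
Jun 22 10:01:03 bastion sshd[1235]: Disconnected from 203.0.113.5 port 51234 [preauth]
Jun 22 10:01:05 bastion sshd[1236]: Connection closed by 198.51.100.7 port 40000 [preauth]
Jun 22 10:01:09 bastion sshd[1237]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2: RSA SHA256:EXAMPLEKEYFINGERPRINT
Jun 22 10:01:10 bastion sshd[1238]: Bad protocol version identification 'x' from 198.51.100.7 port 40001
"""


def match_line(line):
    """Return the client address if any failregex matches the line, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text):
    """Count matching pre-auth disconnects per client address, like fail2ban's per-IP counter."""
    counts = Counter()
    for line in log_text.splitlines():
        host = match_line(line)
        if host:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry):
    """Addresses whose match count reaches maxretry (the jail's threshold); findtime is ignored here."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))   # {'203.0.113.5': 2, '198.51.100.7': 1}
    print(hosts_to_ban(SAMPLE_LOG, 2))  # ['203.0.113.5']
```

On the real box the equivalent check is `fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines each failregex matched; the point of the toy version is to see that only the pre-auth disconnect lines feed the counter, while successful logins and the "Bad protocol version identification" noise do not.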

Added /etc/fail2ban/action.d/firewallcmd-forward.conf (`<ip>` is fail2ban's tag for the banned address):

    [Definition]
    # nothing to set up or tear down: the forward-port rules are managed per ban
    actionstart =
    actionstop =
    actioncheck =
    # ban: clear every existing forward-port in the runtime config (including ones from earlier
    # bans, so only the most recent banned address is forwarded to), then forward inbound
    # port 22 to port 22 of the banned address
    actionban = for p in $(firewall-cmd --list-forward-ports); do firewall-cmd --remove-forward-port="$p"; done; firewall-cmd --add-forward-port=port=22:proto=tcp:toport=22:toaddr=<ip>
    # unban: remove all forward-ports again
    actionunban = for i in $(firewall-cmd --list-forward-ports); do firewall-cmd --remove-forward-port="$i"; done

    [Init]
    # these values are declared but not referenced by the actions above
    name = default
    zone = public
    service = ssh
    blocktype = reject type='icmp-port-unreachable'
