Cloud server under attack (hardening the cloud defenses)
Based on VBird's Linux Guide (鸟哥的私房菜) and suggestions from colleagues at work: http://linux.vbird.org/linux_...
Logs
On login, the banner already shows traces of someone brute-forcing the box:
Connecting to 106.12.80.64:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Thu Jan 10 19:21:09 CST 2019 from 89.46.223.79 on ssh:notty
There were 70 failed login attempts since the last successful login.
Last login: Thu Jan 10 10:10:18 2019 from 116.228.237.226
root@jonathan-pc:~#
Check the logs
root@jonathan-pc:~# ls /var/log/
anaconda cloud-init-output.log lastlog messages-20190106 spooler
audit collectd.log maillog qemu-ga spooler-20181216
boot.log cron maillog-20181216 rhsm spooler-20181223
boot.log-20181109 cron-20181216 maillog-20181223 sa spooler-20181230
boot.log-20181123 cron-20181223 maillog-20181230 samba spooler-20190106
boot.log-20190109 cron-20181230 maillog-20190106 secure thttpd.log
btmp cron-20190106 messages secure-20181216 tuned
btmp-20190101 dmesg messages-20181216 secure-20181223 wtmp
chrony dmesg.old messages-20181223 secure-20181230 yum.log
cloud-init.log grubby messages-20181230 secure-20190106 yum.log-20190101
Different IPs keep trying to log in:
# vi /var/log/secure
Jan 6 03:43:04 localhost sshd[69671]: Invalid user cmf from 121.254.179.140 port 37980
Jan 6 03:43:04 localhost sshd[69671]: input_userauth_request: invalid user cmf [preauth]
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:43:04 localhost sshd[69671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=121.254.179.140
Jan 6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan 6 03:43:06 localhost sshd[69671]: Received disconnect from 121.254.179.140 port 37980:11: Bye Bye [preauth]
Jan 6 03:43:06 localhost sshd[69671]: Disconnected from 121.254.179.140 port 37980 [preauth]
Jan 6 03:55:17 localhost sshd[70294]: Invalid user admin from 89.46.223.79 port 57882
Jan 6 03:55:17 localhost sshd[70294]: input_userauth_request: invalid user admin [preauth]
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:17 localhost sshd[70294]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan 6 03:55:19 localhost sshd[70294]: Received disconnect from 89.46.223.79 port 57882:11: Bye Bye [preauth]
Jan 6 03:55:19 localhost sshd[70294]: Disconnected from 89.46.223.79 port 57882 [preauth]
Jan 6 03:55:21 localhost sshd[70300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79 user=root
Jan 6 03:55:21 localhost sshd[70300]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan 6 03:55:24 localhost sshd[70300]: Received disconnect from 89.46.223.79 port 60408:11: Bye Bye [preauth]
Jan 6 03:55:24 localhost sshd[70300]: Disconnected from 89.46.223.79 port 60408 [preauth]
Jan 6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan 6 03:55:26 localhost sshd[70305]: Invalid user ubnt from 89.46.223.79 port 35132
Jan 6 03:55:26 localhost sshd[70305]: input_userauth_request: invalid user ubnt [preauth]
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:26 localhost sshd[70305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.46.223.79
Jan 6 03:55:27 localhost sshd[70310]: Invalid user arthur from 106.12.209.7 port 33917
Jan 6 03:55:27 localhost sshd[70310]: input_userauth_request: invalid user arthur [preauth]
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): check pass; user unknown
Jan 6 03:55:27 localhost sshd[70310]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.12.209.7
Jan 6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan 6 03:55:28 localhost sshd[70305]: Received disconnect from 89.46.223.79 port 35132:11: Bye Bye [preauth]
Jan 6 03:55:28 localhost sshd[70305]: Disconnected from 89.46.223.79 port 35132 [preauth]
Jan 6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan 6 03:55:29 localhost sshd[70310]: Connection closed by 106.12.209.7 port 33917 [preauth]
Jan 6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800
Hardening the cloud defenses
Disable root login
#useradd david
#passwd david
#visudo
david ALL=(ALL) NOPASSWD: ALL
#vi /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no
Change the sshd port
# vi /etc/ssh/sshd_config
#Port 22
Port 65214
# systemctl restart sshd
Enable an iptables blacklist
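Added example, not from the original post: it turns the failed-password lines from the /var/log/secure excerpt above into a per-source count and emits the iptables DROP rules that make up the blacklist this section refers to. The log text is a constructed subset of the lines shown above, and the threshold value is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the /var/log/secure lines quoted above.
SECURE_LOG = """\
Jan 6 03:43:06 localhost sshd[69671]: Failed password for invalid user cmf from 121.254.179.140 port 37980 ssh2
Jan 6 03:55:19 localhost sshd[70294]: Failed password for invalid user admin from 89.46.223.79 port 57882 ssh2
Jan 6 03:55:23 localhost sshd[70300]: Failed password for root from 89.46.223.79 port 60408 ssh2
Jan 6 03:55:25 localhost sshd[70307]: Did not receive identification string from 204.16.193.162 port 38026
Jan 6 03:55:28 localhost sshd[70305]: Failed password for invalid user ubnt from 89.46.223.79 port 35132 ssh2
Jan 6 03:55:29 localhost sshd[70310]: Failed password for invalid user arthur from 106.12.209.7 port 33917 ssh2
Jan 6 03:55:30 localhost sshd[70313]: Invalid user user from 89.46.223.79 port 37800
"""

# Matches "Failed password for [invalid user ]NAME from IP port N ssh2";
# both unknown users and real accounts such as root are captured.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def failed_logins(log_text):
    """Return {source_ip: Counter of usernames} for every failed-password line."""
    by_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            by_ip[ip][user] += 1
    return by_ip

def blacklist(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, most active first (threshold is an assumed value)."""
    totals = {ip: sum(c.values()) for ip, c in failed_logins(log_text).items()}
    return [ip for ip, n in sorted(totals.items(), key=lambda kv: -kv[1]) if n >= threshold]

def iptables_rules(ips):
    """One DROP rule per IP; -I inserts at the top of INPUT so the DROP is hit before any ACCEPT."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]

if __name__ == "__main__":
    for ip, users in failed_logins(SECURE_LOG).items():
        print(ip, dict(users))
    print("\n".join(iptables_rules(blacklist(SECURE_LOG))))
```

The threshold is low only because the excerpt is short; on a live host feed the whole file, and note that fail2ban automates exactly this read-count-block loop.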
Log in with an RSA 8192-bit key plus password
Mind the read permissions on the server-side authorized_keys file; they may differ between environments. Mine are 004.
vi /etc/ssh/sshd_config
PasswordAuthentication no
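Added example, not from the original post: a small audit that reads an sshd_config the way sshd does (comments skipped, keywords case-insensitive, the first value for a keyword wins) and checks the three settings changed in this section. Both config texts are constructed; the WEAK one shows why the post comments out the old line instead of just appending a new one.

```python
# Constructed sample: "PermitRootLogin no" was appended below a still-active
# "PermitRootLogin yes", so sshd keeps using "yes".
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""

# Constructed sample following the edits shown in this post.
HARDENED = """\
#Port 22
Port 65214
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no"}

def effective_options(config_text):
    """Parse like sshd: skip blanks/comments, lowercase keywords, first occurrence
    wins, and stop at the first Match block (its settings are conditional)."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in opts:
            opts[key] = parts[1].strip()
    return opts

def audit(config_text):
    """Return a list of findings; an empty list means the config meets EXPECTED."""
    opts = effective_options(config_text)
    findings = []
    for key, want in EXPECTED.items():
        got = opts.get(key)
        if got is None:
            findings.append("%s not set (sshd default applies)" % key)
        elif got.lower() != want:
            findings.append("%s is %r, expected %r" % (key, got, want))
    if opts.get("port", "22") == "22":
        findings.append("sshd still on port 22")
    return findings
```

Run `sshd -t` to syntax-check the file, keep the current session open while restarting sshd, and confirm key-only login on the new port from a second session before closing it. On an SELinux-enforcing host the new port must also be allowed (`semanage port -a -t ssh_port_t -p tcp 65214`) and opened in the cloud security group, or the restart locks you out.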
Reduce the number of network service ports
Use netstat to list the network ports. The ones to close are mainly those bound to 0.0.0.0:XX in the LISTEN state:
0.0.0.0:XX: open on all interfaces
127.0.0.1: open only to this host itself
192.168.122.1: serves the virtual devices
[root@cloud ~]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1594/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1526/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1243/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1526/master
udp 0 0 0.0.0.0:59036 0.0.0.0:* 30996/dhclient
udp 0 0 192.168.122.1:53 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 30996/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 862/chronyd
udp6 0 0 :::22527 :::* 30996/dhclient
udp6 0 0 ::1:323 :::* 862/chronyd
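Added example, not part of the original post: a parser for the netstat -tulnp output above that lists the sockets bound on all interfaces (0.0.0.0 or ::), i.e. the ones this section says to review and close. The output text is the page's own, embedded as a constant; the allow-list of programs to keep is an assumption.

```python
# The netstat -tulnp output shown above, embedded as sample input.
NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1594/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1243/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1526/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 1243/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1526/master
udp 0 0 0.0.0.0:59036 0.0.0.0:* 30996/dhclient
udp 0 0 192.168.122.1:53 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1594/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 30996/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 862/chronyd
udp6 0 0 :::22527 :::* 30996/dhclient
udp6 0 0 ::1:323 :::* 862/chronyd
"""

WILDCARD = {"0.0.0.0", "::"}   # bound on every interface, i.e. reachable from outside

def listening_sockets(netstat_text):
    """Yield (proto, host, port, program). UDP rows have no State column, so the
    local address is taken by position from the left and the program from the right."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue                      # banner and header lines
        host, port = f[3].rsplit(":", 1)  # ':::111' -> ('::', '111'), '::1:25' -> ('::1', '25')
        program = f[-1].split("/", 1)[-1] # '1/systemd' -> 'systemd'
        yield f[0], host, int(port), program

def exposed_services(netstat_text, allowed=("sshd",)):
    """{(proto, port): program} for sockets open on all interfaces whose program
    is not on the allow-list (assumed: only sshd is meant to face the internet)."""
    exposed = {}
    for proto, host, port, program in listening_sockets(netstat_text):
        if host in WILDCARD and program not in allowed:
            exposed.setdefault((proto.rstrip("6"), port), program)  # merge v4/v6
    return exposed

if __name__ == "__main__":
    for (proto, port), program in sorted(exposed_services(NETSTAT).items()):
        print("%s/%d %s" % (proto, port, program))
```

Port 111 is reported as owned by systemd because rpcbind.socket is socket-activated, which is exactly why the next step looks the port up in /etc/services and then in systemctl to find the unit to stop. On current distributions `ss -tulnp` prints the same information in a near-identical layout.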
Close the unused service ports above, for example the service on port 111:
#1. Find the service that owns the port in /etc/services
[root@cloud ~]# grep ' 111/' /etc/services
sunrpc 111/tcp portmapper rpcbind # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper rpcbind # RPC 4.0 portmapper UDP
#2. Check which of the matching services is running
[root@cloud ~]# systemctl list-unit-files --all | grep portmap
[root@cloud ~]# systemctl list-unit-files --all | grep rpcbind
rpcbind.service enabled
rpcbind.socket enabled
rpcbind.target static
#3. Stop the service and disable it at boot
[root@cloud ~]# systemctl stop rpcbind.socket <== stop the service now
[root@cloud ~]# systemctl stop rpcbind <== stop the service now
[root@cloud ~]# systemctl disable rpcbind.socket <== will not start on the next boot
[root@cloud ~]# systemctl disable rpcbind <== will not start on the next boot
Keep system software up to date
# yum -y update
# vim /etc/crontab
0 3 * * * root /bin/yum -y update
Analyse the log files with logwatch
[root@cloud ~]# yum install logwatch
[root@cloud ~]# sh /etc/cron.daily/0logwatch
[root@cloud ~]# mail
Firewall
http://linux.vbird.org/linux_...
Permissions of network services
Do not set the permissions of externally exposed services carelessly.