Linux上通过lastb可以查看到登录失败的日志
[root@xxxx ~]# lastb
root ssh:notty 60.173.82.156 Mon Mar 12 06:11 - 06:11 (00:00)
root ssh:notty 60.173.82.156 Mon Mar 12 06:11 - 06:11 (00:00)
root ssh:notty 60.173.82.156 Mon Mar 12 06:11 - 06:11 (00:00)
root ssh:notty 60.173.82.156 Mon Mar 12 06:11 - 06:11 (00:00)
root ssh:notty 60.173.82.156 Mon Mar 12 06:11 - 06:11 (00:00)
root ssh:notty 60.173.82.156 Mon Mar 12 06:10 - 06:10 (00:00)
zhangjun ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
zhangjun ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
centos ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
centos ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
hadoop ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
hadoop ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
centos ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
centos ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:50 - 04:50 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
cgc-admi ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
cgc-admi ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
slide ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
slide ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
nagios ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
nagios ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:49 - 04:49 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
sshusr ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
sshusr ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
root ssh:notty 124.68.10.20 Mon Mar 12 04:48 - 04:48 (00:00)
通过上方显示的结果,有很多机器人在尝试进行登录密码破解.
通过查看/var/log/secure文件,里面基本都是一下数据记录:
Failed password for root from 124.68.10.20 port 41866 ssh2
Received disconnect from 124.68.10.20 port 41866:11: Bye Bye [preauth]
Disconnected from 124.68.10.20 port 41866 [preauth]
password check failed for user (root)
统计有多少ip进行过访问:
grep "Failed password for invalid" /var/log/secure | awk '{print $13}' | sort | uniq -c | sort -nr | more
1359 114.32.120.181
65 35.200.66.214
36 139.219.109.16
21 124.68.10.20
20 185.165.29.183
18 159.203.36.151
16 41.77.222.57
16 125.234.109.148
15 173.249.29.134
14 58.210.42.4
12 51.15.94.6
10 180.100.217.214
6 218.154.96.152
6 211.229.133.133
6 14.116.254.48
6 104.192.1.30
5 5.101.40.10
4 220.191.194.22
3 111.7.177.239
2 5.101.0.51
2 42.200.170.177
2 213.219.154.68
2 188.6.164.245
2 173.249.15.111
1 77.49.135.119
1 58.56.161.30
1 46.246.39.197
1 42.82.183.121
1 41.236.241.147
1 222.187.225.194
1 178.151.27.227
1 175.33.195.179
1 159.226.169.49
1 14.231.241.207
1 116.231.36.138
1 113.163.198.137
统计有多少用户名尝试登录(root用户名统计方式不一样,此处未做统计):
grep "Failed password for invalid" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
141 admin
42 test
40 oracle
37 user
29 postgres
29 joe
27 webuser
27 webadmin
27 web
27 userftp
27 user2
27 tsserver
27 ts3server
27 ts3
27 ts
27 testuser
27 teste
27 teamspeak3
27 teamspeak
27 system
27 sys
27 student
27 search
27 scott
27 rustserver
27 reporter
27 packer
27 mcserver
27 matrix
27 jenkins
27 itadmin
27 gpadmin
27 exploit
27 elasticsearch
27 elastic
27 csgoserver
26 wp-user
26 wp-admin
26 wp
26 user3
26 user1
26 tomcat
26 sshvpn
26 sinusbot
26 python
26 bot
26 bash
26 apache
25 sentry
24 test1
14 mod
9 centos
9 butter
7 pi
6 SP35
6 guest
5 vbox
5 ubnt
4 transfer
4 testing
4 support
4 grid
4 ec2-user
3 zabbix
3 ubuntu
3 temp
3 telnet
安全防范:
- 修改ssh端口,禁止root登录,使用ssh_key登录,禁止空密码等设置如下
编辑/etc/ssh/sshd_config文件,修改以下配置
Port 6666 #随意修改一个端口
PermitRootLogin no #禁止root登录
RSAAuthentication yes #RSA认证
PubkeyAuthentication yes #开启公钥验证
AuthorizedKeysFile .ssh/authorized_keys #验证文件路径
PasswordAuthentication no #禁止密码认证
PermitEmptyPasswords no #禁止空密码
UsePAM no #禁用PAM
/etc/init.d/ssh restart # 重启ssh服务
- 使用denyhosts
DenyHosts是针对SSH服务器的一个基于日志的入侵预防安全工具,是用Python编写的。其通过监测身份验证登录日志中失败的登录尝试,屏蔽这些登录者的IP地址,从而预防对SSH服务器的暴力破解。
通过各个系统的包管理器就可以安装:
$ yum install denyhosts
denyhosts的相关配置项(/etc/denyhosts.conf),如下:
SECURE_LOG = /var/log/secure #ssh 日志文件,系统不同,文件不相同
HOSTS_DENY = /etc/hosts.deny #控制用户登陆的文件
PURGE_DENY = #过多久后清除已经禁止的,空表示永远不解禁
BLOCK_SERVICE = sshd #禁止的服务名,如还要添加其他服务,只需添加逗号跟上相应的服务即可
DENY_THRESHOLD_INVALID = 5 #允许无效用户失败的次数
DENY_THRESHOLD_VALID = 10 #允许普通用户登陆失败的次数
DENY_THRESHOLD_ROOT = 1 #允许root登陆失败的次数
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts #运行目录
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES #是否进行域名反解析
LOCK_FILE = /var/run/denyhosts.pid #程序的进程ID
ADMIN_EMAIL = root@localhost #管理员邮件地址,它会给管理员发邮件
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d #用户的登录失败计数会在多久以后重置为0,(h表示小时,d表示天,m表示月,w表示周,y表示年)
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes #如果一个ip登陆成功后,失败的登陆计数是否重置为0
DAEMON_LOG = /var/log/denyhosts #自己的日志文件
DAEMON_SLEEP = 30s #当以后台方式运行时,每读一次日志文件的时间间隔。
启动命令(yum安装,已默认配好)
service denyhosts start
service denyhosts stop
service denyhosts status
加入自启动
chkconfig denyhosts on
黑名单白名单位置:
vim /etc/hosts.deny
vim /etc/hosts.allow
hosts.allow(hosts.deny同规则),手工添加:
sshd:*.*.*.*