Installing the sshd service from the yum repositories
Client side: openssh-clients.x86_64
Server side: openssh-server.x86_64
Is there a difference between OpenSSH and sshd?
They are two different things: the software package is called openssh (openssh-server carries the daemon), while the service you start at boot is called sshd.
[root@server1 ~]# rpm -ql openssh ###list the files installed by the package
/etc/ssh ###the configuration directory
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ctr-cavstest
/usr/libexec/openssh/ssh-keysign
[root@server1 kiosk]# cd /etc/ssh/
[root@server1 ssh]# ll
total 276
-rw-r--r--. 1 root root 242153 Sep 7 2016 moduli
-rw-r--r--. 1 root root 2208 Sep 7 2016 ssh_config ##client configuration file
-rw-------. 1 root root 4361 Sep 7 2016 sshd_config ##server configuration file (mode 600, readable by root only; keep it that way)
[root@server1 ssh]# systemctl start sshd ##start the service
[root@server1 ssh]# systemctl enable sshd ##always enable it at boot
Note: whenever you set up a service like this, enable it at boot; otherwise the first reboot leaves the machine without remote access.
[root@server1 ssh]# systemctl status sshd ###check the service state
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-10-24 11:20:35 CST; 1h 20min ago
Docs: man:sshd(8)
man:sshd_config(5)
Checking the state of services on a RHEL/CentOS 7 (systemd) system:
[root@server1 ~]# systemctl list-unit-files | grep sshd
sshd-keygen.service static
sshd.service enabled ##starts at boot
sshd@.service static
sshd.socket disabled
Note: on RHEL/CentOS 6 the equivalent command is chkconfig --list
Hands-on:
Environment: server1 (172.25.2.1) is the server, server2 (172.25.2.2) is the client
[root@server2 ~]# ssh root@172.25.2.1
The authenticity of host '172.25.2.1 (172.25.2.1)' can't be established.
ECDSA key fingerprint is 0a:e9:f9:09:98:14:7c:73:5c:7c:f2:1b:cf:f5:d7:8b.
Are you sure you want to continue connecting (yes/no)? ##on the first connection the client asks you to confirm the server's host key fingerprint; once accepted it is stored in ~/.ssh/known_hosts and the question is not asked again for this host. Answering yes without looking is trust-on-first-use: to verify properly, compare the fingerprint with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on server1 over the console or another trusted channel (add -E md5 if your client prints the colon-separated MD5 form shown here). If a known host later presents a different fingerprint, do not accept it until you know why.
Type yes, then you are prompted for the password
root@172.25.2.1's password:
Last login: Thu Oct 24 12:28:36 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]#
After entering the password we are logged in to server1
Key topic: tuning sshd and defending it against brute force
In the configuration file many lines begin with #
Every line that starts with # is a comment and has no effect by itself. Lines written as "#Port 22", with no space after the #, are a documentation convention: they show the compiled-in default, which is what is in effect as long as the directive stays commented out. Lines with a space after the # ("# some text") are ordinary explanatory comments. To change a setting, uncomment the line and edit its value, or add an uncommented line; if a directive appears more than once, sshd uses the first uncommented value it finds. You can see what is really in effect with sshd -T (prints the full effective configuration) and check a file for errors with sshd -t before restarting.
[root@server1 ~]# vim /etc/ssh/sshd_config ##edit the server configuration file
#Port 22 ##sshd listens on port 22 by default
[root@server1 ~]# netstat -antlp | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 882/sshd
tcp6 0 0 :::22 :::* LISTEN 882/sshd
On production servers the port is usually changed
Port 3389 ##changed to a non-default port (the tutorial picks 3389; since that is the well-known RDP port, an unused high port is a better choice)
Restart sshd (systemctl restart sshd) for the change to take effect. On a system with SELinux enforcing, sshd may only bind to ports labelled ssh_port_t, so first run semanage port -a -t ssh_port_t -p tcp 3389 (-m instead of -a if the port already carries a label), and open the port in firewalld (firewall-cmd --permanent --add-port=3389/tcp; firewall-cmd --reload). Moving the port only cuts the noise from automated scanners; it is not a substitute for key-only authentication.
[root@server1 ~]# netstat -antlp | grep sshd
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 2598/sshd
tcp6 0 0 :::3389 :::*
From the client, you can no longer connect without knowing the port; use -p to specify it
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused
[root@server2 ~]# ssh root@172.25.2.1 -p 3389
root@172.25.2.1's password:
Last login: Thu Oct 24 13:05:19 2019 from foundation60.ilt.exmaple.com
[root@server1 ~]#
#ListenAddress 0.0.0.0
ListenAddress 0.0.0.0
Sets the IP address sshd binds to; 0.0.0.0 means listen on every IPv4 address (the companion line "ListenAddress ::" does the same for IPv6).
Company servers usually have at least two interfaces, one facing the internet and one on the internal network.
If only hosts on the internal network should be able to reach this server over ssh, set ListenAddress to the address of the internal interface. The directive takes an address, not a network range; repeat the line to listen on several addresses.
These are the host key files; do not edit them (the sshd-keygen service creates them on first start, and the private keys must stay mode 600, owned by root)
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#LoginGraceTime 2m ##maximum time allowed to complete a login, default 2 minutes
[root@server2 ~]# ssh root@172.25.2.1
root@172.25.2.1's password: ##nothing is typed; if no password arrives within the grace period (two minutes here) the server closes the connection. A shorter value such as 30s frees the connection slots that unauthenticated scanners would otherwise hold open.
#PermitRootLogin yes ###whether root may log in directly
PermitRootLogin no ##root can no longer log in directly; log in as an unprivileged user and use su or sudo instead (OpenSSH 7.0 and later also accept prohibit-password, which allows root only with a key)
AuthorizedKeysFile .ssh/authorized_keys ##the file listing the public keys accepted for a user, relative to the user's home directory
PasswordAuthentication yes ###whether password authentication is allowed
There are two ways to log in: with a password or with a key
Note: only change this to no after key authentication has been set up and tested, and keep your current session open while you test a fresh login from another terminal; otherwise you lock yourself out of the machine.
#PrintMotd yes ##print the message of the day at login
[root@server1 ~]# vim /etc/motd ###edit the file
[root@server1 ~]# cat /etc/motd
WELCOME
Now connect again from the client:
[root@server2 ~]# ssh root@172.25.2.1
root@172.25.2.1's password:
Last login: Thu Oct 24 19:17:41 2019 from foundation60.ilt.exmaple.com
WELCOME ###the login message
[root@server1 ~]#
#PrintLastLog yes ##print the time and origin of the previous login
Last login: Thu Oct 24 13:14:08 2019 from server2 ##the previous login came from server2
In production, if one day you log in over ssh and the previous login is shown from an address you do not recognise (a lookup puts it in a country you have no users in, say), treat the account as possibly compromised: check /var/log/secure and the output of last and lastb for that address before doing anything else. This is exactly why PrintLastLog should stay enabled.
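The following helper is an added example (not code from this tutorial or from OpenSSH) that encodes the rules just described for editing sshd_config: a "#Key value" line is only a documented default, an uncommented line overrides it, and when a directive appears twice the first active value wins. The function names (effective, set_directive, harden, syntax_check) are mine, the sample file is constructed to resemble the RHEL 7 shipped file, and the code assumes the directives it touches come before any Match block. It only runs sshd -t when sshd is installed.

```python
"""Added example, not code from the original tutorial: apply the sshd_config
rules described above.
  * A line starting with '#' is a comment.  "#Port 22" (no space after the #)
    documents the compiled-in default; it configures nothing until uncommented.
  * If a directive appears more than once, sshd uses the FIRST uncommented
    value (sshd_config(5)), so later duplicates are neutralised here.
Assumption: directives are set before any 'Match' block (Match is not handled).
"""
import re
import subprocess

# Constructed sample modelled on the RHEL 7 shipped file; not a real host's file.
SAMPLE_CONFIG = """\
# This is the sshd server system-wide configuration file.
#Port 22
#ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_rsa_key
#LoginGraceTime 2m
#PermitRootLogin yes
#MaxAuthTries 6
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
"""

# "#Key value" -> documented default, "Key value" / "Key=value" -> active setting.
# "# free text" (space after the #) does not match and is a plain comment.
DIRECTIVE_RE = re.compile(
    r"^(?P<comment>#?)(?P<key>[A-Za-z][A-Za-z0-9]*)[ \t=]+(?P<value>\S.*?)\s*$")


def effective(text):
    """Map lowercased keyword -> (value, 'explicit' | 'default'); first active wins."""
    result = {}
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if not m:
            continue
        key = m["key"].lower()                 # keywords are case-insensitive
        if m["comment"]:
            result.setdefault(key, (m["value"], "default"))
        elif result.get(key, (None, "default"))[1] == "default":
            result[key] = (m["value"], "explicit")
    return result


def set_directive(text, key, value):
    """Return text with 'key value' active exactly once: the first line naming the
    keyword (active line or '#Key' marker) is replaced, later active duplicates
    are commented out so they cannot shadow it, or the line is appended."""
    out, placed = [], False
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.strip())
        if m and m["key"].lower() == key.lower():
            if not placed:
                out.append(f"{key} {value}")
                placed = True
                continue
            if not m["comment"]:
                out.append("#" + raw.strip())  # duplicate: first value would win
                continue
        out.append(raw)
    if not placed:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


HARDENING = [
    ("PermitRootLogin", "no"),    # log in unprivileged, then su/sudo
    ("MaxAuthTries", "3"),        # fewer guesses per connection
    ("LoginGraceTime", "30"),     # drop idle unauthenticated connections quickly
    ("X11Forwarding", "no"),
]


def harden(text, port=22, keys_verified=False):
    """Apply the tuning from the tutorial.  PasswordAuthentication is switched off
    only when the caller confirms key login has been tested (lock-out warning above)."""
    text = set_directive(text, "Port", str(port))
    for key, value in HARDENING:
        text = set_directive(text, key, value)
    if keys_verified:
        text = set_directive(text, "PasswordAuthentication", "no")
    return text


def syntax_check(path):
    """Run 'sshd -t -f path' (needs root to read host keys); returns (ok, message),
    with ok None when sshd is not installed where this runs."""
    try:
        proc = subprocess.run(["sshd", "-t", "-f", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None, "sshd not found"
    return proc.returncode == 0, proc.stderr.strip()


if __name__ == "__main__":
    hardened = harden(SAMPLE_CONFIG, port=3389)
    for key, (value, state) in sorted(effective(hardened).items()):
        print(f"{key:24} {value:28} ({state})")
    # On a real host: write to a copy, syntax_check(copy), label the port for
    # SELinux and open it in firewalld, and only then systemctl restart sshd.
```

Run it on a copy of /etc/ssh/sshd_config, diff the result against the original, and keep an existing session open while you restart sshd and test a new login.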
Logging in with a key
Setup: server2 logs in to server1 without a password
1: Generate a key pair on the client with ssh-keygen
[root@server2 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ###where the key is stored; normally keep the default
Enter passphrase (empty for no passphrase): ###with an empty passphrase anyone who copies id_rsa can use it; for interactive use set one and let ssh-agent cache it
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. ###the private key; it never leaves the client
Your public key has been saved in /root/.ssh/id_rsa.pub. ###the public key; this is what goes to the server
The key fingerprint is:
51:26:29:6e:88:b6:9f:0d:21:86:e7:7c:7b:c5:a9:10 root@server2
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| . .+ |
| . . o .. |
|. * E o . |
| * o + .S. |
| + + + |
| o * o |
| + + |
| . |
+-----------------+
[root@server2 ~]# cd /root/.ssh/
[root@server2 .ssh]# ls
id_rsa id_rsa.pub known_hosts
Note: ssh-keygen keeps these under the hidden directory ~/.ssh. What protects them is not that they are hidden but that ~/.ssh is mode 700, the private key id_rsa is mode 600, and the private key stays on the client.
2: Copy the public key to the server
[root@server2 .ssh]# ssh-copy-id -i 172.25.2.1 ##the explicit form is ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.25.2.1
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.2.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '172.25.2.1'"
and check to make sure that only the key(s) you wanted were added.
3: Check on the server
[root@server1 ~]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys ###this file holds the content of id_rsa.pub; if you do not use ssh-copy-id, append the content of id_rsa.pub (one key per line) to ~/.ssh/authorized_keys on the server yourself
Note: when copying by hand, check the permissions: authorized_keys should be 600 and the ~/.ssh directory 700, both owned by the user. With StrictModes yes (the default) sshd silently ignores the file if it, ~/.ssh or the home directory is writable by group or others, and you get a password prompt instead of a key login.
[root@server1 .ssh]# ll
total 4
-rw------- 1 root root 394 Oct 24 19:44 authorized_keys
4: Password-less login now works
[root@server2 ~]# ssh root@172.25.2.1
Last login: Thu Oct 24 19:24:37 2019 from server2
WELCOME
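The code below is an added example, not part of this tutorial and not how ssh-copy-id is implemented: it performs the manual alternative just described (append id_rsa.pub to ~/.ssh/authorized_keys with the right modes, without duplicating keys) and reproduces the check sshd makes under StrictModes, so you can see why a hand-copied key is sometimes ignored. The function names install_key, strict_modes_problems, is_valid_pubkey, new_home and run_demo are mine, and the key line is constructed to have the right shape; it is not a real key.

```python
"""Added example, not code from the original tutorial or from OpenSSH: install a
public key by hand and check what sshd's StrictModes (default yes) requires:
the home directory, ~/.ssh and authorized_keys must be owned by the user or
root and must not be group- or world-writable.  If that fails sshd ignores the
file and falls back to asking for a password."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed: correct shape for an ed25519 key line, but not a real key.
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBlobNotARealKey0123456789abcd "
                 "root@server2")

PUBKEY_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$")


def is_valid_pubkey(line):
    """True if line looks like one OpenSSH public key entry."""
    return PUBKEY_RE.match(line.strip()) is not None


def install_key(home, pubkey_line):
    """Append one public key to HOME/.ssh/authorized_keys (no duplicates) and set the
    modes sshd expects.  Returns True if appended, False if already present."""
    pubkey_line = pubkey_line.strip()
    if not is_valid_pubkey(pubkey_line):
        raise ValueError("not an OpenSSH public key line: " + pubkey_line[:40])
    sshdir = Path(home) / ".ssh"
    sshdir.mkdir(mode=0o700, exist_ok=True)
    sshdir.chmod(0o700)                    # mkdir is subject to umask; be explicit
    ak = sshdir / "authorized_keys"
    lines = ak.read_text().splitlines() if ak.exists() else []
    # A key's identity is (type, blob); the trailing comment may legitimately differ.
    known = {tuple(l.split()[:2]) for l in lines if l.strip() and not l.startswith("#")}
    added = tuple(pubkey_line.split()[:2]) not in known
    if added:
        with ak.open("a") as fh:
            fh.write(pubkey_line + "\n")
    ak.chmod(0o600)
    return added


def strict_modes_problems(home, uid=None):
    """List what sshd's StrictModes check would reject for this home directory.
    An empty list means authorized_keys would be accepted."""
    uid = os.getuid() if uid is None else uid
    sshdir = Path(home) / ".ssh"
    problems = []
    for path in (Path(home), sshdir, sshdir / "authorized_keys"):
        try:
            st = path.stat()
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not the user or root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    return problems


def new_home():
    """A throw-away directory standing in for /root on server1."""
    return tempfile.mkdtemp()


def run_demo(home=None):
    """Exercise install_key and the StrictModes check, including the classic
    'chmod 666 authorized_keys' mistake; returns what happened."""
    home = home or new_home()
    result = {
        "added_first": install_key(home, SAMPLE_PUBKEY),
        "added_again": install_key(home, SAMPLE_PUBKEY),
        "problems_before": strict_modes_problems(home),
    }
    ak = Path(home) / ".ssh" / "authorized_keys"
    result["mode"] = stat.S_IMODE(ak.stat().st_mode)
    result["key_lines"] = sum(1 for l in ak.read_text().splitlines() if l.startswith("ssh-"))
    ak.chmod(0o666)                        # the mistake that makes sshd ignore the file
    result["problems_after_chmod"] = strict_modes_problems(home)
    ak.chmod(0o600)
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

On a real server run install_key as the target user with home set to that user's home directory; if strict_modes_problems reports anything, that is the reason the key is ignored, and "sshd -T | grep strictmodes" confirms the check is active.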
Protecting sshd with the open-source tool fail2ban
Official site: www.fail2ban.org
It can also be installed from the yum repositories (EPEL); the steps below build it from the source tarball
1: Get the tarball from the official site
[root@server1 ~]# ls
docker fail2ban-0.8.14.tar.gz
2: Extract it under /usr/local/
[root@server1 ~]# tar zxf fail2ban-0.8.14.tar.gz -C /usr/local/
[root@server1 ~]# cd /usr/local/
[root@server1 local]# ls
bin fail2ban-0.8.14 include lib64 sbin src
etc games lib libexec share
3: Read README.md; open-source projects normally ship a file like this with the instructions
[root@server1 fail2ban-0.8.14]# vim README.md
To install, just do:
tar xvfj fail2ban-0.8.12.tar.bz2
cd fail2ban-0.8.12
python setup.py install
4: Install (fail2ban is written in Python; the 0.8 series needs Python 2.4 or newer)
[root@server1 fail2ban-0.8.14]# python -V ###check the Python version
Python 2.7.5
[root@server1 fail2ban-0.8.14]# python setup.py install
They are in /etc/fail2ban/. ###the configuration directory
5: Go back to the source directory and look for the service start script
[root@server1 fail2ban]# cd -
/usr/local/fail2ban-0.8.14
[root@server1 fail2ban-0.8.14]# ls
build DEVELOP fail2ban-testcases-all README.md THANKS
ChangeLog doc files README.Solaris TODO
client fail2ban-client FILTERS server
common fail2ban-regex kill-server setup.cfg
config fail2ban-server man setup.py
COPYING fail2ban-testcases MANIFEST testcases
[root@server1 fail2ban-0.8.14]# cd files/
[root@server1 files]# ls
bash-completion gen_badbots nagios
cacti gentoo-confd redhat-initd
fail2ban-logrotate gentoo-initd solaris-fail2ban.xml
fail2ban.service ipmasq-ZZZzzz_fail2ban.rul solaris-svc-fail2ban
fail2ban-tmpfiles.conf macosx-initd suse-initd
6: Copy the init script into the system init directory
[root@server1 files]# cp redhat-initd /etc/rc.d/init.d/fail2ban
Aside: with so many files in the directory, how do we know redhat-initd is the start script?
[root@server1 fail2ban-0.8.14]# grep chkconfig ./* -R --color ###a SysV init script carries a "chkconfig: <runlevels> <start> <stop>" header
./files/redhat-initd:# chkconfig: - 92 08
(The same directory also ships fail2ban.service, a native systemd unit, as an alternative to the SysV script on a systemd host.)
7: Enable it at boot
[root@server1 files]# chkconfig --add fail2ban
Worked case: 3 failed ssh password attempts within 5 minutes ban the source IP for one hour; after the hour the ban is lifted automatically and the user can log in again
sshd log file: /var/log/secure
Edit the configuration: the [ssh-iptables] jail in jail.conf (fail2ban reads jail.local after jail.conf, so the same lines can go there and survive an upgrade)
enabled = true ###enable the jail by setting this to true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
If you want the server to e-mail you when it is being brute-forced, change dest= to your own address; this requires sendmail to be installed and running on the server. Otherwise remove the sendmail-whois line.
logpath = /var/log/secure ###the sshd log on RHEL (the shipped default, /var/log/sshd.log, does not exist there); fail2ban works purely by watching this log
maxretry = 3 ##number of failed attempts allowed
findtime = 300 ##the window in which they must occur: 300 seconds is the 5 minutes from the goal above (3600 here would be one hour)
bantime = 3600 ##ban for one hour
8: Restart the service
[root@server1 fail2ban]# systemctl restart fail2ban
[root@server1 fail2ban]# systemctl status fail2ban
● fail2ban.service - LSB: Start/Stop fail2ban
Loaded: loaded (/etc/rc.d/init.d/fail2ban; bad; vendor preset: disabled)
Active: active (running) since Thu 2019-10-24 20:28:34 CST; 26min ago
Docs: man:systemd-sysv-generator(8)
[root@server1 fail2ban]# systemctl enable fail2ban
fail2ban.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig fail2ban on ###now in the boot-time start list (systemd wraps the SysV script through systemd-sysv-generator, which is why there is no native unit file)
9: fail2ban has added its own firewall chain
[root@server1 fail2ban]# iptables -nvL
Chain INPUT (policy ACCEPT 30 packets, 2100 bytes)
pkts bytes target prot opt in out source destination
30 2100 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 17 packets, 1482 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
30 2100 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
The INPUT rule sends every packet for tcp port 22 through the fail2ban-SSH chain (port=ssh in the jail's action is resolved to 22 through /etc/services). A ban is a rule for the offending source address inserted at the top of that chain; the chain ends with RETURN, so traffic from everyone else continues through INPUT. If sshd listened on another port this jump rule would never match and the bans would have no effect (see scenario 2 below).
10: To make the test simpler, remove the key file on the server so that password prompts come back
[root@server1 fail2ban]# cd /root/.ssh/
[root@server1 .ssh]# ls
authorized_keys
[root@server1 .ssh]# rm -rf authorized_keys
11: Run the test
[root@server2 ~]# ssh root@172.25.2.1 ###after three wrong passwords there is no further chance to log in
root@172.25.2.1's password:
Permission denied, please try again.
root@172.25.2.1's password:
Permission denied, please try again.
root@172.25.2.1's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@server2 ~]# ssh root@172.25.2.1
ssh: connect to host 172.25.2.1 port 22: Connection refused ###"Connection refused" rather than a timeout shows the ban rule rejects the packet instead of dropping it (the iptables action's default blocktype is REJECT --reject-with icmp-port-unreachable)
[root@server2 ~]#
12: Check on the server
[root@server1 .ssh]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 3
`- action
|- Currently banned: 1
| `- IP list: 172.25.2.2
`- Total banned: 1
[root@server1 log]# cat /var/log/secure ###the log lines fail2ban matched ("Failed password for ... from <ip>"); "Currently failed: 0" above is because the counted failures are cleared once the ban is issued
Oct 24 21:01:10 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:11 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:14 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:16 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:18 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:20 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Connection closed by 172.25.2.2 [preauth]
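To see what fail2ban is doing with these lines, here is an added example (not fail2ban's own code) that replays the counting rule configured above: maxretry failures from one address within findtime produce a ban for bantime, after which the address is released automatically. The regex is a cut-down version of fail2ban's sshd filter, the log is constructed for the example (modelled on the lines just shown, plus a scanner that spaces its attempts ten minutes apart and the banned client returning after an hour), the year 2019 is assumed when parsing the syslog timestamps, and the names Jail, replay and parse_ts are mine. Running it with findtime=300 and then 3600 shows why the window size matters.

```python
"""Added example, not fail2ban's own code: the jail logic (maxretry failures from
one IP within findtime -> ban for bantime, then automatic unban) replayed over
log lines in the /var/log/secure format above.  The regex is a simplified
version of fail2ban's sshd filter; syslog timestamps carry no year, so one is
assumed (as fail2ban also has to)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+ ssh2")

# Constructed sample log: the tutorial's three failures from 172.25.2.2, a scanner
# spacing its attempts ten minutes apart, and 172.25.2.2 back after its hour ban.
SAMPLE_LOG = """\
Oct 24 21:01:10 server1 sshd[3491]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Oct 24 21:01:11 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:16 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Failed password for root from 172.25.2.2 port 35200 ssh2
Oct 24 21:01:20 server1 sshd[3491]: Connection closed by 172.25.2.2 [preauth]
Oct 24 21:10:00 server1 sshd[3510]: Failed password for invalid user admin from 172.25.2.3 port 40001 ssh2
Oct 24 21:20:00 server1 sshd[3522]: Failed password for invalid user admin from 172.25.2.3 port 40002 ssh2
Oct 24 21:30:00 server1 sshd[3540]: Failed password for invalid user admin from 172.25.2.3 port 40003 ssh2
Oct 24 22:05:00 server1 sshd[3601]: Failed password for root from 172.25.2.2 port 35300 ssh2
"""


def parse_ts(text, year=2019):
    """Syslog timestamps have no year; assume one (2019 matches the tutorial)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Jail:
    """In-memory model of one jail: a sliding window of failures per IP plus a ban
    table with expiry times."""

    def __init__(self, maxretry=3, findtime=300, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> failure times inside the window
        self.bans = {}                       # ip -> time the ban expires
        self.events = []                     # ("ban" | "unban", ip, time)

    def expire(self, now):
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append(("unban", ip, now))

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None                      # not an authentication failure
        now, ip = parse_ts(m["ts"]), m["ip"]
        self.expire(now)
        window = self.failures[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry and ip not in self.bans:
            self.bans[ip] = now + timedelta(seconds=self.bantime)
            self.events.append(("ban", ip, now))
            window.clear()                   # counted failures are cleared on ban
            return ip
        return None

    def currently_banned(self, now):
        self.expire(now)
        return sorted(self.bans)


def replay(log, **jail_args):
    """Feed every line of log into a fresh Jail and return it."""
    jail = Jail(**jail_args)
    for line in log.splitlines():
        jail.feed(line)
    return jail


if __name__ == "__main__":
    for findtime in (300, 3600):
        jail = replay(SAMPLE_LOG, maxretry=3, findtime=findtime, bantime=3600)
        print(f"findtime={findtime}s:")
        for kind, ip, when in jail.events:
            print(f"  {when:%b %d %H:%M:%S}  {kind:5} {ip}")
```

With findtime=300 only 172.25.2.2 is banned (three failures in nine seconds) and 172.25.2.3's slow attempts never accumulate; with findtime=3600 the slow scanner is banned as well. The real fail2ban adds the iptables rule at the "ban" event and removes it at "unban"; fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf shows which real log lines its own filter matches.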
Scenario 1: lifting a ban before it expires
The tutorial's approach: fail2ban decides from what it reads in /var/log/secure, and in the 0.8 series it keeps the ban list only in memory, so emptying the log and restarting the service removes the ban (the restart flushes the fail2ban-SSH chain, and with the log empty there are no recent failures left for the client to be banned again)
[root@server1 log]# > /var/log/secure ###empty the log
[root@server1 log]# cat /var/log/secure
[root@server1 log]# systemctl restart fail2ban ##restart the service
Do not do this on a real server: /var/log/secure is the audit trail of who logged in from where, and it is the first thing you need in the situation described under PrintLastLog. The clean way to release one address is fail2ban-client set ssh-iptables unbanip 172.25.2.2 (available since fail2ban 0.8.8), which touches neither the log nor the other bans.
[root@server2 ~]# ssh root@172.25.2.1 ###the banned host can connect again
root@172.25.2.1's password:
Last failed login: Thu Oct 24 21:01:20 CST 2019 from server2 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Thu Oct 24 19:55:36 2019 from server2
WELCOME
Scenario 2: fail2ban assumes port 22; what if the sshd port was changed, as in the first part of the tutorial?
[root@server1 action.d]# cd /etc/fail2ban/
[root@server1 fail2ban]# vim jail.conf
action = iptables[name=SSH, port=ssh, protocol=tcp]
The port is given here as a service name, resolved through /etc/services to 22 (which is why the INPUT rule above shows dpt:22). If sshd listens on 2222, write port=2222 in this line; the fail2ban-SSH jump rule is then created for that port.
[root@server1 action.d]# cd /etc/fail2ban/action.d
[root@server1 action.d]# vim iptables.conf
port = ssh
This line in the [Init] section of the action is only the fallback used when a jail passes no port parameter; the port in the jail's action line overrides it, so the jail is the one place that must change. After restarting fail2ban, check iptables -nvL: the jump rule must show the new port, otherwise bans land in a chain that no ssh packet ever reaches.
DenyHosts:
DenyHosts is written in Python. It watches the system log (/var/log/secure) for brute-force attempts against OpenSSH; when it finds some, it extracts the source IP address from the log and adds an entry to /etc/hosts.deny so that TCP Wrappers reject further connections from that address.
PAM module: the brute-force protection built into the Linux system itself ###the protection is weaker in one respect: it counts failures per account rather than per source address, so an attacker can lock a legitimate user (even root) out just by sending wrong passwords for that account
2. Preventing ssh brute force with the pam_tally2 module
[root@server1 ~]# vim /etc/pam.d/sshd
Add one line directly under the first line, so that it runs before the other auth entries:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200
Meaning: after 3 failed logins the account is locked (the next attempt is refused even with the right password); ordinary users are unlocked after 600 seconds, root after 1200 seconds. The pam_tally2(8) man page also expects an "account required pam_tally2.so" line so that the counter is reset after a successful login; without it the failures keep accumulating across sessions.
Lifting a lock by hand:
Show a user's failed-login count:
pam_tally2 --user <user>
For example, for the user work:
pam_tally2 --user work
Reset a user's failed-login count:
pam_tally2 --user <user> --reset
For example, to reset the count for work:
pam_tally2 --user work --reset
(pam_tally2 is the command that goes with pam_tally2.so; the older pam_tally command reads a different counter file and will not show these locks.)
Script for protecting sshd against brute force