A simple defence against SSH brute-force attacks on Linux


Author: 迷路的木瓜 | Published 2020-07-03 20:49
service sshd status

The status output contained "authentication failure" entries from unfamiliar IP addresses.



Check the login records:

cat /var/log/auth.log

There are many "Failed password for root from ..." entries.

A quick search confirmed that this is an SSH brute-force attack. A simple defence follows.

Install fail2ban

apt install -y fail2ban

Configure

nano /etc/fail2ban/jail.local

Put the overrides in jail.local rather than editing jail.conf directly: jail.conf is replaced on package upgrades, and fail2ban reads jail.local on top of it. On fail2ban 0.9 and later (any Debian or Ubuntu release current in 2020) the SSH jail is named [sshd], not [ssh]; the name has to match what is queried with fail2ban-client below. Add:

[sshd]
enabled = true
port    = 22
filter  = sshd
logpath  = /var/log/auth.log
bantime = -1
maxretry = 5

An address is banned once it produces maxretry failures within findtime (10 minutes by default), and bantime = -1 makes that ban permanent. That also locks out an administrator who mistypes a password five times from their own address, so consider a finite bantime and an ignoreip entry for the management network.

Restart the fail2ban service (`systemctl restart fail2ban`), not sshd: the jail is read by fail2ban, and nothing in sshd's own configuration has changed.

Check the ban list:

fail2ban-client status sshd

Some useful commands

System accounts

1. Are there privileged users (uid 0) other than root?
awk -F: '$3==0{print $1}' /etc/passwd

root

2. Accounts with a password hash set, i.e. the ones that can be used for password login (requires root; locked accounts have a second field starting with ! or *). The original command lost its backslashes in extraction and matched only $1 (MD5) and $6 (SHA-512) hashes; matching any field that starts with $ also covers $5 and the yescrypt $y hashes newer distributions use:
awk -F: '$2 ~ /^\$/ {print $1}' /etc/shadow

Confirming the attack:

grep -o "Failed password" /var/log/auth.log | uniq -c
 63 Failed password
Print the first and last brute-force lines to establish the time range of the attack:
grep "Failed password" /var/log/auth.log|head -1

Jul 3 19:36:44 localhost sshd[405]: Failed password for invalid user squid from 222.128.20.226 port 33228 ssh2

grep "Failed password" /var/log/auth.log|tail -1

Jul 3 20:25:23 localhost sshd[1932]: Failed password for invalid user postgres from 81.183.171.195 port 46796 ssh2

Which IPs are doing the brute-forcing? The dots in the IP pattern must be escaped, otherwise they match any character, and sort must come before uniq -c because uniq only merges adjacent duplicates:
grep "Failed password" /var/log/auth.log|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c|sort -nr
Which usernames are in the attacker's dictionary? (The newline escape is \n, and again sort before uniq -c.)
grep "Failed password" /var/log/auth.log|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|sort|uniq -c|sort -nr

Recent administrator logins:

Date, username and source IP of successful logins:
grep "Accepted " /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' 
And a count of the IPs that have logged in successfully:
grep "Accepted " /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
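The one-liners above are fragile in ways that are easy to miss on a small log: uniq -c only merges adjacent lines, so it needs a preceding sort, and an unescaped dot in the IP pattern matches any character. The script below is an added example, not part of the original post, that packages the triage as shell functions and runs them over a constructed auth.log (RFC 5737 documentation addresses, invented timestamps). It also emulates the fail2ban jail configured earlier: it counts failures per IP inside a trailing findtime window and reports which addresses would reach maxretry, which shows why the 19:36 burst is banned while a slow attacker spreading attempts over an hour is not. The function names, the sample log, and the same-day assumption behind the timestamp arithmetic are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): SSH brute-force triage over an
# auth.log, plus an emulation of fail2ban's maxretry/findtime ban decision.
# The log below is CONSTRUCTED for this example; the addresses are from the
# RFC 5737 documentation ranges and the timestamps are invented.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul  3 19:36:44 localhost sshd[405]: Failed password for invalid user squid from 192.0.2.10 port 33228 ssh2
Jul  3 19:36:47 localhost sshd[405]: Failed password for invalid user squid from 192.0.2.10 port 33228 ssh2
Jul  3 19:36:50 localhost sshd[410]: Failed password for root from 192.0.2.10 port 33250 ssh2
Jul  3 19:36:53 localhost sshd[412]: Failed password for root from 192.0.2.10 port 33260 ssh2
Jul  3 19:36:56 localhost sshd[414]: Failed password for invalid user admin from 192.0.2.10 port 33270 ssh2
Jul  3 19:40:01 localhost sshd[500]: Failed password for invalid user postgres from 198.51.100.7 port 46796 ssh2
Jul  3 19:52:10 localhost sshd[600]: Accepted publickey for deploy from 203.0.113.5 port 50122 ssh2
Jul  3 20:10:12 localhost sshd[700]: Failed password for root from 198.51.100.7 port 46800 ssh2
Jul  3 20:25:23 localhost sshd[1932]: Failed password for invalid user postgres from 198.51.100.7 port 46810 ssh2
Jul  3 20:30:00 localhost sshd[2000]: Accepted password for root from 203.0.113.5 port 50200 ssh2
EOF

# Total failed password attempts.
failed_count() { grep -c "Failed password" "$1"; }

# Failed attempts per source IP, busiest first. The token after "from" is the
# address, so no IP regex is needed. sort MUST precede uniq -c: uniq only
# merges adjacent duplicates, so an interleaved log gives wrong counts otherwise.
failed_by_ip() {
  awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" \
    | sort | uniq -c | sort -rn
}

# Usernames tried, covering both "for invalid user NAME" and "for NAME" forms.
failed_users() {
  awk '/Failed password/ {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
           print u
           break
         }
       }' "$1" | sort | uniq -c | sort -rn
}

# Successful logins: month, day, time, auth method, user, source IP.
accepted_logins() {
  awk '/Accepted / {
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
         print $1, $2, $3, $7, $9, ip
       }' "$1"
}

# Emulate the jail: an IP is banned once it has MAXRETRY or more failures
# inside any trailing FINDTIME-second window, and is then ignored (fail2ban
# would be dropping its packets). Timestamps become seconds-of-day, so this
# assumes all lines fall on one day (true for the constructed log above).
# Usage: would_ban LOGFILE [MAXRETRY] [FINDTIME]; prints "IP TIME" per ban.
would_ban() {
  awk -v max="${2:-5}" -v win="${3:-600}" '
    /Failed password/ {
      split($3, t, ":"); sec = t[1]*3600 + t[2]*60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      if (ip in banned) next
      n[ip]++; ts[ip, n[ip]] = sec
      c = 0
      for (k = n[ip]; k >= 1 && sec - ts[ip, k] <= win; k--) c++
      if (c >= max) { banned[ip] = 1; print ip, $3 }
    }' "$1"
}

echo "failed attempts: $(failed_count "$LOG")"
echo "--- by source IP"; failed_by_ip "$LOG"
echo "--- usernames tried"; failed_users "$LOG"
echo "--- successful logins"; accepted_logins "$LOG"
echo "--- would be banned (maxretry=5, findtime=600s)"; would_ban "$LOG" 5 600
```

Point the functions at the real /var/log/auth.log instead of the constructed file to triage a live host. The would_ban emulation is only a model of the jail's counting; to check that the installed filter actually matches your log format, run fail2ban-regex against the log and /etc/fail2ban/filter.d/sshd.conf before trusting the ban counts.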

Article link: https://www.haomeiwen.com/subject/afreqktx.html