Linux: blocking remote brute-force logins

Login-related log files

1. /var/run/utmp: currently logged-in users; view with the who or w command

who
root@vultr:~# who
root     tty1         2022-03-17 09:55
root     pts/0        2022-03-26 11:57 (120.232.161.186)
root@vultr:~#

2. /var/log/wtmp: login records (historical logins and sessions that are still logged in)

last
root     pts/0        120.232.193.252  Mon Jul  5 18:06 - crash  (00:15)
reboot   system boot  5.11.0-22-generi Mon Jul  5 17:57   still running
root     pts/0        120.232.193.252  Mon Jul  5 14:49 - 17:20  (02:30)
root     pts/1        120.238.242.7    Fri Jul  2 16:07 - 23:23 (1+07:16)
root     pts/0        120.232.193.252  Fri Jul  2 14:37 - 17:49  (03:12)
reboot   system boot  5.11.0-17-generi Fri Jul  2 14:33   still running
reboot   system boot  5.11.0-17-generi Wed May 19 18:55   still running

3. /var/log/btmp: failed login records

lastb
root@vultr:~# lastb
root     ssh:notty    222.239.248.170  Sat Mar 26 12:02 - 12:02  (00:00)
root     ssh:notty    96.27.143.109    Sat Mar 26 12:02 - 12:02  (00:00)
root     ssh:notty    43.132.156.229   Sat Mar 26 12:02 - 12:02  (00:00)
root     ssh:notty    162.243.158.185  Sat Mar 26 12:01 - 12:01  (00:00)
root     ssh:notty    49.233.128.239   Sat Mar 26 12:01 - 12:01  (00:00)
root     ssh:notty    43.129.237.178   Sat Mar 26 12:01 - 12:01  (00:00)
root     ssh:notty    34.94.63.92      Sat Mar 26 12:00 - 12:00  (00:00)
root     ssh:notty    43.132.156.229   Sat Mar 26 12:00 - 12:00  (00:00)
root     ssh:notty    222.239.248.170  Sat Mar 26 11:59 - 11:59  (00:00)
root     ssh:notty    96.27.143.109    Sat Mar 26 11:59 - 11:59  (00:00)
root     ssh:notty    43.129.237.178   Sat Mar 26 11:59 - 11:59  (00:00)
  • Failed-login IPs, grouped and counted by number of occurrences
sudo lastb |awk '{print $3}' |sort |uniq -c

Here $N refers to the Nth column of each line (the source IP is column 3), and print outputs it.

  • Print the IPs with more than 3 failures
sudo lastb |awk '{print $3}' |sort |uniq -c |awk '{if($1>3) print $2}'

Allow/deny files

1. /etc/hosts.deny: the blacklist
On Ubuntu, entries added in the form ALL: IP take effect

root@vultr:~# cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
ALL: 45.9.20.73
ALL: 49.88.112.116
ALL: 103.124.93.74
ALL: 43.154.44.146
ALL: 43.129.237.178

2. /etc/hosts.allow: the whitelist

The whitelist file takes precedence over the blacklist file.

You can add an IP to the whitelist to exempt it from the blacklist.

Preventing brute-force login attacks

Approach:

1. At login, lock the account as soon as the password has been wrong more than 2 times (immediate lock: the client can still reach SSH remotely, but cannot get in)
2. Write a scheduled script that puts IPs with more than 3 failed logins straight onto the blacklist and refuses them service (SSH connections are rejected outright)

SSH login restriction

Open the PAM configuration file for sshd

sudo vim /etc/pam.d/sshd

Add the restriction rule

auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=600
  • deny=3: deny access once there are more than 3 failures
  • unlock_time / root_unlock_time: lockout duration in seconds, one for ordinary users and one for root
  • even_deny_root: apply the limit to the root user as well (the option is spelled even_deny_root, not event_deny_root)
  • pam_tally2 was deprecated in Linux-PAM 1.4 and removed in 1.5; on distributions that no longer ship it, pam_faillock accepts the same deny, unlock_time, even_deny_root and root_unlock_time options

Note: once login is restricted we can lock ourselves out as well, but we can still log in on a local tty, for example through the cloud provider's console

Adding IPs to the blacklist with a scheduled task

1. Create a shell script, ssh_deny.sh

#!/bin/bash
# Source IPs with more than 2 failed logins recorded in /var/log/btmp
list=$(sudo lastb |awk '{print $3}' |sort |uniq -c |awk '{if($1>2) print $2}')
for ip in ${list}
do
        # Skip IPs that are already listed so repeated runs do not add duplicates
        grep -q "^ALL: ${ip}$" /etc/hosts.deny || echo "ALL: ${ip}" >> /etc/hosts.deny
done
# Truncate btmp once, after the loop (echo would write a newline into the binary file)
: > /var/log/btmp

2. Add a scheduled task that runs once an hour and also empties the btmp file to reset it

crontab -e 

In the editor that opens, add one line:

0 * * * * sudo bash /root/ssh_deny.sh
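The lastb-to-hosts.deny pipeline above, as an added example that is not part of the original post: it keeps the same counting logic but only counts IPv4 source columns (so lastb's "btmp begins" trailer and entries without a remote host are ignored), skips IPs that are already denied so hourly cron runs do not pile up duplicates, and writes to a temporary file instead of /etc/hosts.deny. The lastb lines and the IP addresses are constructed sample data.

```shell
#!/bin/bash
# Constructed lastb-style sample (not real data). The trailing "btmp begins"
# line is the trailer lastb prints at the end of its output.
SAMPLE_LASTB='root     ssh:notty    192.0.2.10       Sat Mar 26 12:02 - 12:02  (00:00)
root     ssh:notty    192.0.2.10       Sat Mar 26 12:01 - 12:01  (00:00)
root     ssh:notty    192.0.2.10       Sat Mar 26 12:00 - 12:00  (00:00)
admin    ssh:notty    198.51.100.7     Sat Mar 26 11:59 - 11:59  (00:00)
root     ssh:notty    198.51.100.7     Sat Mar 26 11:58 - 11:58  (00:00)
root     ssh:notty    203.0.113.5      Sat Mar 26 11:57 - 11:57  (00:00)

btmp begins Sat Mar 26 11:57:00 2022'

# Read lastb output on stdin and print the source IPs with more than $1
# failures. Only IPv4-looking third columns are counted, so the trailer line
# and entries without a remote host are ignored.
failed_ips_over() {
    awk -v limit="$1" '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] > limit) print ip }' | sort
}

# Append "ALL: ip" to the deny file ($1) for each IP on stdin, skipping IPs
# already listed so that hourly cron runs do not add duplicate lines.
# Prints the number of lines added.
add_to_deny_file() {
    local file="$1" added=0 ip
    while read -r ip; do
        if ! grep -qx "ALL: ${ip}" "$file"; then
            echo "ALL: ${ip}" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Demo against a temporary file rather than the real /etc/hosts.deny.
demo_file=$(mktemp)
echo "ALL: 203.0.113.5" > "$demo_file"   # pretend this IP was denied earlier
printf '%s\n' "$SAMPLE_LASTB" | failed_ips_over 2 | add_to_deny_file "$demo_file"
cat "$demo_file"
```

To use it for real, replace the sample input with `sudo lastb` and the temporary file with /etc/hosts.deny, then truncate /var/log/btmp after the loop as the script above does.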