Linux

How do I protect SSH?

  • July 12, 2021

I checked /var/log/secure and I have these log entries:

Jul  9 13:02:56 localhost sshd[30624]: Invalid user admin from 223.196.172.1 port 37566
Jul  9 13:02:57 localhost sshd[30624]: Connection closed by invalid user admin 223.196.172.1 port 37566 [preauth]
Jul  9 13:03:05 localhost sshd[30626]: Invalid user admin from 223.196.174.150 port 61445
Jul  9 13:03:05 localhost sshd[30626]: Connection closed by invalid user admin 223.196.174.150 port 61445 [preauth]
Jul  9 13:03:16 localhost sshd[30628]: Invalid user admin from 223.196.169.37 port 62329
Jul  9 13:03:24 localhost sshd[30628]: Connection closed by invalid user admin 223.196.169.37 port 62329 [preauth]
Jul  9 13:03:29 localhost sshd[30630]: Invalid user admin from 223.196.169.37 port 64099
Jul  9 13:03:30 localhost sshd[30630]: Connection closed by invalid user admin 223.196.169.37 port 64099 [preauth]
Jul  9 13:03:45 localhost sshd[30632]: Invalid user admin from 223.196.174.150 port 22816
Jul  9 13:03:46 localhost sshd[30632]: Connection closed by invalid user admin 223.196.174.150 port 22816 [preauth]
Jul  9 13:06:17 localhost sshd[30637]: Invalid user admin from 223.196.168.33 port 33176
Jul  9 13:06:17 localhost sshd[30637]: Connection closed by invalid user admin 223.196.168.33 port 33176 [preauth]
Jul  9 13:07:09 localhost sshd[30639]: Invalid user admin from 223.196.173.152 port 61780
Jul  9 13:07:25 localhost sshd[30641]: Invalid user admin from 223.196.168.33 port 54200
Jul  9 13:07:26 localhost sshd[30641]: Connection closed by invalid user admin 223.196.168.33 port 54200 [preauth]
...

It looks like someone is trying to log in over SSH. I have disabled root login and enabled public/private key login, but is this a DDoS attack? Does it consume RAM/CPU?

What should I do?

This is just the normal Internet background noise of people scanning for vulnerable servers.

As a quick fix you can add an iptables rule that rate-limits incoming connections (e.g. four within four minutes), but be aware that it will also lock you out if you open too many connections yourself, or if someone forges SYN packets that appear to originate from your address:

# Order matters: the first rule rejects a NEW connection to port 22 if the same source
# address has already been seen 4 times in the last 240 seconds (and refreshes its timestamp);
# the second rule records the source address and accepts anything that was not rejected.
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 240 --hitcount 4 --name ssh-v4 --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh-v4 --mask 255.255.255.255 --rsource -j ACCEPT

The proper solution is a tool like fail2ban, which parses the log file for failed logins and creates firewall rules as needed. It takes more work to set up, but because it needs an established connection and a failed authentication to trigger, it will not react to forged connection attempts or to successful logins the way the simple approach does.
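To make the difference between the two approaches concrete, here is an added example (not part of the Server Fault answer and not fail2ban's own code) of a minimal fail2ban-style detector: it parses sshd lines in the /var/log/secure format, counts only authentication failures per source address, and bans an address once it reaches `maxretry` failures inside a `findtime` window (the same 4-in-240-seconds policy as the iptables quick fix above). The function names, the fixed year (syslog timestamps carry none) and the sample log lines are assumptions made for the example; the sample uses RFC 5737 documentation addresses and mirrors the question's line format. A spoofed SYN never reaches this code, because sshd logs nothing until a connection is actually completed and an authentication attempt fails.

```python
"""Minimal fail2ban-style detector for sshd authentication failures.

Added example, not fail2ban's code. Reads syslog-format sshd lines, counts
auth failures per source IP, and bans an IP on maxretry hits within findtime.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix as written by sshd to /var/log/secure: "Jul  9 13:02:56 host sshd[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Only authentication failures count. "Accepted ..." and "Connection closed ..."
# lines deliberately have no pattern here, so successful logins and aborted
# handshakes never contribute to a ban.
FAILURE_PATTERNS = [
    re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+) port \d+$"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"),
]

# Constructed sample log (documentation addresses, question's line format).
# 203.0.113.10: four failures in 69 s  -> should be banned at 13:04:05.
# 203.0.113.20: four failures 5 min apart -> never 4 inside a 240 s window.
# 198.51.100.7: successful key login     -> must not be counted at all.
SAMPLE_LOG = """\
Jul  9 13:02:56 localhost sshd[30624]: Invalid user admin from 203.0.113.10 port 37566
Jul  9 13:02:57 localhost sshd[30624]: Connection closed by invalid user admin 203.0.113.10 port 37566 [preauth]
Jul  9 13:03:10 localhost sshd[30626]: Invalid user admin from 203.0.113.10 port 37570
Jul  9 13:03:40 localhost sshd[30628]: Failed password for invalid user admin from 203.0.113.10 port 37580 ssh2
Jul  9 13:04:05 localhost sshd[30630]: Failed password for root from 203.0.113.10 port 37590 ssh2
Jul  9 13:04:30 localhost sshd[30632]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Jul  9 13:05:00 localhost sshd[30634]: Invalid user admin from 203.0.113.20 port 61445
Jul  9 13:10:00 localhost sshd[30636]: Invalid user admin from 203.0.113.20 port 61446
Jul  9 13:15:00 localhost sshd[30638]: Invalid user admin from 203.0.113.20 port 61447
Jul  9 13:20:00 localhost sshd[30640]: Invalid user admin from 203.0.113.20 port 61448
""".splitlines()


def parse_failure(line, year=2021):
    """Return (timestamp, source_ip) for an sshd auth-failure line, else None.

    The year is an assumption: syslog timestamps do not include one.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    for pat in FAILURE_PATTERNS:
        f = pat.match(m.group("msg"))
        if f:
            stamp = " ".join(m.group("ts").split())  # collapse "Jul  9" -> "Jul 9"
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            return ts, f.group("ip")
    return None


def find_bans(lines, maxretry=4, findtime=240):
    """Sliding-window policy like fail2ban's maxretry/findtime.

    Returns {ip: timestamp_of_ban}. An IP is banned on the failure that makes
    maxretry hits fall within the last findtime seconds.
    """
    hits = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # not an auth failure: ignored, whoever sent it
        ts, ip = parsed
        if ip in bans:
            continue
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than the window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans):
    """Firewall rules an enforcer would apply for the banned addresses.

    fail2ban itself keeps these in a dedicated chain; a plain INPUT insert is
    used here for illustration.
    """
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
        for ip in sorted(bans)
    ]


if __name__ == "__main__":
    for cmd in ban_commands(find_bans(SAMPLE_LOG)):
        print(cmd)
```

Running it bans only 203.0.113.10: the second scanner's attempts are spaced wider than `findtime`, so they never accumulate, and the successful key login is never counted. Widening the window (for example `find_bans(SAMPLE_LOG, findtime=3600)`) is what makes the slow scanner get banned too, which is the trade-off fail2ban's `findtime` setting controls.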

Quoted from: https://serverfault.com/questions/1069102