Because people have been attacking my website and server lately, I spent some time putting a few security measures in place on the server.
The threats I am seeing fall into two groups: brute-force SSH password guessing, and attacks against ports 80 and 443.

80 and 443 are the ports that serve the website; I run nginx. The logs show a large number of crawler requests, and on inspection they are probing for vulnerabilities.

SSH brute force

SSH password brute-forcing can be found in the login log (/var/log/auth.log).
The two IPs 116.31.116.9 and 58.57.65.112 kept trying to log in. After a few failures the system refuses further connections, but the default blacklist only lasts for a limited time, and once it expires they can try again.
Luckily my password is complex enough.
The simplest fix is to install denyhosts, a small Python-based tool that watches the SSH log in the background and blocks the IP outright as soon as it sees someone brute-forcing.
Every connection from that IP is then refused.

May 22 07:42:13 jdu4e00u53f7 sshd[29510]: Failed password for root from 58.57.65.112 port 60227 ssh2
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: Failed password for root from 58.57.65.112 port 60227 ssh2
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: error: maximum authentication attempts exceeded for root from 58.57.65.112 port 60227 ssh2 [preauth]
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: Disconnecting: Too many authentication failures [preauth]
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.57.65.112  user=root
May 22 07:42:47 jdu4e00u53f7 sshd[29530]: refused connect from 58.57.65.112 (58.57.65.112)
May 22 07:42:52 jdu4e00u53f7 sshd[29531]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:43:38 jdu4e00u53f7 sshd[29532]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:44:24 jdu4e00u53f7 sshd[29533]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: Invalid user support from 201.254.151.186
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: input_userauth_request: invalid user support [preauth]
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): check pass; user unknown
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.254.151.186
May 22 07:44:45 jdu4e00u53f7 sshd[29534]: Failed password for invalid user support from 201.254.151.186 port 60787 ssh2
May 22 07:44:46 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): check pass; user unknown
May 22 07:44:46 jdu4e00u53f7 sshd[29544]: refused connect from 58.57.65.112 (58.57.65.112)

Vulnerability-scanning crawlers

The nginx log shows a large number of crawler requests. Adding a line such as deny 113.209.16.177; to the nginx configuration blocks that IP outright; if it comes back it simply gets a 403.

113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/HelloWorld.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/HelloWorld.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:44 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:44 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:45 +0800] "POST //static.coderstory.cn/struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:46 +0800] "POST //static.coderstory.cn/struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:46 +0800] "POST //static.coderstory.cn/struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:47 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:47 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:49 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
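An added example (not from the original post): the same triage done in code rather than by eye. It parses nginx combined-format lines, flags IPs that repeatedly request the Struts2 probe paths seen above or use a scripted user agent, and renders the deny directives to paste into the nginx config. The probe-path list, the user-agent list and the sample log are constructed assumptions.

```python
import re
from collections import Counter

# nginx "combined" log format, the shape of the lines above (the trailing
# X-Forwarded-For field in the post's log is simply left unmatched).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed indicators: the Struts2 paths seen in the post's log, the
# phpmyadmin paths the post mentions, and scripted user agents.
PROBE_PATHS = ("/struts2-blank/", "/phpmyadmin", "/pma/")
SCANNER_UAS = ("python-requests/", "masscan", "zgrab")

def classify(line):
    """Return (ip, looks_like_probe) or None when the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, ua = m["path"].lower(), m["ua"].lower()
    probe = any(p in path for p in PROBE_PATHS) or any(u in ua for u in SCANNER_UAS)
    return m["ip"], probe

def scanner_ips(lines, min_probes=3):
    """IPs with at least min_probes probe-like requests, with their counts."""
    probes = Counter()
    for line in lines:
        r = classify(line)
        if r and r[1]:
            probes[r[0]] += 1
    return {ip: n for ip, n in probes.items() if n >= min_probes}

def nginx_deny_block(ips):
    """deny directives to drop into the server {} block of the nginx config."""
    return "\n".join(f"deny {ip};" for ip in sorted(ips))

# Constructed sample log (documentation-range IPs): one scanner hammering
# Struts2 paths, one ordinary visitor.
SAMPLE = [
    '203.0.113.7 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/'
    'HelloWorld.action HTTP/1.1" 404 169 "-" "python-requests/2.2.1" "-"',
    '203.0.113.7 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/'
    'index.action HTTP/1.1" 404 169 "-" "python-requests/2.2.1" "-"',
    '203.0.113.7 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/'
    'index.do HTTP/1.1" 404 169 "-" "python-requests/2.2.1" "-"',
    '192.0.2.10 - - [23/May/2017:05:04:00 +0800] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/53.0" "-"',
]
```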

Server hardening

Upgrade nginx to the latest 1.13 release and set server_tokens off so nginx stops reporting its version in the HTTP response headers.
Install the ufw firewall and open only 80, 443 and the SSH port to the outside.

sudo apt install ufw
# Set the policy and the allow rules before enabling; enabling first would
# refuse new SSH connections until the rule for port 22 exists.
sudo ufw default deny
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp    # use your new port here if you move SSH off 22
sudo ufw enable
sudo ufw status

If you can, make sure the nginx, mysql and php-fpm you installed are the latest versions, then check that their configuration is right:
is remote login to mysql disabled, is something like phpmyadmin installed (useless to me, and dangerous if misconfigured), does php-fpm have the dangerous functions disabled,
and are the permissions on the web directory set properly.

SSH hardening

SSH hardening usually means logging in with a key plus a password rather than a password alone, and moving SSH off the default port.

Changing the SSH port is simple: edit the config with sudo nano /etc/ssh/sshd_config.
At the top of the file you will see:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0

Protocol 2

Change the 22 in Port 22 to the port number you want and save.

Then restart the sshd service and you are done:

sudo service sshd restart

To enable key login you first need to generate a key pair:

ssh-keygen -t rsa

You will then see the following prompt:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/coderstory/.ssh/id_rsa): 

It is asking where to save the generated key; the default is fine, just press Enter.

Enter passphrase (empty for no passphrase):

Next it asks whether the key should have a passphrase. If you set one, logging in requires both the key file and the key's passphrase; pressing Enter gives you a key with no passphrase.

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

This imports the public key (the key was generated with -t rsa, so the public half is id_rsa.pub).
Now edit the SSH config file /etc/ssh/sshd_config, find the line below and change yes to no to turn off password login, which improves security:

PasswordAuthentication yes

Find the following lines and remove the leading #:

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

Finally restart the service:

sudo service sshd restart

Find the id_rsa file under ~/.ssh and copy it to your own computer;
from now on you log in to the server with that key file.

Once key login is enabled, it is best to create a separate account and disable root login. When you need root privileges, just prefix the command with sudo.
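An added example (not from the original post) that checks whether an sshd_config actually ends up with the settings described above. sshd honours only the first occurrence of each keyword and ignores everything after a Match line unconditionally, so a hardened line pasted below the stock one does nothing; the checker models that. PermitRootLogin is assumed to be the directive behind "disable root login", since the post does not show it, and the two sample configs are constructed.

```python
import re

KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(.+?)\s*$")

def effective_settings(text):
    """Map lowercase keyword -> the value sshd will actually use: the FIRST
    occurrence wins, '#' lines are ignored, and lines after Match are
    conditional, so reading stops there."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m is None:
            continue
        if m[1].lower() == "match":
            break
        settings.setdefault(m[1].lower(), m[2])
    return settings

def audit(text):
    """Findings against the post's hardening steps; [] means hardened."""
    s = effective_settings(text)
    findings = []
    if s.get("port", "22") == "22":
        findings.append("Port is still the default 22")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # PermitRootLogin backs "disable root login"; the post does not show
    # the directive, so requiring an explicit 'no' here is an assumption.
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    return findings

# Constructed samples: the stock config as shown in the post, and a hardened one.
WEAK = """\
# What ports, IPs and protocols we listen for
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
"""
HARDENED = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
"""
```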

Last updated 2017-06-02