看好自家的后门,给SSH加把锁

  • 2017-05-25
  • 699
  • 1

因为最近老有人攻击我的网站和服务器,所以花了点时间给服务器做了一些安全措施。
目前我看到的威胁主要是两个,一个是暴力SSH密码破解,另一个是80以及443端口的威胁。

80和443是提供web访问的端口,我用的nginx服务器软件。在日志中可以看到大量的爬虫访问记录,经分析是用于查找漏洞的。

 


 

SSH暴力破解

ssh的暴力密码破解可以在登入日志里找到(/var/log/auth.log)
116.31.116.9和58.57.65.112这2个ip一直在尝试登入,虽然失败几次后被系统拒绝再次登入,但默认的黑名单是有时限的,过了这个时间还是可以尝试登入。
还好我的密码够复杂。
对于这个问题最简单的解决办法是安装denyhosts这个小软件,它是基于python.会在后台监控ssh日志,如果发现有人在暴力破解那么直接把对应的IP屏蔽掉。
该IP的所有连接都会被直接拒绝。

May 22 07:42:13 jdu4e00u53f7 sshd[29510]: Failed password for root from 58.57.65.112 port 60227 ssh2
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: Failed password for root from 58.57.65.112 port 60227 ssh2
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: error: maximum authentication attempts exceeded for root from 58.57.65.112 port 60227 ssh2 [preauth]
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: Disconnecting: Too many authentication failures [preauth]
May 22 07:42:15 jdu4e00u53f7 sshd[29510]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.57.65.112  user=root
May 22 07:42:47 jdu4e00u53f7 sshd[29530]: refused connect from 58.57.65.112 (58.57.65.112)
May 22 07:42:52 jdu4e00u53f7 sshd[29531]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:43:38 jdu4e00u53f7 sshd[29532]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:44:24 jdu4e00u53f7 sshd[29533]: refused connect from 116.31.116.9 (116.31.116.9)
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: Invalid user support from 201.254.151.186
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: input_userauth_request: invalid user support [preauth]
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): check pass; user unknown
May 22 07:44:43 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=201.254.151.186
May 22 07:44:45 jdu4e00u53f7 sshd[29534]: Failed password for invalid user support from 201.254.151.186 port 60787 ssh2
May 22 07:44:46 jdu4e00u53f7 sshd[29534]: pam_unix(sshd:auth): check pass; user unknown
May 22 07:44:46 jdu4e00u53f7 sshd[29544]: refused connect from 58.57.65.112 (58.57.65.112)


 

漏洞爬虫

Nginx的日志里可以看到大量爬虫的访问日志,直接把这几个IP配置到nginx中写一句deny 113.209.16.177;就直接屏蔽掉这个ip了。如果他再次访问直接返回403

113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/HelloWorld.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/HelloWorld.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:41 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.action HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:42 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.do HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:43 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:44 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:44 +0800] "POST /struts2-blank/example/index.aspx HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:45 +0800] "POST /struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:46 +0800] "POST /struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:46 +0800] "POST /struts2-blank/example/index.json HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:47 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:47 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"
113.209.16.177 - - [23/May/2017:05:03:49 +0800] "POST /struts2-blank/example/index.html HTTP/1.1" 403 169 "-" "python-requests/2.2.1 CPython/2.7.6 Linux/3.19.0-25-generic" "-"

服务器加固

升级nginx到最新的1.13版本,设置nginx的server_tokens关闭返回http头中的nginx版本信息。
安装uwf防火墙,仅对外开放了80 443 以及ssh端口。

sudo apt install ufw
sudo ufw enable
sudo ufw default deny
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw status

如果可以的话 , 确保自己安装的nginx mysql php-fpm是最新的版本,然后检查相关的配置是否正确。
mysql是否禁止了远程登入,phpmyadmin之类的软件有没有安装(对我没啥用,设置不当还危险),php-fpm是否禁用危险的命令。
网站目录的权限设置是否妥当。

SSH加固

SSH的加固一般是使用key和密码双重验证登入,修改默认的ssh端口。

修改ssh的端口很简单 ,直接编辑sudo nano /etc/ssh/sshd_config
在文本的开头

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0

Protocol 2

直接把Port 22 中的22改成你想要的端口号保存

然后重启sshd服务就OK了

sudo service sshd restart

开启Key登入的话,需要先生成一对key

ssh-keygen -t rsa

然后会出现如下提示

Generating public/private rsa key pair.
Enter file in which to save the key (/home/coderstory/.ssh/id_rsa): 

就是问你这个生成的key你想放哪里,一般用默认的即可,回车即可。

Enter passphrase (empty for no passphrase):

接下来问你这个key要不要密码。如果使用密码,那么你登入的时候需要提供这个key,还额外需要输入这个key的密码。直接回车的话就是无密码。

cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

导入公钥。
修改SSH的配置文件/etc/ssh/sshd_config,找到下面1行,把yes改成no 关闭使用密码登入功能增强安全性

PasswordAuthentication yes

找到如下的代码 去掉前面的#

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

最后重启服务

sudo service sshd restart

在 ~/.ssh下找到id_rsa这个文件,复制到你的电脑上,
以后登入服务器使用这个key文件即可。

开启key登入后,最好重新创建一个账户,禁用root账户登入。想要用root的权限话,加一句sudo即可。

感谢打赏!
微信
支付宝

评论

  • 头像
    我敬佩的大神系列回复

    果然是大神。我从头到尾看完了,虽然不知道里说的什么