A few days ago I happened to notice that auth.log had grown very large. When I opened it, I found that SSH on my server was being brute-forced; part of the log looked like this:

May  8 03:03:32 mysite sshd[10143]: Failed password for root from 182.100.67.113 port 41988 ssh2
May  8 03:03:35 mysite sshd[10143]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 41988 ssh2]
May  8 03:03:35 mysite sshd[10143]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:35 mysite sshd[10143]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:36 mysite sshd[10145]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:37 mysite sshd[10145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:39 mysite sshd[10145]: Failed password for root from 182.100.67.113 port 57935 ssh2
May  8 03:03:43 mysite sshd[10145]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 57935 ssh2]
May  8 03:03:44 mysite sshd[10145]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:44 mysite sshd[10145]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:44 mysite sshd[10147]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:45 mysite sshd[10147]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:47 mysite sshd[10147]: Failed password for root from 182.100.67.113 port 47047 ssh2
May  8 03:03:51 mysite sshd[10147]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 47047 ssh2]
May  8 03:03:52 mysite sshd[10147]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:52 mysite sshd[10147]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:52 mysite sshd[10149]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:03:53 mysite sshd[10149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:55 mysite sshd[10149]: Failed password for root from 182.100.67.113 port 35690 ssh2
May  8 03:03:59 mysite sshd[10149]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 35690 ssh2]
May  8 03:03:59 mysite sshd[10149]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:03:59 mysite sshd[10149]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:03:59 mysite sshd[10151]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:02 mysite sshd[10151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:04 mysite sshd[10151]: Failed password for root from 182.100.67.113 port 50994 ssh2
May  8 03:04:08 mysite sshd[10151]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 50994 ssh2]
May  8 03:04:08 mysite sshd[10151]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:04:08 mysite sshd[10151]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:08 mysite sshd[10153]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:11 mysite sshd[10153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:12 mysite sshd[10153]: Failed password for root from 182.100.67.113 port 42771 ssh2
May  8 03:04:17 mysite sshd[10153]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 42771 ssh2]
May  8 03:04:17 mysite sshd[10153]: Received disconnect from 182.100.67.113: 11:  [preauth]
May  8 03:04:17 mysite sshd[10153]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root
May  8 03:04:17 mysite sshd[10155]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May  8 03:04:21 mysite sshd[10155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113  user=root

This is obviously an automated program attempting to log in, so it is time to bring in Fail2ban. fail2ban watches the system logs, executes the corresponding ban action when it spots abnormal activity, and can also e-mail the system administrator.

I. Install fail2ban

Install it directly with apt-get:
apt-get install fail2ban

II. Configure fail2ban

Make a local copy of the configuration file (jail.local overrides jail.conf and survives package upgrades):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

1. Basic configuration

Edit jail.local and make the following changes:

# addresses that are never banned
ignoreip = 127.0.0.1/8
# ban duration in seconds, adjust as needed; -1 bans permanently
bantime = 3600
# observation window in seconds: maxretry failures within findtime trigger the ban action
findtime = 600
# maximum number of failed attempts
maxretry = 3

2. E-mail notification configuration

Edit jail.local and make the following changes:

# destination mailbox for notifications
destemail = xxxx@163.com
# which command sends the mail; mail or sendmail
mta = sendmail
# the default action only mails the banned IP; the _mw suffix adds whois information for that IP
action = %(action_mw)s

Note: mail or sendmail must already be set up for the e-mail notifications to work; see: Ubuntu: configuring a mail service with sendmail and sending mail.

3. SSH configuration

Edit jail.local and configure the SSH jail as follows:

[ssh]
# enable SSH monitoring
enabled  = true
# port to ban (service name or number)
port     = ssh
filter   = sshd
# path of the SSH log
logpath  = /var/log/auth.log
# maximum number of failed attempts
maxretry = 3
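To see how ignoreip, findtime and maxretry interact with sshd log lines like the ones at the top of this post, here is an added Python simulation of the jail's decision logic. It is not fail2ban's own code: the log sample is constructed in the same format as the excerpt above, "message repeated N times" lines are counted as N failures here (an assumption; fail2ban's sshd filter has its own handling), and unbanning after bantime is not modelled.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the auth.log format shown above (not the original log).
SAMPLE_LOG = """\
May  8 03:03:32 mysite sshd[10143]: Failed password for root from 203.0.113.5 port 41988 ssh2
May  8 03:03:35 mysite sshd[10143]: message repeated 2 times: [ Failed password for root from 203.0.113.5 port 41988 ssh2]
May  8 03:03:35 mysite sshd[10143]: Received disconnect from 203.0.113.5: 11:  [preauth]
May  8 03:05:10 mysite sshd[10160]: Failed password for alice from 198.51.100.7 port 50001 ssh2
May  8 03:20:00 mysite sshd[10170]: Failed password for alice from 198.51.100.7 port 50002 ssh2
May  8 03:21:00 mysite sshd[10171]: Accepted publickey for alice from 198.51.100.7 port 50003 ssh2
May  8 03:30:00 mysite sshd[10180]: message repeated 4 times: [ Failed password for root from 127.0.0.1 port 60000 ssh2]
"""

# Matches a plain "Failed password" line or one wrapped in "message repeated N times: [ ... ]".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:message repeated (?P<n>\d+) times: \[\s*)?"
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_failures(log, year=2016):
    """Yield (timestamp, ip, failure_count) for every failed-password line."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], int(m["n"] or 1)


def simulate_bans(log, findtime=600, maxretry=3, ignoreip=("127.0.0.1/8",)):
    """Return {ip: ban_time} for IPs reaching maxretry failures within findtime seconds."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans = {}
    for ts, ip, n in parse_failures(log):
        if ip in bans or any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        q = recent[ip]
        q.extend([ts] * n)
        while q and (ts - q[0]).total_seconds() > findtime:  # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans
```

With the post's settings 203.0.113.5 is banned on its third failure, 198.51.100.7 is not because its two failures are 15 minutes apart, and 127.0.0.1 is never banned because it falls inside ignoreip.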

III. Make Fail2ban take effect

Just restart the fail2ban service:
service fail2ban restart


That lunatic has already started switching IPs to keep brute-forcing.

[image: fail2ban_email.png]