Ubuntu: using Fail2ban to stop brute-force attacks on SSH and other services
A few days ago I noticed by chance that auth.log had become very large; when I opened it I found that my server's SSH was being brute-forced. Part of it is shown below:
May 8 03:03:32 mysite sshd[10143]: Failed password for root from 182.100.67.113 port 41988 ssh2
May 8 03:03:35 mysite sshd[10143]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 41988 ssh2]
May 8 03:03:35 mysite sshd[10143]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:03:35 mysite sshd[10143]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:36 mysite sshd[10145]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:03:37 mysite sshd[10145]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:39 mysite sshd[10145]: Failed password for root from 182.100.67.113 port 57935 ssh2
May 8 03:03:43 mysite sshd[10145]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 57935 ssh2]
May 8 03:03:44 mysite sshd[10145]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:03:44 mysite sshd[10145]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:44 mysite sshd[10147]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:03:45 mysite sshd[10147]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:47 mysite sshd[10147]: Failed password for root from 182.100.67.113 port 47047 ssh2
May 8 03:03:51 mysite sshd[10147]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 47047 ssh2]
May 8 03:03:52 mysite sshd[10147]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:03:52 mysite sshd[10147]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:52 mysite sshd[10149]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:03:53 mysite sshd[10149]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:55 mysite sshd[10149]: Failed password for root from 182.100.67.113 port 35690 ssh2
May 8 03:03:59 mysite sshd[10149]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 35690 ssh2]
May 8 03:03:59 mysite sshd[10149]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:03:59 mysite sshd[10149]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:03:59 mysite sshd[10151]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:04:02 mysite sshd[10151]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:04:04 mysite sshd[10151]: Failed password for root from 182.100.67.113 port 50994 ssh2
May 8 03:04:08 mysite sshd[10151]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 50994 ssh2]
May 8 03:04:08 mysite sshd[10151]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:04:08 mysite sshd[10151]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:04:08 mysite sshd[10153]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:04:11 mysite sshd[10153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:04:12 mysite sshd[10153]: Failed password for root from 182.100.67.113 port 42771 ssh2
May 8 03:04:17 mysite sshd[10153]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 42771 ssh2]
May 8 03:04:17 mysite sshd[10153]: Received disconnect from 182.100.67.113: 11: [preauth]
May 8 03:04:17 mysite sshd[10153]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
May 8 03:04:17 mysite sshd[10155]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
May 8 03:04:21 mysite sshd[10155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.100.67.113 user=root
This is clearly a program performing malicious logins: the excerpt shows the same source address 182.100.67.113 trying the root password every few seconds, on a fresh connection each time (new client port, new sshd PID). The "Could not load host key" lines are unrelated to the attack; they only mean that the ed25519 host key was never generated on this machine, which ssh-keygen -A fixes. So it is time for Fail2ban. Fail2ban watches the system logs; when it sees the configured number of failures from one address inside the observation window it runs the configured ban action, on Ubuntu an iptables rule that drops that address's traffic for the ban period, and can also e-mail the system administrator.
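To make concrete what fail2ban does with lines like the ones above, here is an added example that is not part of the original post: a small shell function, ban_candidates (a name chosen here), that applies the same rule fail2ban applies, maxretry failures from one address within findtime seconds, to a constructed auth.log sample and prints the addresses that would be banned, each at the moment it crosses the threshold. The sample is modelled on the excerpt above: 182.100.67.113 is the attacker from the post, while 203.0.113.7, 198.51.100.5 and the user names are made up. It only matches "Failed password" lines and counts syslog's "message repeated N times" lines N times, which is a simplification of fail2ban's real sshd filter.

```shell
#!/bin/sh
# Added example (not from the original post): emulate fail2ban's core rule on
# auth.log lines. An address that produces maxretry "Failed password" hits
# within findtime seconds is reported as a ban candidate. Only "Failed password"
# lines are matched and syslog "message repeated N times" lines are counted N
# times; the real sshd filter has more regexes, so this is a simplification.

# Constructed sample, modelled on the excerpt in the post: 182.100.67.113 is
# the attacker from the post; 203.0.113.7 and 198.51.100.5 are made up.
SAMPLE_LOG='May 8 03:03:32 mysite sshd[10143]: Failed password for root from 182.100.67.113 port 41988 ssh2
May 8 03:03:35 mysite sshd[10143]: message repeated 2 times: [ Failed password for root from 182.100.67.113 port 41988 ssh2]
May 8 03:03:39 mysite sshd[10145]: Failed password for root from 182.100.67.113 port 57935 ssh2
May 8 03:10:00 mysite sshd[10160]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May 8 03:25:00 mysite sshd[10170]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
May 8 03:40:00 mysite sshd[10180]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2
May 8 03:41:00 mysite sshd[10190]: Accepted publickey for deploy from 198.51.100.5 port 50000 ssh2'

# ban_candidates MAXRETRY FINDTIME  < auth.log
# Prints each source address once, at the line where it crosses the threshold.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    # syslog time HH:MM:SS -> seconds; the sample lies within one day, so the
    # month and day fields are ignored (a real implementation would use them)
    function tosec(hms,  a) { split(hms, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    /Failed password for .* from [0-9.]+ port/ {
        hits = 1
        # "message repeated N times: [ Failed password ... ]" stands for N hits
        if (match($0, /message repeated [0-9]+ times/)) {
            hits = substr($0, RSTART + 17, RLENGTH - 23) + 0
        }
        # the source address is the token after "from"
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        now = tosec($3)
        for (k = 0; k < hits; k++) { n[ip]++; ts[ip, n[ip]] = now }
        # count the hits that fall inside the sliding window [now - findtime, now]
        recent = 0
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] >= now - findtime) recent++
        if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# stand-alone run with the values used in the post (maxretry 3, findtime 600)
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600
```

With maxretry 3 and findtime 600 only 182.100.67.113 is reported: it reaches three failures within three seconds. 203.0.113.7 fails three times as well, but fifteen minutes apart, so no ten-minute window ever holds more than one hit; widening findtime to 3600 catches it too. That is the trade-off behind the findtime setting in the next section: a short window is quiet, a long one also catches slow, spread-out guessing.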
I. Install fail2ban
Install it directly with apt-get:
apt-get install fail2ban
II. Configure fail2ban
Make a local copy of the configuration file: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
fail2ban reads jail.conf first and then jail.local, and the values in jail.local win, so all edits belong in jail.local, where a package upgrade will not overwrite them. jail.local only has to contain the settings you change; copying the whole file is simply the easiest way to start.
1. Basic settings
Edit jail.local and change the following values in the [DEFAULT] section. fail2ban only recognises ";" preceded by a space as an inline comment marker, so a "#" after a value is read as part of the value; keep comments on their own lines:
# addresses that are never banned; add your own management IPs so a typo does not lock you out
ignoreip = 127.0.0.1/8
# how long a ban lasts, in seconds; adjust as needed, -1 means permanent
bantime = 3600
# observation window in seconds: maxretry failures within findtime trigger the ban
findtime = 600
# maximum number of failed attempts
maxretry = 3
2. Mail notifications
Edit jail.local and change the following in the same [DEFAULT] section:
# mailbox that receives the notifications
destemail = xxxx@163.com
# command used to send mail: sendmail or mail
mta = sendmail
# the default %(action_)s only bans; action_mw also sends an e-mail with the IP and its whois record (action_mwl would add the matching log lines as well)
action = %(action_mw)s
Note: mail or sendmail must already be working on the host before notifications can be delivered; see: Ubuntu: configuring a mail service with sendmail and sending mail
3. SSH jail
Edit jail.local and configure the SSH jail as follows:
[ssh]
# turn on monitoring of SSH
enabled = true
# port to block, by name or number
port = ssh
filter = sshd
# the log sshd writes to on Ubuntu
logpath = /var/log/auth.log
# maximum number of failed attempts
maxretry = 3
Note: the jail is called [ssh] in fail2ban 0.8 (Ubuntu 14.04 and earlier). From 0.9 on (Ubuntu 16.04 and later) it is called [sshd], and port, filter and logpath already carry these values there, so enabled = true is the only line needed.
III. Put the changes into effect
Just restart the fail2ban service: service fail2ban restart
Then confirm the jail is live and see what it has caught: fail2ban-client status ssh (the list of currently banned addresses is at the end of the output). To check the filter against the real log before relying on it, run fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf; its summary shows how many lines matched.
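As an added example, not the post's own commands, here is the whole procedure above as one script: it writes a jail.local that holds only the overrides from steps 1 to 3, with every comment on its own line, and provides the restart plus the checks. The values are the post's; the mailbox admin@example.com, the output path, the fail2ban 0.8 jail name [ssh] and the helper names write_jail_local, setting_is and apply_and_verify are assumptions. Writing only overrides instead of copying all of jail.conf keeps the file short and lets package upgrades update jail.conf without conflicts.

```shell
#!/bin/sh
# Added example (not from the original post): write a jail.local that holds only
# the overrides from the steps above, then restart fail2ban and verify.
# Assumptions: the mailbox admin@example.com, the output path argument, and the
# fail2ban 0.8 jail name [ssh] (Ubuntu 14.04); on 0.9+ the jail is [sshd].

# write_jail_local PATH
# fail2ban only treats "; " as an inline comment marker, so every comment here
# sits on its own line; a "#" after a value would become part of the value.
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# never ban these; add your own management addresses
ignoreip = 127.0.0.1/8
# ban length in seconds (-1 = permanent)
bantime = 3600
# maxretry failures within findtime seconds trigger a ban
findtime = 600
maxretry = 3
# notification target (assumed address) and the command that sends mail
destemail = admin@example.com
mta = sendmail
# ban + e-mail with whois; %(action_)s = ban only, %(action_mwl)s = also attach log lines
action = %(action_mw)s

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
EOF
}

# setting_is FILE KEY VALUE: succeed if FILE sets KEY to exactly VALUE
setting_is() {
    grep -Eq "^$2[[:space:]]*=[[:space:]]*$3[[:space:]]*\$" "$1"
}

# apply_and_verify: run as root on the server itself; a no-op elsewhere
apply_and_verify() {
    command -v fail2ban-client >/dev/null 2>&1 || { echo "fail2ban not installed here"; return 0; }
    write_jail_local /etc/fail2ban/jail.local
    # dry-run the sshd filter against the real log; the summary at the end
    # shows how many lines it matched
    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf | tail -n 5
    service fail2ban restart
    # jail status ends with the list of currently banned addresses
    fail2ban-client status ssh
    # the chain fail2ban inserts (fail2ban-ssh on 0.8, f2b-sshd on 0.9+)
    iptables -S | grep -i -e fail2ban -e f2b
}

# stand-alone run: write the file to a scratch location and show it
out="${JAIL_LOCAL:-${TMPDIR:-/tmp}/jail.local.example}"
write_jail_local "$out"
cat "$out"
```

Run as-is to inspect the generated file; on the server, call apply_and_verify as root (or set JAIL_LOCAL=/etc/fail2ban/jail.local and restart by hand). Because jail.local is layered over jail.conf, anything not listed here keeps the packaged default, so the file stays small enough to review at a glance.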
That lunatic has already started switching IPs to keep brute-forcing.