服务器遭受 ssh 攻击

查看auth.log日志，差点吓一跳，好多攻击记录。

vim  /var/log/auth.log

才两天的功夫，900多万条记录，

一些解决应对的办法：

43down voteaccepted

It is very common. Many botnets try to spread that way, so this is a wide scale mindless attack. Mitigation measures include: Use passwords with high entropy which are very unlikely to be brute-forced. Disable SSH login for root. Use an "unlikely" user name, which botnets will not use. Disable password-based authentication altogether. Run the SSH server on another port than 22. Use fail2ban to reject attackers' IP automatically or slow them down. Allow SSH connections only from a whitelist of IP (beware not to lock yourself out if your home IP is nominally dynamic !).

标注黄色背景的是解决的办法!

stack-overflow上面，搜索了一下这方面的攻击，看到一个提问和我遇到的情况类似：

Is it normal to get hundreds of break-in attempts per day?

I just checked my server's /var/log/auth.log and found that I'm getting over 500 failed password/break-in attempt notifications per day! My site is small, and its URL is obscure. Is this normal? Should I be taking any measures?

下面是回答:

2

Until we locked down all unnecessary external ports, I remember not only did we get lots of hack attempts, but one day it was so bad that we were being hacked from two different countries -- at the same time! So yes, 100s of break-in attempts is perfectly normal. – Django Reinhardt Mar 8 '11 at 14:53

91

We have servers that experience a new attack "sequence" once every 16 seconds. A single sequence is usually a batch of around 100 attempts across various ports. Just for kicks one day I turned on an unpatched server outside our firewall; it tooks less than 10 minutes from the time it was powered on for it to get pwnd. Point is the internet truly is a jungle; try not to get eaten. – NotMe Mar 8 '11 at 18:55

2

I can see I posted my question to the wrong site: superuser.com/questions/200896/… – Justin C Mar 9 '11 at 22:01

6

while I agree with others this is normal on common ports required (80, 443) I practically eliminated these attempts against my SSH port by simply changing the default port from 22 to something obscure like 6022 for example. Just doing that, alone, nearly eliminated 99% of that type of attack. – Kilo Mar 11 '11 at 20:32

2

If you're going to change your SSH port, there are security reasons to keep it below port 1024 (only root can open ports < 1024, so it protects you from other users hijacking SSH). –

accepted

In today's internet this is quite normal sadly. There are hordes of botnets trying to login to each server they find in whole IP networks. Typically, they use simple dictionary attacks on well-known accounts (like root or certain applications accounts).

The attack targets are not found via Google or DNS entries, but the attackers just try every IP address in a certain subnet (e.g. of known root-server hosting companies). So it doesn't matter that your URL (hence the DNS entry) is rather obscure.

That's why it is so important to:

• disallow root-login in SSH (howto)
• use strong passwords everywhere (also in your web applications)
• for SSH, use public-key authentication if possible and disable password-auth completely (howto)

Additionally, you can install fail2ban which will scan the authlog and if it finds a certain amount of failed login attempts from an IP, it will proceed to add that IP to /etc/hosts.deny or iptables/netfilter in order to lock out the attacker for a few minutes.

In addition to the SSH attacks, it is also becoming common to scan your webserver for vulnerable web-applications (some blogging apps, CMSs, phpmyadmin, etc.). So make sure to keep those up-to-date and securely configured too!

share

edited May 22 '12 at 20:26 John Albietz 237

answered Mar 8 '11 at 11:35 Holger Just 3,0751921

21

Applications such as fail2ban can help a lot to 'temporarily' stop those bots from hitting your server at silly times in the morning :-) I have mine set up to ban 3 incorrect attempts for 24hours. – emtunc Mar 8 '11 at 13:06

46

And move ssh's port from 22 to 222. That works quite well. – Tom O'Connor Mar 8 '11 at 13:47

40

+1, public-key authentication only :) – 0xC0000022L Mar 8 '11 at 14:09

3

@STATUS_ACCESS_DENIED: the actions fail2ban takes are just lists of shell commands to run. So it's really flexible and easy to make work properly with any custom config. The best reference is to download it and look at action.d/iptables.conf. – mattdm Mar 8 '11 at 18:01

4

Blocking attackers like this is a waste of time. If you disable root login, there's a good chance that no one will ever even guess your correct login name, let alone password. SSH itself is already rate limiting password requests, so even if they know your user name (random bots won't), if you have a decent password, they'll never guess it. – Brendan Long Mar 9 '11 at 19:44