Looking at the auth.log, I nearly jumped out of my skin: so many attack records.

vim /var/log/auth.log

Only two days' worth, and more than 9 million records.

Some ways to deal with it:


It is very common. Many botnets try to spread that way, so this is a wide scale mindless attack. Mitigation measures include:

  • Use passwords with high entropy which are very unlikely to be brute-forced.
  • Disable SSH login for root.
  • Use an "unlikely" user name, which botnets will not use.
  • Disable password-based authentication altogether.
  • Run the SSH server on another port than 22.
  • Use fail2ban to reject attackers' IP automatically or slow them down.
  • Allow SSH connections only from a whitelist of IPs (beware not to lock yourself out if your home IP is nominally dynamic!).

The items highlighted with a yellow background are the fixes!
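The list above expressed as sshd_config, as an added example that is not part of the original post or the answer: a constructed weak config next to a hardened one, and a small auditor that parses them the way sshd does (first value of a keyword wins, Match blocks are conditional). The port, user name, address range and the DEFAULTS table are assumptions.

```python
import re
from typing import Dict, List
# Constructed weak sshd_config, the setup the botnets in the thread count on. The
# second PermitRootLogin is deliberate: sshd keeps the FIRST value of a keyword
# (sshd_config(5)), so the trailing "no" changes nothing.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""
# Constructed hardened counterpart applying the list above; the Match block
# re-enables passwords only for one trusted range and must not leak into globals.
HARDENED_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy_7k2
Match Address 203.0.113.0/24
    PasswordAuthentication yes
"""
# What sshd assumes when a keyword is absent (assumed current OpenSSH defaults).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "allowusers": ""}
CHECKS = [  # (keyword, is_weak, finding), one per mitigation in the list above
    ("permitrootlogin", lambda v: v == "yes", "PermitRootLogin yes: root is the bots' first guess"),
    ("passwordauthentication", lambda v: v != "no", "password auth still on; use keys only"),
    ("port", lambda v: v == "22", "default port 22, the one the botnets scan"),
    ("allowusers", lambda v: not v, "no AllowUsers whitelist of unlikely user names"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global keyword -> value: first occurrence wins, Match blocks are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":   # everything after a Match line is conditional
            break
        conf.setdefault(key, value)  # first value wins, exactly like sshd
    return conf

def audit(text: str) -> List[str]:
    """Findings for the config text; an empty list means every mitigation is in place."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    return [msg for key, is_weak, msg in CHECKS if is_weak(conf[key])]
```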

I searched Stack Overflow for this kind of attack and found a question similar to my situation:

Is it normal to get hundreds of break-in attempts per day?

I just checked my server's /var/log/auth.log and found that I'm getting over 500 failed password/break-in attempt notifications per day! My site is small, and its URL is obscure. Is this normal? Should I be taking any measures?

Below are the answers:

Until we locked down all unnecessary external ports, I remember not only did we get lots of hack attempts, but one day it was so bad that we were being hacked from two different countries -- at the same time! So yes, 100s of break-in attempts is perfectly normal. – Django Reinhardt Mar 8 '11 at 14:53

We have servers that experience a new attack "sequence" once every 16 seconds. A single sequence is usually a batch of around 100 attempts across various ports. Just for kicks one day I turned on an unpatched server outside our firewall; it took less than 10 minutes from the time it was powered on for it to get pwnd. Point is the internet truly is a jungle; try not to get eaten. – NotMe Mar 8 '11 at 18:55

I can see I posted my question to the wrong site: superuser.com/questions/200896/… – Justin C Mar 9 '11 at 22:01

While I agree with others this is normal on common ports required (80, 443), I practically eliminated these attempts against my SSH port by simply changing the default port from 22 to something obscure like 6022 for example. Just doing that, alone, nearly eliminated 99% of that type of attack. – Kilo Mar 11 '11 at 20:32

If you're going to change your SSH port, there are security reasons to keep it below port 1024 (only root can open ports < 1024, so it protects you from other users hijacking SSH). –

In today's internet this is quite normal sadly. There are hordes of botnets trying to login to each server they find in whole IP networks. Typically, they use simple dictionary attacks on well-known accounts (like root or certain applications accounts).

The attack targets are not found via Google or DNS entries, but the attackers just try every IP address in a certain subnet (e.g. of known root-server hosting companies). So it doesn't matter that your URL (hence the DNS entry) is rather obscure.

That's why it is so important to:

  • disallow root-login in SSH (howto)
  • use strong passwords everywhere (also in your web applications)
  • for SSH, use public-key authentication if possible and disable password-auth completely (howto)

Additionally, you can install fail2ban which will scan the authlog and if it finds a certain amount of failed login attempts from an IP, it will proceed to add that IP to /etc/hosts.deny or iptables/netfilter in order to lock out the attacker for a few minutes.

In addition to the SSH attacks, it is also becoming common to scan your webserver for vulnerable web-applications (some blogging apps, CMSs, phpmyadmin, etc.). So make sure to keep those up-to-date and securely configured too!

answered Mar 8 '11 at 11:35
Holger Just

Applications such as fail2ban can help a lot to 'temporarily' stop those bots from hitting your server at silly times in the morning :-) I have mine set up to ban 3 incorrect attempts for 24hours. – emtunc Mar 8 '11 at 13:06

And move ssh's port from 22 to 222. That works quite well. – Tom O'Connor Mar 8 '11 at 13:47

+1, public-key authentication only :) – 0xC0000022L Mar 8 '11 at 14:09

@STATUS_ACCESS_DENIED: the actions fail2ban takes are just lists of shell commands to run. So it's really flexible and easy to make work properly with any custom config. The best reference is to download it and look at action.d/iptables.conf. – mattdm Mar 8 '11 at 18:01

Blocking attackers like this is a waste of time. If you disable root login, there's a good chance that no one will ever even guess your correct login name, let alone password. SSH itself is already rate limiting password requests, so even if they know your user name (random bots won't), if you have a decent password, they'll never guess it. – Brendan Long Mar 9 '11 at 19:44
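As an added example that is not part of the thread, this Python script does over a constructed auth.log excerpt what the answer says fail2ban does: it parses the "Failed password" lines, applies the maxretry-within-findtime rule (3 attempts as in emtunc's setup, a 10-minute window assumed) to decide which source IP would be banned and when, and lists which account names the bots tried. The host name, IPs, PIDs and year are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List
# Constructed auth.log excerpt in the syslog format the post looked at:
# 198.51.100.7 runs a dictionary attack on root, 203.0.113.5 is one typo by a real user.
SAMPLE_LOG = """\
Mar  8 11:35:01 web1 sshd[4211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Mar  8 11:35:03 web1 sshd[4213]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  8 11:35:04 web1 sshd[4215]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  8 11:35:06 web1 sshd[4217]: Failed password for root from 198.51.100.7 port 51055 ssh2
Mar  8 11:40:10 web1 sshd[4300]: Failed password for alice from 203.0.113.5 port 60001 ssh2
Mar  8 11:40:20 web1 sshd[4300]: Accepted publickey for alice from 203.0.113.5 port 60001 ssh2
Mar  8 12:15:00 web1 sshd[4402]: Failed password for root from 198.51.100.7 port 51077 ssh2
"""
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(log: str, year: int = 2011) -> List[tuple]:
    """(timestamp, user, source ip) per failed-password line; syslog omits the year, so pass it."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def bans(failures, maxretry: int = 3, findtime=timedelta(minutes=10)) -> Dict[str, datetime]:
    """fail2ban's rule: ban an IP when its maxretry-th failure falls within findtime.
    Returns ip -> time the ban would start."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    banned: Dict[str, datetime] = {}
    for ts, _user, ip in sorted(failures):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def targeted_users(failures) -> Dict[str, int]:
    """Account names tried, most hit first; root on top is the dictionary attack described above."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, user, _ip in failures:
        counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))
```

Real auth.log lines that pass through the failed-login regex also include the "invalid user" form, which is why the pattern makes that prefix optional.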
