Security

In this logwatch log, am I seeing thousands of attempts to break into my system?

  • September 16, 2014

I am setting up my system to e-mail me reports. I am posting one of the log reports (see below). The log shows thousands of attempts to break in.

Questions:

  1. I have denyhosts and fail2ban installed. Why are they not blocking the IPs?
  2. Is there a way to ban/blacklist the IPs that show up in the log, such as the ones here?
  3. What can I do to deal with this kind of attack?
  4. Why does it say "ignoring max retries", and can I set it so that it does not ignore "max retries"?

Note: in the sshd section of the log, note the IP addresses with thousands of login attempts.

**Note:** my system is Fedora 20


Sample log

################### Logwatch 7.4.0 (03/01/11) ####################
       Processing Initiated: Tue Sep 16 03:35:07 2014
       Date Range Processed: yesterday
                             ( 2014-Sep-15 )
                             Period is day.
       Detail Level of Output: 0
       Type of Output/Format: mail / text
       Logfiles for Host: Hostname
##################################################################

--------------------- Kernel Begin ------------------------

WARNING:  Segmentation Faults in these executables
   polkitd :  2 Time(s)

WARNING:  General Protection Faults in these executables
   traps: polkitd :  6 Time(s)

WARNING:  Kernel Errors Present
   INFO: recovery required on readonly filesyste ...:  1 Time(s)
   ata2.00: failed to IDENTIFY (I/O error, err_mask=0x100) ...:  14 Time(s)
   ata2.00: failed to IDENTIFY (I/O error, err_mask=0x4) ...:  8 Time(s)
   ata2.00: irq_stat 0x08000000, interface fatal error ...:  10 Time(s)
   ata2: SError: { CommWake DevE ...:  52 Time(s)
   ata2: SError: { LinkSeq } ...:  8 Time(s)
   ata2: SError: { UnrecovData L ...:  2 Time(s)
   res 50/00:03:00:08:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error) ...:  5 Time(s)

---------------------- Kernel End -------------------------


--------------------- pam_unix Begin ------------------------

sshd:
   Authentication Failures:
      root (219.138.135.64): 3850 Time(s)
      root (122.225.103.125): 1016 Time(s)
      root (122.225.109.106): 256 Time(s)
      root (122.225.109.205): 194 Time(s)
      root (122.225.109.208): 183 Time(s)
      root (122.225.109.216): 178 Time(s)
      unknown (122.225.109.208): 63 Time(s)
      unknown (122.225.109.106): 57 Time(s)
      unknown (122.225.109.216): 54 Time(s)
      unknown (122.225.109.205): 22 Time(s)
      unknown (113.106.88.235): 14 Time(s)
      bin (113.106.88.235): 1 Time(s)
      nagios (113.106.88.235): 1 Time(s)
      tomcat (113.106.88.235): 1 Time(s)
   Invalid Users:
      Unknown Account: 210 Time(s)
   Unknown Entries:
      service(sshd) ignoring max retries; 6 > 3: 945 Time(s)
      service(sshd) ignoring max retries; 5 > 3: 29 Time(s)
      service(sshd) ignoring max retries; 4 > 3: 6 Time(s)

su:
   Authentication Failures:
      UserName(1000) -> root: 1 Time(s)
   Sessions Opened:
      UserName -> root: 6 Time(s)

systemd-user:
   Unknown Entries:
      session opened for user UserName by (uid=0): 1 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Connections (secure-log) Begin ------------------------


**Unmatched Entries**
   polkitd: <no filename>:0: uncaught exception: Terminating runaway script: 1 Time(s)
   polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 3 Time(s)
   polkitd: Error evaluating authorization rules: 1 Time(s)
   polkitd: Finished loading, compiling and executing 6 rules: 3 Time(s)
   polkitd: Loading rules from directory /etc/polkit-1/rules.d: 3 Time(s)
   polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 3 Time(s)
   polkitd: Operator of unix-session:1 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.problems.getall for system-bus-name::1.66 [/usr/bin/abrt-applet] (owned by unix-user:UserName): 2 Time(s)
   polkitd: Registered Authentication Agent for unix-session:1 (system bus name :1.70 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
   polkitd: Registered Authentication Agent for unix-session:13 (system bus name :1.92 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
   polkitd: Terminating runaway script: 1 Time(s)

---------------------- Connections (secure-log) End -------------------------


--------------------- SSHD Begin ------------------------


Disconnecting after too many authentication failures for user:
   admin : 30 Time(s)
   root : 937 Time(s)

Failed logins from:
   113.106.88.235: 2 times
   122.225.103.125: 1016 times
   122.225.109.106: 256 times
   122.225.109.205: 194 times
   122.225.109.208: 183 times
   122.225.109.216: 178 times
   219.138.135.64: 3850 times

Illegal users from:
   undef: 14 times
   113.106.88.235: 15 times
   122.225.109.106: 57 times
   122.225.109.205: 22 times
   122.225.109.208: 63 times
   122.225.109.216: 54 times

Login attempted when shell does not exist:
   tomcat : 1 Time(s)


Received disconnect:
   11: Bye Bye [preauth] : 16 Time(s)

**Unmatched Entries**
PAM service(sshd) ignoring max retries; 6 > 3 : 945 time(s)
ecryptfs: pam_sm_authenticate: pam_ecryptfs: Error getting passwd info for user; rc = [0] : 210 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 6 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "nagios" : 1 time(s)
PAM service(sshd) ignoring max retries; 5 > 3 : 29 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bin" : 1 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 5677 time(s)
fatal: Write failed: Connection reset by peer [preauth] : 17 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "tomcat" : 1 time(s)

---------------------- SSHD End -------------------------


--------------------- Sudo (secure-log) Begin ------------------------


UserName => root
----------------
/bin/yum                       -   2 Time(s).

---------------------- Sudo (secure-log) End -------------------------


--------------------- yum Begin ------------------------


Packages Installed:
   binutils-2.23.88.0.1-13.fc20.x86_64
   libgomp-4.8.3-1.fc20.x86_64
   perl-Sys-CPU-0.54-5.fc20.x86_64
   VirtualBox-4.3.16-1.fc20.x86_64
   1:make-3.82-19.fc20.x86_64
   glibc-devel-2.18-14.fc20.x86_64
   logwatch-7.4.0-33.20140704svn198.fc20.noarch
   kernel-headers-3.16.2-200.fc20.x86_64
   glibc-headers-2.18-14.fc20.x86_64
   epylog-1.0.7-6.fc20.noarch
   perl-Sys-MemInfo-0.91-8.fc20.x86_64
   akmod-VirtualBox-4.3.16-1.fc20.x86_64
   gcc-4.8.3-1.fc20.x86_64
   dkms-2.2.0.3-25.fc20.noarch
   libgomp-4.8.3-1.fc20.i686
   patch-2.7.1-7.fc20.x86_64

Packages Erased:
   kmod-VirtualBox-3.15.10-200.fc20.x86_64-4.3.14-1.fc20.6.x86_64
   kmod-VirtualBox-3.16.2-200.fc20.x86_64-4.3.16-1.fc20.x86_64
   kmod-VirtualBox-3.15.10-201.fc20.x86_64-4.3.14-1.fc20.7.x86_64

---------------------- yum End -------------------------


--------------------- Disk Space Begin ------------------------

Filesystem                                             Size  Used Avail Use% Mounted on
/dev/mapper/luks-                                      59G   55G  1.3G  98% /
devtmpfs                                               5.8G     0  5.8G   0% /dev
/dev/sda2                                              477M  131M  317M  30% /boot
/dev/sda1                                              200M  9.5M  191M   5% /boot/efi
/dev/mapper/fedora_Hostname-home                        395G  236G  156G  61% /home

/dev/mapper/luks- => 98% Used. Warning. Disk Filling up.

---------------------- Disk Space End -------------------------


--------------------- Fortune Begin ------------------------

One man's brain plus one other will produce one half as many ideas as one
man would have produced alone.  These two plus two more will produce half
again as many ideas.  These four plus four more begin to represent a
creative meeting, and the ratio changes to one quarter as many ...
               -- Anthony Chevins


---------------------- Fortune End -------------------------


--------------------- lm_sensors output Begin ------------------------

coretemp-isa-0000
Adapter: ISA adapter
Physical id 0:  +52.0 C  (high = +100.0 C, crit = +100.0 C)
Core 0:         +52.0 C  (high = +100.0 C, crit = +100.0 C)
Core 1:         +51.0 C  (high = +100.0 C, crit = +100.0 C)


---------------------- lm_sensors output End -------------------------


###################### Logwatch End #########################

Edit #1

Apparently fail2ban is not running; I thought it had been set up automatically at installation, the same as denyhosts.

Here is the output of fail2ban-client:

root ~ # fail2ban-client status
ERROR  Unable to contact server. Is it running?
root ~ # systemctl start fail2ban
root ~ # fail2ban-client status sshd
ERROR  NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
root ~ # fail2ban-client status
Status
|- Number of jail:      0
`- Jail list:

I will try to answer question 3 specifically here, since you seem to have already found the fail2ban configuration part that answers questions 1 and 2. If you want to harden SSH, I recommend the following.

  1. Make sure strict modes is set to true
  2. Disable root login
  3. Change your SSH port
  4. Disable password login
  5. Use port knocking

To answer your edit, you need to create an ssh config in /etc/fail2ban/filter.d/ssh.conf and paste the following…

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

If you have already changed the port as I suggested, you can set the port number here. Restart fail2ban and test.
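The jail above bans an address once it has accumulated `maxretry` failures inside fail2ban's time window (`findtime`, 600 seconds by default). The following added example is not from the original post or from fail2ban itself: it reimplements that rule in Python over constructed sshd lines in Fedora's /var/log/secure format, so you can see why a client hammering root gets banned while a slow, spaced-out guesser stays under the threshold. The IPs, hostnames and log lines are constructed; the per-IP totals mirror Logwatch's "Failed logins from:" section.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed /var/log/secure sshd lines (not from the original post): 203.0.113.10 hammers root
# 7 times in 12 s, 198.51.100.7 tries "admin" 3 times, 192.0.2.44 tries root 4 times 20 min apart.
SAMPLE_LOG = """\
Sep 15 03:10:01 host sshd[1001]: Failed password for root from 203.0.113.10 port 50001 ssh2
Sep 15 03:10:03 host sshd[1001]: Failed password for root from 203.0.113.10 port 50001 ssh2
Sep 15 03:10:05 host sshd[1001]: Failed password for root from 203.0.113.10 port 50001 ssh2
Sep 15 03:10:07 host sshd[1002]: Failed password for root from 203.0.113.10 port 50002 ssh2
Sep 15 03:10:09 host sshd[1002]: Failed password for root from 203.0.113.10 port 50002 ssh2
Sep 15 03:10:11 host sshd[1002]: Failed password for root from 203.0.113.10 port 50002 ssh2
Sep 15 03:10:13 host sshd[1003]: Failed password for root from 203.0.113.10 port 50003 ssh2
Sep 15 03:12:00 host sshd[1010]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Sep 15 03:12:05 host sshd[1010]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Sep 15 03:12:10 host sshd[1010]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Sep 15 04:00:00 host sshd[1020]: Failed password for root from 192.0.2.44 port 30000 ssh2
Sep 15 04:20:00 host sshd[1021]: Failed password for root from 192.0.2.44 port 30001 ssh2
Sep 15 04:40:00 host sshd[1022]: Failed password for root from 192.0.2.44 port 30002 ssh2
Sep 15 05:00:00 host sshd[1023]: Failed password for root from 192.0.2.44 port 30003 ssh2
"""
# Syslog timestamp and client IP of an sshd "Failed password" line (syslog format carries no year).
FAILED_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def parse_failures(text, year=2014):
    """Yield (timestamp, ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def failures_per_ip(text):
    """Per-IP totals, the view Logwatch prints under 'Failed logins from:'."""
    counts = defaultdict(int)
    for _, ip in parse_failures(text):
        counts[ip] += 1
    return dict(counts)

def decide_bans(text, maxretry=6, findtime=600):
    """fail2ban's rule: ban an IP once it has maxretry failures inside a findtime-second window."""
    recent, banned = defaultdict(list), {}
    for ts, ip in parse_failures(text):
        if ip in banned:
            continue  # already banned: fail2ban would be dropping this client's packets by now
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts  # timestamp of the failure that triggered the ban
    return banned
```

With the jail's `maxretry = 6` only the fast client is banned; lowering `maxretry` or widening `findtime` changes who crosses the line, which is the trade-off to tune against your own log volume.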

Source: https://unix.stackexchange.com/questions/155849