The original article comes from here.
My host has recently been under continuous attack from mainland China against Taiwanese networks, using the ssh service and targeting the various service accounts of RedHat-family systems. The attacking IPs I have collected so far are as follows:
220.194.0.0
211.34.0.0
63.170.0.0
67.18.0.0
221.253.0.0
...
(and many more, too numerous to list)
This kind of attack has several characteristics. 1. It works from an account list, trying a series of common English IDs (no kidding: almost every name you see in Western films is included, such as Abel, alin and so on).
2. It also tries the system's service-program accounts, as in this excerpt from my secure log:
Jul 29 15:18:39 alpha sshd[26431]: Failed password for bin from 220.194.55.126 port 59711 ssh2
Jul 29 15:18:43 alpha sshd[26433]: Failed password for daemon from 220.194.55.126 port 60574 ssh2
Jul 29 15:18:47 alpha sshd[26435]: Failed password for adm from 220.194.55.126 port 60979 ssh2
Jul 29 15:18:50 alpha sshd[26437]: Failed password for lp from 220.194.55.126 port 33309 ssh2
Jul 29 15:18:54 alpha sshd[26439]: Failed password for sync from 220.194.55.126 port 34090 ssh2
Jul 29 15:18:58 alpha sshd[26441]: Failed password for shutdown from 220.194.55.126 port 34899 ssh2
Jul 29 15:19:02 alpha sshd[26443]: Failed password for halt from 220.194.55.126 port 35290 ssh2
Jul 29 15:19:05 alpha sshd[26445]: Failed password for mail from 220.194.55.126 port 35795 ssh2
Jul 29 15:19:09 alpha sshd[26447]: Failed password for news from 220.194.55.126 port 36567 ssh2
Jul 29 15:19:13 alpha sshd[26449]: Failed password for uucp from 220.194.55.126 port 37375 ssh2
Jul 29 15:19:16 alpha sshd[26451]: Failed password for operator from 220.194.55.126 port 37462 ssh2
Jul 29 15:19:20 alpha sshd[26453]: Failed password for games from 220.194.55.126 port 38272 ssh2
Jul 29 15:19:24 alpha sshd[26455]: Failed password for gopher from 220.194.55.126 port 39041 ssh2
Jul 29 15:19:28 alpha sshd[26457]: Failed password for ftp from 220.194.55.126 port 39849 ssh2
Jul 29 15:19:32 alpha sshd[26459]: Failed password for nobody from 220.194.55.126 port 40237 ssh2
Jul 29 15:19:36 alpha sshd[26461]: Failed password for vcsa from 220.194.55.126 port 40747 ssh2
Jul 29 15:19:39 alpha sshd[26463]: Failed password for apache from 220.194.55.126 port 41525 ssh2
Jul 29 15:19:41 alpha sshd[26465]: Invalid user webadmin from 220.194.55.126
Jul 29 15:19:43 alpha sshd[26465]: Failed password for invalid user webadmin from 220.194.55.126 port 42377 ssh2
Jul 29 15:19:44 alpha sshd[26467]: Invalid user popa3d from 220.194.55.126
Jul 29 15:19:47 alpha sshd[26467]: Failed password for invalid user popa3d from 220.194.55.126 port 42780 ssh2
Jul 29 15:19:50 alpha sshd[26469]: Failed password for sshd from 220.194.55.126 port 43314 ssh2
Jul 29 15:19:54 alpha sshd[26471]: Failed password for mailnull from 220.194.55.126 port 44112 ssh2
Jul 29 15:19:58 alpha sshd[26473]: Failed password for smmsp from 220.194.55.126 port 44952 ssh2
Jul 29 15:20:01 alpha sshd[26475]: Failed password for named from 220.194.55.126 port 45045 ssh2
Jul 29 15:20:05 alpha sshd[26479]: Failed password for rpc from 220.194.55.126 port 45891 ssh2
Jul 29 15:20:09 alpha sshd[26481]: Failed password for rpm from 220.194.55.126 port 46692 ssh2
Jul 29 15:20:12 alpha sshd[26483]: Failed password for pcap from 220.194.55.126 port 47121 ssh2
Jul 29 15:20:16 alpha sshd[26485]: Failed password for mysql from 220.194.55.126 port 47648 ssh2
It is quite obvious that this is a system attack aimed at the vulnerability in the sshd version RedHat shipped around the end of last year.
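As an added example (not from the original post), here is a small Python script that applies the pattern just described to secure-log lines: it groups failed sshd password attempts by source IP, counts the distinct accounts tried, and flags sources that sweep through many accounts, which is what the service-account enumeration above looks like. The log sample is constructed from the excerpt above plus two invented lines for a benign client, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines modelled on the secure-log excerpt above, plus
# two invented lines from a benign client (192.0.2.77) for contrast.
SAMPLE_LOG = """\
Jul 29 15:18:39 alpha sshd[26431]: Failed password for bin from 220.194.55.126 port 59711 ssh2
Jul 29 15:18:43 alpha sshd[26433]: Failed password for daemon from 220.194.55.126 port 60574 ssh2
Jul 29 15:19:41 alpha sshd[26465]: Invalid user webadmin from 220.194.55.126
Jul 29 15:19:43 alpha sshd[26465]: Failed password for invalid user webadmin from 220.194.55.126 port 42377 ssh2
Jul 29 15:20:16 alpha sshd[26485]: Failed password for mysql from 220.194.55.126 port 47648 ssh2
Jul 29 16:02:10 alpha sshd[27001]: Failed password for alice from 192.0.2.77 port 50123 ssh2
Jul 29 16:05:00 alpha sshd[27010]: Accepted password for alice from 192.0.2.77 port 50130 ssh2
"""

# Matches both "Failed password for bin from ..." and
# "Failed password for invalid user webadmin from ..." (OpenSSH wording).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Per source IP: failed attempts, distinct user names tried, 'invalid user' count."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # "Invalid user ..." and "Accepted ..." lines are not failures
        s = stats[m.group("ip")]
        s["failures"] += 1
        s["users"].add(m.group("user"))
        if m.group("invalid"):
            s["invalid"] += 1
    return stats

def enumeration_sources(stats, min_failures=3, min_users=3):
    """IPs whose failures spread over many accounts: an account sweep, not one user's typo.
    The thresholds are assumed values; tune them to your own log volume."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures and len(s["users"]) >= min_users)

def hosts_deny_lines(ips):
    """Render flagged IPs in the /etc/hosts.deny syntax used later in this post."""
    return [f"sshd:{ip}" for ip in ips]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, s["failures"], "failures,", len(s["users"]), "users,", s["invalid"], "invalid")
    print("\n".join(hosts_deny_lines(enumeration_sources(stats))))
```

Run it against your real /var/log/secure (read the file into `summarize`) and review the flagged list before copying anything into hosts.deny.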
To tighten control, apart from the indispensable step of restricting root logins, I followed what the seniors did and approached it from three parts:
1. sshd_config: This is a very simple configuration measure; besides restricting root, it also limits the number of login attempts (MaxAuthTries), as follows:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 2
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
The English used in these settings is simple enough, so I will not go into it further.
2. Use hosts.deny and hosts.allow to set which IPs may connect: first, in /etc/hosts.allow, set which IPs are allowed to connect, for example as the seniors showed:
sshd:140.128.1.123
Then, in /etc/hosts.deny, refuse connections from all IPs:
sshd:all
As a result, only IPs in the /etc/hosts.allow list can connect to the host via ssh; everything else is rejected.
3. Use the PAM mechanism: the article linked at the top mentions using PAM so that when sshd receives a connection it first checks whether the user is on a blacklist. The method is simple: add the following settings to /etc/pam.d/ssh:
auth required pam_stack.so service=system-auth
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshd_user_deny_list onerr=succeed
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
(Note: the pam_listfile line above is written on a single line, with no line break in it.)
The newly added line is the pam_listfile one. When your user name appears in that file (/etc/sshd_user_deny_list), you can no longer log in to the system via ssh.
With these three methods, your host will be considerably safer when it offers sshd connections. But remember: regular checking and updating, reducing unnecessary services, and adding plenty of security restrictions are the best strategy for host administration! :wink: