I. Protecting the sshd service against brute-force attacks
1) Use strong passwords
At least 8 characters, mixing upper and lower case letters and special symbols. (Where possible, go one step further and use public-key authentication with PasswordAuthentication no, which takes the password out of the picture entirely.)
2) Change the default port (22)
[root@lszlab01 ~]# vi /etc/ssh/sshd_config
#Port 22
Port 801
The default is 22. Put any note on its own comment line rather than after the value: older sshd versions reject a trailing comment as "garbage at end of line" and refuse to start. Restart sshd afterwards (service sshd restart) and keep the current session open until a new connection on port 801 succeeds. On a host with SELinux enforcing, sshd may only bind to port 22 until the new port is added with semanage port -a -t ssh_port_t -p tcp 801, and the host firewall must allow the new port too.
3) Do not log in as root
There are two ways to do this.
a) Edit /etc/passwd
[root@lszlab01 ~]# vi /etc/passwd
root:x:0:0:root:/root:/bin/bash
change to:
root:x:0:0:root:/root:/sbin/nologin
Note that this blocks every interactive login as root, including su and the local console, not just ssh: the restriction lives in the account's shell, not in sshd.
b) Edit /etc/ssh/sshd_config
[root@lszlab01 ~]# vi /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin no
Restart sshd for the change to take effect.
Then turn an ordinary user into a system administrator, because some programs need root privileges:
[root@lszlab01 ~]# vi /etc/passwd
gzns:x:500:500::/home/gzns:/bin/bash
change to:
gzns:x:0:0::/home/gzns:/bin/bash
Whether a user is a superuser is decided by its UID: UID 0 means superuser. Keep in mind that a UID-0 account is root in everything but name, so its password becomes the target of the same brute-force attempts; giving a normal user (UID 500) sudo rights is the safer way to hand out administrative access.
Test it by logging in as root. The message below comes from /sbin/nologin, i.e. method a): the password is accepted and the shell then refuses to run. With method b) (PermitRootLogin no) the server would instead keep answering "Permission denied".
[root@lszlab01 ~]# ssh 192.168.198.137
root@192.168.198.137's password:
Last login: Thu May 25 23:38:18 2017 from 192.168.198.137
This account is currently not available.
Connection to 192.168.198.137 closed.
Log in as gzns. The prompt shows root@lszlab01 because bash resolves UID 0 back to the first matching name in /etc/passwd, which is root, but the home directory is gzns's:
[root@lszlab01 ~]# ssh gzns@192.168.198.137
gzns@192.168.198.137's password:
Last login: Thu May 25 23:54:27 2017 from 192.168.198.137
[root@lszlab01 ~]# pwd
/home/gzns
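As an added example (not code from the original page), the following bash script audits the two things this section changes: it lists every UID-0 account in a passwd file and reads the effective Port and PermitRootLogin values from an sshd_config, the way sshd reads them (first occurrence wins, keywords are case-insensitive, lines starting with # are comments). The sample files it builds are constructed to mirror the edits above (gzns given UID 0, Port 801, PermitRootLogin no); the file paths, function names and the ok/warn verdict are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the settings this
# section changes. File paths are parameters so it can be run against
# copies; on a real host use /etc/passwd and /etc/ssh/sshd_config.

# Every login name whose UID (third field) is 0. After the change above
# gzns is listed next to root: both are full superusers.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# UID-0 accounts that still have an interactive shell. root with
# /sbin/nologin no longer counts; a second UID-0 account with /bin/bash does.
interactive_uid0_count() {
    awk -F: '$3 == 0 && $7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' "$1"
}

# Effective value of one sshd_config keyword. sshd uses the first
# occurrence, keywords are case-insensitive, and "#PermitRootLogin yes"
# is a comment. Match blocks are not handled (assumption: none in use).
sshd_option() {
    local cfg="$1" key="$2" default="$3" val
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$cfg")
    echo "${val:-$default}"
}

# Verdict (this example's own rule): "ok" when root cannot log in over ssh
# and at most one UID-0 account has a login shell, otherwise "warn".
audit_verdict() {
    local passwd="$1" cfg="$2" prl
    prl=$(sshd_option "$cfg" PermitRootLogin yes)
    if [ "$prl" = "no" ] && [ "$(interactive_uid0_count "$passwd")" -le 1 ]; then
        echo ok
    else
        echo warn
    fi
}

# Constructed sample files mirroring the page's edits (gzns given UID 0,
# root kept with /bin/bash, Port 801, PermitRootLogin no). Prints the dir.
make_sample_files() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
gzns:x:0:0::/home/gzns:/bin/bash
EOF
    cat > "$d/sshd_config" <<'EOF'
#Port 22
Port 801
#PermitRootLogin yes
PermitRootLogin no
EOF
    echo "$d"
}

# Stand-alone run: report on the sample files.
d=$(make_sample_files)
echo "UID-0 accounts:  $(uid0_accounts "$d/passwd" | tr '\n' ' ')"
echo "Port:            $(sshd_option "$d/sshd_config" Port 22)"
echo "PermitRootLogin: $(sshd_option "$d/sshd_config" PermitRootLogin yes)"
echo "Verdict:         $(audit_verdict "$d/passwd" "$d/sshd_config")"
rm -rf "$d"
```

On the sample files the verdict is "warn": PermitRootLogin is off, but there are now two UID-0 accounts with a login shell (root and gzns). Changing root's shell to /sbin/nologin as in method a) brings it down to one and the verdict to "ok".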
4) When brute-force attempts become a real problem, use fail2ban to ban the attacking IP addresses outright.
When an Internet-facing host is being brute-forced, the attempts drive the load up even though they fail: every attempt makes the system do authentication work, so the overhead grows and the site slows down.
a) Download the fail2ban source package from www.fail2ban.org and upload it to the server. (Heed the README's first note below: on CentOS a packaged fail2ban is available from EPEL and a packaged build receives updates; the source install that follows is what this walkthrough used.)
Unpack the archive:
[root@lszlab01 ~]# tar -zxvf fail2ban-0.8.14.tar.gz
cd into the fail2ban-0.8.14 directory:
[root@lszlab01 ~]# cd fail2ban-0.8.14
The README.md in fail2ban-0.8.14 contains the installation instructions:
[root@lszlab01 fail2ban-0.8.14]# cat README.md
Installation:
-------------
**It is possible that Fail2ban is already packaged for your distribution. In
this case, you should use it instead.**
Required:
- [Python2 >= 2.6 or Python >= 3.2](http://www.python.org) or [PyPy](http://pypy.org)
Optional:
- [pyinotify >= 0.8.3](https://github.com/seb-m/pyinotify)
- Linux >= 2.6.13
- [gamin >= 0.0.21](http://www.gnome.org/~veillard/gamin)
- [systemd >= 204](http://www.freedesktop.org/wiki/Software/systemd)
- [dnspython](http://www.dnspython.org/)
To install, just do:
tar xvfj fail2ban-0.8.14.tar.bz2
cd fail2ban-0.8.14
python setup.py install
Check the Python version (fail2ban 0.8.14 needs Python 2.6 or later, as the README says):
[root@lszlab01 fail2ban-0.8.14]# python -V
Python 2.6.6
Install:
[root@lszlab01 fail2ban-0.8.14]# python setup.py install
Set up the service start script. The source tree ships a Red Hat init script; grep for the chkconfig header to find it, copy it to /etc/init.d and register it:
[root@lszlab01 fail2ban-0.8.14]# grep chkconfig ./* -R --color
./files/redhat-initd:# chkconfig: - 92 08
[root@lszlab01 fail2ban-0.8.14]# cp files/redhat-initd /etc/init.d/fail2ban
[root@lszlab01 fail2ban-0.8.14]# chkconfig --add fail2ban
[root@lszlab01 fail2ban-0.8.14]# chkconfig --list fail2ban
fail2ban 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Configuration files:
/etc/fail2ban/fail2ban.conf  # fail2ban's own log level, log file location and socket file location
/etc/fail2ban/jail.conf      # main configuration: the jails
/etc/fail2ban/action.d       # action definitions, including the default iptables and mail actions
/etc/fail2ban/filter.d       # filter definitions: the patterns that pick failures out of the log files
Example: 3 failed ssh password attempts within the findtime window (500 seconds here, a little over 8 minutes; use 300 for exactly 5 minutes) get the client IP banned for 5 hours (bantime 18000 seconds); the ban lifts automatically after that and the user can log in again.
Edit the main configuration file (in production put overrides in /etc/fail2ban/jail.local instead, which takes precedence and survives upgrades; jail.conf is overwritten when fail2ban is updated):
[root@lszlab01 fail2ban-0.8.14]# vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 3
findtime = 500
bantime  = 18000
The sendmail-whois line must be indented: it is a continuation of action. port=ssh is looked up in /etc/services and means 22, so if sshd was moved to 801 in step 2 this must read port=801, otherwise the ban rule never matches the port sshd actually listens on. findtime and bantime are in seconds.
Save, exit and start the service:
[root@lszlab01 fail2ban-0.8.14]# service fail2ban start
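The same jail written as /etc/fail2ban/jail.local, as an added example (not from the original page): it overrides the stock jail.conf and survives upgrades, and it corrects the two details noted above, findtime 300 for a true five-minute window and the banned port given as 801 on the assumption that sshd was moved there in step 2 (keep port=ssh if it still listens on 22). The mail addresses are placeholders. Comments are kept on their own lines because fail2ban's config parser does not strip a trailing # comment from a value.

```ini
# /etc/fail2ban/jail.local  (added example): overrides for jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
# Ban the port sshd really listens on. "ssh" resolves via /etc/services
# to 22, so after moving sshd to 801 the rule must name 801 explicitly.
action   = iptables[name=SSH, port=801, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
# Three failures within 5 minutes (300 s) ...
maxretry = 3
findtime = 300
# ... ban the client for 5 hours (18000 s)
bantime  = 18000
```

After writing the file, service fail2ban restart (or fail2ban-client reload) picks it up; fail2ban-client status ssh-iptables confirms the jail is active.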
Test:
First look at the firewall rules:
[root@lszlab01 fail2ban-0.8.14]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
A fail2ban chain has been added: INPUT now jumps to fail2ban-SSH for tcp dpt:ssh.
Clear the login log first (lab only: /var/log/secure is audit evidence on a real host, and truncating it is not needed for the test):
[root@lszlab01 fail2ban-0.8.14]# > /var/log/secure
Then log in and enter a wrong password three times in a row:
[root@lszlab02 ~]# ssh 192.168.198.140
root@192.168.198.140's password:
Permission denied, please try again.
root@192.168.198.140's password:
Permission denied, please try again.
root@192.168.198.140's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@lszlab01 ~]# ssh 192.168.198.140
ssh: connect to host 192.168.198.140 port 22: Connection refused
After the third wrong password the IP is banned outright. The next connection is refused rather than hanging, because fail2ban's rule is REJECT with icmp-port-unreachable, not DROP.
Now look at the log again:
[root@lszlab01 fail2ban-0.8.14]# cat /var/log/secure
Jul 29 14:31:33 slave_mysql sshd[3813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.198.102 user=root
Jul 29 14:31:36 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:41 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:45 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:45 slave_mysql sshd[3814]: Connection closed by 192.168.198.102
Jul 29 14:31:45 slave_mysql sshd[3813]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.198.102 user=root
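To make maxretry and findtime concrete, here is an added example (not fail2ban's own code) that applies the same decision rule to log lines in the format shown above: an address is banned the moment it has maxretry "Failed password" lines within findtime seconds, and earlier failures that have aged out of the window are forgotten. The sample log is constructed from the page's lines plus three slow attempts from a made-up address 10.0.0.5; the month/day arithmetic assumes all lines fall in the same year, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not fail2ban's code: a minimal re-implementation of the
# sshd-jail decision over /var/log/secure lines. Prints "BAN <ip> <time>"
# when an IP reaches maxretry "Failed password" lines within findtime
# seconds. Assumption: syslog timestamps without a year, all in one year.

# detect_bruteforce MAXRETRY FINDTIME < logfile
detect_bruteforce() {
    awk -v maxretry="$1" -v findtime="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # Seconds since the start of the (unknown) year, monotonic within it:
    # enough to compare timestamps against the findtime window.
    function ts(month, day, hms,    t) {
        split(hms, t, ":")
        return ((mon[month] * 31 + day) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    # Only the lines the sshd filter counts as failures: "Failed password
    # for <user> from <ip> port". pam_unix and "Connection closed" are not.
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || banned[ip]) next
        now = ts($1, $2, $3)
        # Drop this IP failures older than findtime, then add the new one.
        k = 0
        for (j = 1; j <= n[ip]; j++)
            if (now - fail[ip, j] <= findtime) fail[ip, ++k] = fail[ip, j]
        n[ip] = k
        fail[ip, ++n[ip]] = now
        if (n[ip] >= maxretry) {
            banned[ip] = 1
            print "BAN " ip " " $1 " " $2 " " $3
        }
    }'
}

# Constructed sample: the page's four lines for 192.168.198.102, plus a
# slow guesser (10.0.0.5) that fails once every ten minutes.
sample_log() {
    cat <<'EOF'
Jul 29 14:31:33 slave_mysql sshd[3813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.198.102 user=root
Jul 29 14:31:36 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:41 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:45 slave_mysql sshd[3813]: Failed password for root from 192.168.198.102 port 48165 ssh2
Jul 29 14:31:45 slave_mysql sshd[3814]: Connection closed by 192.168.198.102
Jul 29 14:40:00 slave_mysql sshd[3901]: Failed password for invalid user admin from 10.0.0.5 port 50001 ssh2
Jul 29 14:50:00 slave_mysql sshd[3902]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2
Jul 29 15:00:00 slave_mysql sshd[3903]: Failed password for invalid user admin from 10.0.0.5 port 50003 ssh2
EOF
}

# Stand-alone run with the jail's values: maxretry 3, findtime 300.
sample_log | detect_bruteforce 3 300
```

With findtime 300 only 192.168.198.102 is banned, at the third failure (14:31:45); 10.0.0.5's attempts ten minutes apart never have three inside one window. Running detect_bruteforce 3 1800 catches it as well. That is the trade-off a slow brute force exploits, and the reason findtime should be sized to the rate you actually see in /var/log/secure rather than left at a small value.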
Check the firewall again:
[root@lszlab01 fail2ban-0.8.14]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-SSH (1 references)
target prot opt source destination
REJECT all -- 192.168.198.102 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
Check fail2ban's status:
[root@lszlab01 fail2ban-0.8.14]# fail2ban-client status
Status
|- Number of jail: 1
`- Jail list: ssh-iptables
Show the ssh-iptables jail in detail:
[root@lszlab01 fail2ban-0.8.14]# fail2ban-client status ssh-iptables
Status for the jail: ssh-iptables
|- filter
| |- File list: /var/log/secure
| |- Currently failed: 0
| `- Total failed: 6
`- action
|- Currently banned: 2
| `- IP list: 192.168.198.137 192.168.198.102
`- Total banned: 2
To let a banned IP connect again, the right tool is fail2ban-client, which removes just that address's rule: fail2ban-client set ssh-iptables unbanip 192.168.198.102. What this walkthrough did instead was truncate fail2ban's log and restart the service. It is the restart that clears the bans: fail2ban 0.8 keeps no persistent ban database and removes its iptables chain on stop, so truncating the log is not required. First the log (note the "Set banTime = 3600" line: this run still had the earlier bantime value, not the 18000 configured above):
[root@lszlab01 fail2ban-0.8.14]# cat /var/log/fail2ban.log
2017-07-29 14:13:50,260 fail2ban.server [2035]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2017-07-29 14:13:50,262 fail2ban.jail [2035]: INFO Creating new jail 'ssh-iptables'
2017-07-29 14:13:50,264 fail2ban.jail [2035]: INFO Jail 'ssh-iptables' uses poller
2017-07-29 14:13:50,342 fail2ban.jail [2035]: INFO Initiated 'polling' backend
2017-07-29 14:13:50,346 fail2ban.filter [2035]: INFO Added logfile = /var/log/secure
2017-07-29 14:13:50,349 fail2ban.filter [2035]: INFO Set maxRetry = 3
2017-07-29 14:13:50,353 fail2ban.filter [2035]: INFO Set findtime = 500
2017-07-29 14:13:50,355 fail2ban.actions[2035]: INFO Set banTime = 3600
2017-07-29 14:13:50,857 fail2ban.jail [2035]: INFO Jail 'ssh-iptables' started
2017-07-29 14:14:27,181 fail2ban.actions[2035]: WARNING [ssh-iptables] Ban 192.168.198.137
2017-07-29 14:31:46,515 fail2ban.actions[2035]: WARNING [ssh-iptables] Ban 192.168.198.102
[root@lszlab01 fail2ban-0.8.14]# > /var/log/fail2ban.log
[root@lszlab01 fail2ban-0.8.14]# service fail2ban restart
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
Connect again:
[root@lszlab02 ~]# ssh 192.168.198.140
ssh: connect to host 192.168.198.140 port 22: Connection refused
[root@lszlab02 ~]# ssh 192.168.198.140
root@192.168.198.140's password:
Last login: Sat Jul 29 14:07:50 2017 from 192.168.198.1
[root@lszlab01 ~]#
Or flush the firewall rules directly:
[root@lszlab01 ~]# iptables -F
This removes every rule in every chain, not only fail2ban's, including the jump from INPUT into fail2ban-SSH; fail2ban keeps adding bans to its own chain, but nothing reaches that chain any more until fail2ban is restarted. Prefer unbanip, or a restart of fail2ban, over flushing the firewall.