查看auth.log日志,差点吓一跳,好多攻击记录。

vim  /var/log/auth.log

才两天的功夫,900多万条记录,

一些解决应对的办法:

43down voteaccepted

It is very common. Many botnets try to spread that way, so this is a wide scale mindless attack. Mitigation measures include:

  • Use passwords with high entropy which are very unlikely to be brute-forced.
  • Disable SSH login for root.
  • Use an "unlikely" user name, which botnets will not use.
  • Disable password-based authentication altogether.
  • Run the SSH server on another port than 22.
  • Use fail2ban to reject attackers' IP automatically or slow them down.
  • Allow SSH connections only from a whitelist of IP (beware not to lock yourself out if your home IP is nominally dynamic !).

标注黄色背景的是解决的办法!

stack-overflow上面,搜索了一下这方面的攻击,看到一个提问和我遇到的情况类似:

Is it normal to get hundreds of break-in attempts per day?

I just checked my server's /var/log/auth.log and found that I'm getting over 500 failed password/break-in attempt notifications per day! My site is small, and its URL is obscure. Is this normal? Should I be taking any measures?

下面是回答:

2  
Until we locked down all unnecessary external ports, I remember not only did we get lots of hack attempts, but one day it was so bad that we were being hacked from two different countries -- at the same time! So yes, 100s of break-in attempts is perfectly normal. – Django Reinhardt Mar 8 '11 at 14:53
91  
We have servers that experience a new attack "sequence" once every 16 seconds. A single sequence is usually a batch of around 100 attempts across various ports. Just for kicks one day I turned on an unpatched server outside our firewall; it tooks less than 10 minutes from the time it was powered on for it to get pwnd. Point is the internet truly is a jungle; try not to get eaten. – NotMe Mar 8 '11 at 18:55
2  
I can see I posted my question to the wrong site: superuser.com/questions/200896/… – Justin C Mar 9 '11 at 22:01
6  
while I agree with others this is normal on common ports required (80, 443) I practically eliminated these attempts against my SSH port by simply changing the default port from 22 to something obscure like 6022 for example. Just doing that, alone, nearly eliminated 99% of that type of attack. – Kilo Mar 11 '11 at 20:32
2  
If you're going to change your SSH port, there are security reasons to keep it below port 1024 (only root can open ports < 1024, so it protects you from other users hijacking SSH). –
accepted

In today's internet this is quite normal sadly. There are hordes of botnets trying to login to each server they find in whole IP networks. Typically, they use simple dictionary attacks on well-known accounts (like root or certain applications accounts).

The attack targets are not found via Google or DNS entries, but the attackers just try every IP address in a certain subnet (e.g. of known root-server hosting companies). So it doesn't matter that your URL (hence the DNS entry) is rather obscure.

That's why it is so important to:

  • disallow root-login in SSH (howto)
  • use strong passwords everywhere (also in your web applications)
  • for SSH, use public-key authentication if possible and disable password-auth completely (howto)

Additionally, you can install fail2ban which will scan the authlog and if it finds a certain amount of failed login attempts from an IP, it will proceed to add that IP to /etc/hosts.deny or iptables/netfilter in order to lock out the attacker for a few minutes.

In addition to the SSH attacks, it is also becoming common to scan your webserver for vulnerable web-applications (some blogging apps, CMSs, phpmyadmin, etc.). So make sure to keep those up-to-date and securely configured too!

answered Mar 8 '11 at 11:35
Holger Just

3,0751921
 
21  
Applications such as fail2ban can help a lot to 'temporarily' stop those bots from hitting your server at silly times in the morning :-) I have mine set up to ban 3 incorrect attempts for 24hours. – emtunc Mar 8 '11 at 13:06
46  
And move ssh's port from 22 to 222. That works quite well. – Tom O'Connor Mar 8 '11 at 13:47
40  
+1, public-key authentication only :) – 0xC0000022L Mar 8 '11 at 14:09
3  
@STATUS_ACCESS_DENIED: the actions fail2ban takes are just lists of shell commands to run. So it's really flexible and easy to make work properly with any custom config. The best reference is to download it and look at action.d/iptables.conf. – mattdm Mar 8 '11 at 18:01
4  
Blocking attackers like this is a waste of time. If you disable root login, there's a good chance that no one will ever even guess your correct login name, let alone password. SSH itself is already rate limiting password requests, so even if they know your user name (random bots won't), if you have a decent password, they'll never guess it. – Brendan Long Mar 9 '11 at 19:44

服务器遭受 ssh 攻击的更多相关文章

  1. 服务器被ddos攻击?分析如何防止DDOS攻击?

    上周知名博主阮一峰的博客被DDOS攻击,导致网站无法访问而被迫迁移服务器的事情,引起了广大网友的关注及愤慨,包括小编的个人博客也曾接受过DDOS的“洗礼”,对此感同身受.所以,本文我们一起来了解下DD ...

  2. 向 Git 服务器添加 SSH 公钥

    . . . . . 在网上很少找到文章有提到如何将自己的 Git 远程仓库配置成可以通过 SSH 公钥方式认证的,而几乎清一色都是告诉你怎么通过 web 界面向 GitHub 添加 SSH 公钥.LZ ...

  3. 发起SSH攻击主机IP地址列表

    发起SSH攻击主机IP地址列表 东北大学 http://antivirus.neu.edu.cn/scan/ssh.php 以下IP地址对SSH服务进行攻击,严重增加主机成为肉鸡的可能性.强烈建议网管 ...

  4. Linux服务器使用SSH的命令(有详细的参数解释)

    前一阵远程维护Linux服务器,使用的是SSH,传说中的secure shell. 登陆:ssh [hostname] -u user 输入密码:***** 登陆以后就可以像控制自己的机器一样控制它了 ...

  5. 批量实现多台服务器之间ssh无密码登录的相互信任关系

    最近IDC上架了一批hadoop大数据业务服务器,由于集群环境需要在这些服务器之间实现ssh无密码登录的相互信任关系.具体的实现思路:在其中的任一台服务器上通过"ssh-keygen -t ...

  6. linux服务器的SSH 配置

    远程连接服务器: 就是通过文字或图形接口的方式来远程登陆另外一台服务器系统,让你在远程的终端前面登陆linux 主机以取得可操作主机的接口 主要的远程连接服务器的主要类型: 1)文字接口明文传输 : ...

  7. Mac下如何连接linux服务器(SSH)-比较好用的SSH工具推荐

    Mac下如何连接linux服务器(SSH) 1.用mac自带终端连接 步骤如下: 打开终端,在顶部shell菜单中选择新建远程连接 在右侧服务器窗口点击+号,添加服务器,输入IP等信息 输入用户名,点 ...

  8. Fail2ban 防止暴力破解centos服务器的SSH或者FTP账户

    次尝试登陆root账户失败的情况.[说明服务器被攻击了]   logtarget = SYSLOG  #我们需要做的就是把这行改成/var/log/fail2ban.log,方便用来记录日志信息 so ...

  9. Linux服务器限制ssh登录,查看登录日志

    网络上的服务器很容易受到攻击,最惨的就是被人登录并拿到root权限.有几个简单的防御措施: 1. 修改ssh服务的默认端口 ssh服务的默认端口是22,一般的恶意用户也往往扫描或尝试连接22端口.所以 ...

随机推荐

  1. sql 查询一段时间内某个时间点数据

     SELECT  CONVERT(VARCHAR(10), dtCreateTime, 120) AS dtStatisticsCreateDate, COUNT(1) AS nStatisticsC ...

  2. HTTP 返回状态值详解

    当用户点击或搜索引擎向网站服务器发出浏览请求时,服务器将返回Http Header Http头信息状态码,常见几种如下: 1.Http/1.1 200 OK 访问正常  表示成功访问,为网站可正常访问 ...

  3. Unity3d之将terrain转化成mesh

    Unity3d中,terrain还是比较耗的,DrawCall数也比较多,为了优化性能,可能需要将terrain转化成mesh. 现提供一工具,思路是根据terrain高度图生成mesh等,可参考:  ...

  4. JS操作select标签

    主要利用这个来实现省市区三级联动的 我利用的是ajax,每一次onchange事件都改变相对应的select中的option,数据全是ajax请求服务器查询数据库而来的,效果还可以,在本地测试的时候速 ...

  5. MySQL安装--ubuntu

    1. 执行命令: $ apt-get install mysql-server 执行上述命令会自动安装mysql-client,mysql-common等包. 2. 安装过程中会让你给root账号设置 ...

  6. 新随笔ps泡泡制作

    http://jingyan.baidu.com/article/4d58d5413568a79dd4e9c016.html

  7. 5.如果第4题中在DOS命令下输入:java Hello 出现以下结果:Bad command or the file name 可能是什么原因?请说明理由。

    1.没有输入javac指定路径,而是直接输入java Hello. 2.前面已经用过一次指令,没有重新输入路径.

  8. find unique values in an array

    Problem: given an array that contains duplicates (except one value), find the one value that does no ...

  9. bind启动时提示953端口被使用

    部署DNS的时候遇到个奇葩的问题,总是提示 couldn't add command channel 0.0.0.0#953: address in use 实际上系统上并没有进程使用953端口.查询 ...

  10. Inno Setup入门(十二)——Pascal脚本(1)

    事件函数(1) Inno Setup支持以下函数和过程. function InitializeSetup(): Boolean; 该函数在安装程序初始化时调用,返回False 将中断安装,True则 ...