Admin

CentOS 7 SSH hardening
2020-11-16 22:46


Ever since installing CentOS 7 on my servers I had simply connected to sshd on its default port 22,

with the default firewalld firewall enabled as well.

Until one day the server's load was extremely high and the VPS provider throttled its CPU.

Logging in showed a large number of sshd processes:

  top - 09:26:56 up 31 min, 2 users, load average: 2.00, 10.01, 12.16
  Tasks: 159 total, 4 running, 117 sleeping, 0 stopped, 0 zombie
  %Cpu(s): 54.5 us, 43.4 sy, 0.0 ni, 0.0 id, 0.0 wa, 0.0 hi, 2.0 si, 0.0 st
  KiB Mem : 507904 total, 85888 free, 228488 used, 193528 buff/cache
  KiB Swap: 135164 total, 126204 free, 8960 used. 235864 avail Mem
  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
  16687 root 20 0 156752 8964 7668 S 9.3 1.8 0:00.28 sshd
  441 root 20 0 35408 3700 3480 S 8.3 0.7 1:38.54 systemd-journal
  16713 root 20 0 112928 7900 6868 S 6.6 1.6 0:00.20 sshd
  16675 root 20 0 112928 7936 6912 S 5.0 1.6 0:00.28 sshd
  16688 root 20 0 154724 8724 7436 S 5.0 1.7 0:00.15 sshd
  16703 root 20 0 112928 7832 6808 S 4.3 1.5 0:00.13 sshd
  16679 root 20 0 156752 8884 7584 S 3.7 1.7 0:00.11 sshd
  16665 root 20 0 156752 8736 7436 S 3.0 1.7 0:00.28 sshd
  16671 root 20 0 156752 8696 7396 S 3.0 1.7 0:00.16 sshd
  1097 root 20 0 239036 8596 7384 S 2.7 1.7 0:29.20 rsyslogd
  16653 root 20 0 156752 8840 7544 S 2.7 1.7 0:00.10 sshd
  16699 root 20 0 112928 7908 6888 S 2.7 1.6 0:00.08 sshd
  16705 root 20 0 112928 7772 6748 S 2.7 1.5 0:00.08 sshd
  16648 root 20 0 156752 8708 7408 S 2.3 1.7 0:00.35 sshd
  16666 root 20 0 156752 8812 7516 S 2.3 1.7 0:00.14 sshd
  16677 root 20 0 156752 8904 7608 S 2.3 1.8 0:00.08 sshd
  16700 sshd 20 0 112928 6156 5096 S 2.3 1.2 0:00.07 sshd

At the same time, tail -f /var/log/secure showed a constant stream of failed SSH authentication attempts (the "POSSIBLE BREAK-IN ATTEMPT!" line only means the client's reverse DNS did not match its forward lookup; the real signal is the volume of Invalid user and Failed password lines from ever-changing addresses):

  [root@band ~]# tail -f /var/log/secure
  Nov 16 09:29:23 band sshd[17971]: Disconnected from 14.141.115.10 port 28382 [preauth]
  Nov 16 09:29:24 band sshd[17851]: Invalid user arizona from 176.122.141.223 port 54602
  Nov 16 09:29:24 band sshd[17851]: input_userauth_request: invalid user arizona [preauth]
  Nov 16 09:29:24 band sshd[17851]: pam_unix(sshd:auth): check pass; user unknown
  Nov 16 09:29:24 band sshd[17851]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.122.141.223.16clouds.com
  Nov 16 09:29:25 band sshd[17940]: reverse mapping checking getaddrinfo for 189.38.187.61.user.ajato.com.br [189.38.187.61] failed - POSSIBLE BREAK-IN ATTEMPT!
  Nov 16 09:29:25 band sshd[17940]: Invalid user Pa55w0rd.0987 from 189.38.187.61 port 53005
  Nov 16 09:29:25 band sshd[17940]: input_userauth_request: invalid user Pa55w0rd.0987 [preauth]
  Nov 16 09:29:25 band sshd[17940]: pam_unix(sshd:auth): check pass; user unknown
  Nov 16 09:29:25 band sshd[17940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=189.38.187.61
  Nov 16 09:29:25 band sshd[17851]: Failed password for invalid user arizona from 176.122.141.223 port 54602 ssh2
  Nov 16 09:29:27 band sshd[17940]: Failed password for invalid user Pa55w0rd.0987 from 189.38.187.61 port 53005 ssh2
  Nov 16 09:29:27 band sshd[17851]: Received disconnect from 176.122.141.223 port 54602:11: Bye Bye [preauth]
  Nov 16 09:29:27 band sshd[17851]: Disconnected from 176.122.141.223 port 54602 [preauth]
  Nov 16 09:29:27 band sshd[17940]: Received disconnect from 189.38.187.61 port 53005:11: Bye Bye [preauth]
  Nov 16 09:29:27 band sshd[17940]: Disconnected from 189.38.187.61 port 53005 [preauth]

DenyHosts

Tools of this kind all work the same way: they analyse the sshd log in real time, pick out suspicious IPs and add them to a blacklist.

In practice it turned out to be of little use, for these reasons:

  • An IP is judged suspicious by counting its failed logins; once the count passes a threshold it is blacklisted
  • The log shows the attackers do not come from fixed IPs: each address makes a few attempts and is then replaced by another, so by the time a per-IP threshold trips the address has usually moved on, and blacklisting it achieves little

Dropped.
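To make the threshold logic concrete, here is an added shell example (not code from the original post) that runs the same failure-count-per-IP rule a DenyHosts-style tool applies to /var/log/secure. The log lines, IP addresses and threshold are constructed for the example; the function names are mine. On a real host you would feed it /var/log/secure instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original post): the "count failures per source
# IP" logic that DenyHosts-style tools apply to /var/log/secure, run over a
# constructed sample so it works offline. Real use: failed_by_ip < /var/log/secure

# Constructed sample lines in the CentOS 7 /var/log/secure format.
SAMPLE_LOG='Nov 16 09:29:24 band sshd[17851]: Invalid user arizona from 176.122.141.223 port 54602
Nov 16 09:29:25 band sshd[17851]: Failed password for invalid user arizona from 176.122.141.223 port 54602 ssh2
Nov 16 09:29:25 band sshd[17940]: Invalid user Pa55w0rd.0987 from 189.38.187.61 port 53005
Nov 16 09:29:27 band sshd[17940]: Failed password for invalid user Pa55w0rd.0987 from 189.38.187.61 port 53005 ssh2
Nov 16 09:29:30 band sshd[17955]: Failed password for root from 176.122.141.223 port 54610 ssh2
Nov 16 09:29:31 band sshd[17955]: Failed password for root from 176.122.141.223 port 54610 ssh2
Nov 16 09:29:33 band sshd[17960]: Failed password for root from 203.0.113.7 port 41000 ssh2
Nov 16 09:29:40 band sshd[17970]: Accepted publickey for admin from 198.51.100.5 port 50000 ssh2'

# failed_by_ip: read sshd log lines on stdin, print "<count> <ip>" per source
# IP, highest count first. Matches "Failed password for <user> from <ip>" and
# "Failed password for invalid user <user> from <ip>"; "Invalid user" lines are
# deliberately not counted, or each attempt would be counted twice.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders_over THRESHOLD: the IPs a DenyHosts-style rule would blacklist,
# i.e. those with at least THRESHOLD failures in the input.
offenders_over() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# distinct_failed_ips: how many different source IPs produced failures. When
# this is large and the per-IP counts are small, a per-IP blacklist rarely
# trips, which is the situation the post describes.
distinct_failed_ips() {
    failed_by_ip | wc -l | tr -d ' '
}

# Stand-alone run: show the table and who a threshold of 3 would ban.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | offenders_over 3
```

With the sample, only one of the three failing addresses reaches three failures; the other two would never be banned, which is the pattern seen in the real log above where each address shows up for a single attempt.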

Port

The simplest and most direct approach is to change the port sshd listens on. This does not make authentication any stronger; it only takes the host out of the mass scans that target port 22, which is what was eating the CPU here.

Edit /etc/ssh/sshd_config, uncomment #Port 22 and change it to a high port:

  (omitted)
  Port 22222
  (omitted)

On CentOS 7, SELinux is enforcing by default and only lets sshd bind ports labelled ssh_port_t, so the new port has to be labelled as well (the semanage port tool from the policycoreutils-python package does this), or sshd will fail to come back up after the restart.

If a firewall is running, open the new port too (22222 here):

  firewall-cmd --zone=public --add-port=22222/tcp --permanent
  firewall-cmd --reload

Restart the sshd service:

  systemctl restart sshd

Keep the current session open, confirm that a new login on the new port works, and only then close it; once that is confirmed the ssh service (port 22) can be removed from the firewall zone.

Disable passwords

Going further, password login can be disabled entirely in favour of key login:

  • Make sure key login works before doing this
  • Make sure key login works before doing this
  • Make sure key login works before doing this

Edit /etc/ssh/sshd_config and set PasswordAuthentication to no:

  (omitted)
  PasswordAuthentication no
  (omitted)

Also check that ChallengeResponseAuthentication is no (it is in the stock CentOS 7 file): with UsePAM yes, keyboard-interactive authentication still hands the prompt to PAM, which would accept the account password even with PasswordAuthentication off. Run sshd -t to syntax-check the file before restarting, since a typo would otherwise leave sshd down.

Restart the sshd service:

  systemctl restart sshd
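As an added example (not the post's own script), here is a POSIX shell script that applies both edits from this post, the port change and the password switch-off, to an sshd_config file, handling the three states a directive can be in: commented out (#Port 22, the stock CentOS 7 layout), already set, or absent. It also sets ChallengeResponseAuthentication and PermitRootLogin, which go beyond the post, and keeps the live CentOS 7 steps (SELinux port label, firewalld, syntax check, restart) in a function that is only run when you call it on the real host. The file path argument lets you try it on a copy first; the function names, the backup suffix and the demo config lines are my own choices.

```shell
#!/bin/sh
# Added example, not the post's script: apply the sshd_config hardening from
# the post to a file, then (only when asked) the live CentOS 7 steps.
# Assumes GNU sed (CentOS 7) and that the directives are not set inside a
# Match block, which is true of the stock sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." or "#KEY ..." line to "KEY VALUE" (sshd keywords
# are case-insensitive, hence the I flag); appends the line if KEY is absent.
# The regex is anchored on the whole keyword, so Port never matches GatewayPorts.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: the value sshd would use, i.e. the first
# uncommented occurrence (sshd takes the first match, not the last).
get_sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the post's two changes plus the settings that
# must go with them, with a timestamped backup to roll back from.
harden_sshd_config() {
    file="$1"; port="$2"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    # With UsePAM yes, keyboard-interactive auth still asks PAM for the account
    # password unless this is off too (it is off in the stock CentOS 7 file).
    set_sshd_option "$file" ChallengeResponseAuthentication no
    # Beyond the post: root may still log in, but only with a key.
    set_sshd_option "$file" PermitRootLogin prohibit-password
}

# apply_on_centos7 PORT: run as root on the real host, from a session you keep
# open until a new login on PORT has been confirmed. Not run by this script.
apply_on_centos7() {
    port="$1"
    harden_sshd_config /etc/ssh/sshd_config "$port"
    # SELinux is enforcing by default on CentOS 7 and only lets sshd bind
    # ports labelled ssh_port_t; without this, sshd fails to start on the new
    # port. semanage comes from policycoreutils-python. -a fails if the port
    # already carries a label, in which case -m changes it.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --zone=public --add-port="$port/tcp" --permanent
    firewall-cmd --reload
    # Syntax-check first: a typo in sshd_config would otherwise leave sshd down.
    sshd -t && systemctl restart sshd
}

# Stand-alone demo on a throwaway copy shaped like the stock config.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'PasswordAuthentication yes' > "$demo"
harden_sshd_config "$demo" 22222
cat "$demo"
rm -f "$demo" "$demo".bak.*
```

The demo prints the rewritten file; on the real host the call is apply_on_centos7 22222 as root, and the backup next to /etc/ssh/sshd_config is what you restore if the new login does not work.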