I am setting up my system to send reports by e-mail. I am posting the log report (see below). This log shows thousands of intrusion attempts.
Questions:
- I already have denyhosts and fail2ban installed, so why are they not blocking the IPs?
- Is there a way to block/blacklist the IPs that appear in the log, as shown below?
- What measures can I take against this type of attack?
Note: in the sshd log there are some IP addresses that made thousands of login attempts.
- Why does it say "ignoring max retries"? Can it be set so that "max retries" is not ignored?
Note: my system is Fedora 20.
Log sample
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Tue Sep 16 03:35:07 2014
Date Range Processed: yesterday
( 2014-Sep-15 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: Hostname
##################################################################
--------------------- Kernel Begin ------------------------
WARNING: Segmentation Faults in these executables
polkitd : 2 Time(s)
WARNING: General Protection Faults in these executables
traps: polkitd : 6 Time(s)
WARNING: Kernel Errors Present
INFO: recovery required on readonly filesyste ...: 1 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x100) ...: 14 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x4) ...: 8 Time(s)
ata2.00: irq_stat 0x08000000, interface fatal error ...: 10 Time(s)
ata2: SError: { CommWake DevE ...: 52 Time(s)
ata2: SError: { LinkSeq } ...: 8 Time(s)
ata2: SError: { UnrecovData L ...: 2 Time(s)
res 50/00:03:00:08:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error) ...: 5 Time(s)
---------------------- Kernel End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (219.138.135.64): 3850 Time(s)
root (122.225.103.125): 1016 Time(s)
root (122.225.109.106): 256 Time(s)
root (122.225.109.205): 194 Time(s)
root (122.225.109.208): 183 Time(s)
root (122.225.109.216): 178 Time(s)
unknown (122.225.109.208): 63 Time(s)
unknown (122.225.109.106): 57 Time(s)
unknown (122.225.109.216): 54 Time(s)
unknown (122.225.109.205): 22 Time(s)
unknown (113.106.88.235): 14 Time(s)
bin (113.106.88.235): 1 Time(s)
nagios (113.106.88.235): 1 Time(s)
tomcat (113.106.88.235): 1 Time(s)
Invalid Users:
Unknown Account: 210 Time(s)
Unknown Entries:
service(sshd) ignoring max retries; 6 > 3: 945 Time(s)
service(sshd) ignoring max retries; 5 > 3: 29 Time(s)
service(sshd) ignoring max retries; 4 > 3: 6 Time(s)
su:
Authentication Failures:
UserName(1000) -> root: 1 Time(s)
Sessions Opened:
UserName -> root: 6 Time(s)
systemd-user:
Unknown Entries:
session opened for user UserName by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
polkitd: <no filename>:0: uncaught exception: Terminating runaway script: 1 Time(s)
polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 3 Time(s)
polkitd: Error evaluating authorization rules: 1 Time(s)
polkitd: Finished loading, compiling and executing 6 rules: 3 Time(s)
polkitd: Loading rules from directory /etc/polkit-1/rules.d: 3 Time(s)
polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 3 Time(s)
polkitd: Operator of unix-session:1 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.problems.getall for system-bus-name::1.66 [/usr/bin/abrt-applet] (owned by unix-user:UserName): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:1 (system bus name :1.70 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:13 (system bus name :1.92 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Terminating runaway script: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
Disconnecting after too many authentication failures for user:
admin : 30 Time(s)
root : 937 Time(s)
Failed logins from:
113.106.88.235: 2 times
122.225.103.125: 1016 times
122.225.109.106: 256 times
122.225.109.205: 194 times
122.225.109.208: 183 times
122.225.109.216: 178 times
219.138.135.64: 3850 times
Illegal users from:
undef: 14 times
113.106.88.235: 15 times
122.225.109.106: 57 times
122.225.109.205: 22 times
122.225.109.208: 63 times
122.225.109.216: 54 times
Login attempted when shell does not exist:
tomcat : 1 Time(s)
Received disconnect:
11: Bye Bye [preauth] : 16 Time(s)
**Unmatched Entries**
PAM service(sshd) ignoring max retries; 6 > 3 : 945 time(s)
ecryptfs: pam_sm_authenticate: pam_ecryptfs: Error getting passwd info for user; rc = [0] : 210 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 6 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "nagios" : 1 time(s)
PAM service(sshd) ignoring max retries; 5 > 3 : 29 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bin" : 1 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 5677 time(s)
fatal: Write failed: Connection reset by peer [preauth] : 17 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "tomcat" : 1 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
UserName => root
----------------
/bin/yum - 2 Time(s).
---------------------- Sudo (secure-log) End -------------------------
--------------------- yum Begin ------------------------
Packages Installed:
binutils-2.23.88.0.1-13.fc20.x86_64
libgomp-4.8.3-1.fc20.x86_64
perl-Sys-CPU-0.54-5.fc20.x86_64
VirtualBox-4.3.16-1.fc20.x86_64
1:make-3.82-19.fc20.x86_64
glibc-devel-2.18-14.fc20.x86_64
logwatch-7.4.0-33.20140704svn198.fc20.noarch
kernel-headers-3.16.2-200.fc20.x86_64
glibc-headers-2.18-14.fc20.x86_64
epylog-1.0.7-6.fc20.noarch
perl-Sys-MemInfo-0.91-8.fc20.x86_64
akmod-VirtualBox-4.3.16-1.fc20.x86_64
gcc-4.8.3-1.fc20.x86_64
dkms-2.2.0.3-25.fc20.noarch
libgomp-4.8.3-1.fc20.i686
patch-2.7.1-7.fc20.x86_64
Packages Erased:
kmod-VirtualBox-3.15.10-200.fc20.x86_64-4.3.14-1.fc20.6.x86_64
kmod-VirtualBox-3.16.2-200.fc20.x86_64-4.3.16-1.fc20.x86_64
kmod-VirtualBox-3.15.10-201.fc20.x86_64-4.3.14-1.fc20.7.x86_64
---------------------- yum End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/luks- 59G 55G 1.3G 98% /
devtmpfs 5.8G 0 5.8G 0% /dev
/dev/sda2 477M 131M 317M 30% /boot
/dev/sda1 200M 9.5M 191M 5% /boot/efi
/dev/mapper/fedora_Hostname-home 395G 236G 156G 61% /home
/dev/mapper/luks- => 98% Used. Warning. Disk Filling up.
---------------------- Disk Space End -------------------------
--------------------- Fortune Begin ------------------------
One man's brain plus one other will produce one half as many ideas as one
man would have produced alone. These two plus two more will produce half
again as many ideas. These four plus four more begin to represent a
creative meeting, and the ratio changes to one quarter as many ...
-- Anthony Chevins
---------------------- Fortune End -------------------------
--------------------- lm_sensors output Begin ------------------------
coretemp-isa-0000
Adapter: ISA adapter
Physical id 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 1: +51.0 C (high = +100.0 C, crit = +100.0 C)
---------------------- lm_sensors output End -------------------------
###################### Logwatch End #########################
Edit #1
fail2ban does not seem to be running. I assumed it was configured automatically at install time, the same as denyhosts. The output of fail2ban-client is as follows:
root ~ # fail2ban-client status
ERROR Unable to contact server. Is it running?
root ~ # systemctl start fail2ban
root ~ # fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
root ~ # fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
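The addresses in the report above can be turned into a blocklist directly; the following is an added example, not part of the original post. It reads a Logwatch SSHD section on stdin, adds up the "Failed logins from:" and "Illegal users from:" counters per address, and prints firewalld rich rules for every address at or above a threshold. The embedded report is a constructed, cut-down copy of the numbers above; the 100-attempt threshold, the function names and the choice of firewalld (Fedora's default firewall) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: build a firewalld blocklist
# from a Logwatch SSHD section such as the report above.
# Assumptions: Logwatch's "Failed logins from:" / "Illegal users from:"
# layout ("<ip>: <n> times", possibly indented), firewalld as the host
# firewall (Fedora's default), and a failure threshold chosen by the operator.

# Constructed sample: a cut-down copy of the report's SSHD section.
sample_report() {
    cat <<'EOF'
--------------------- SSHD Begin ------------------------
    Failed logins from:
       113.106.88.235: 2 times
       122.225.103.125: 1016 times
       219.138.135.64: 3850 times
    Illegal users from:
       undef: 14 times
       113.106.88.235: 15 times
       122.225.109.106: 57 times
    Received disconnect:
       11: Bye Bye [preauth] : 16 Time(s)
---------------------- SSHD End -------------------------
EOF
}

# failed_login_ips [threshold]   (report on stdin)
# Sums failed-login and illegal-user attempts per address and prints
# "<ip> <total>" for each address with at least <threshold> attempts,
# busiest first.  Placeholders such as "undef" are skipped.
failed_login_ips() {
    awk -v min="${1:-100}" '
        /Failed logins from:|Illegal users from:/ { inblock = 1; next }
        inblock {
            # entries end in "<n> times"; any other line closes the block
            if ($0 !~ /[0-9]+ [Tt]ime/) { inblock = 0; next }
            ip = $1; sub(/:$/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip] += $(NF - 1)
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort -k2,2nr -k1,1
}

# firewalld_drop_rules   ("<ip> <total>" lines on stdin)
# Prints, but does not run, one permanent rich rule per address plus the
# reload that makes them active.  Review the list, then run it as root.
firewalld_drop_rules() {
    while read -r ip total; do
        printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" drop'   # %s failures\n" "$ip" "$total"
    done
    echo "firewall-cmd --reload"
}

# Stand-alone run: rules for every address with 100 or more attempts.
if [ "${1:-}" = "demo" ]; then
    sample_report | failed_login_ips 100 | firewalld_drop_rules
fi
```

Source the file and feed it a fresh report, for instance `logwatch --service sshd --detail 0 --print | failed_login_ips 100 | firewalld_drop_rules`, read the printed commands, then run them as root. A static list only covers the sources seen so far; next week's report will show new ones, which is the gap a working fail2ban jail closes.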
Answer 1
I think you have found the part of the fail2ban configuration that answers questions 1 and 2, so here I will try to answer question 3 specifically. To strengthen the security of SSH, I recommend the following approach:
- Make sure strict mode is set to true
- Disable root login
- Change the SSH port
- Disable password login
- Use port knocking
To respond to your edit, you need to create an ssh configuration in /etc/fail2ban/filter.d/ssh.conf and paste in the following:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
If you changed the port as suggested, you can set the port number here. Restart fail2ban and test.
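The answer's checklist and its fail2ban snippet, carried through for the Fedora 20 host in the question, as an added example that is not the answer's own code. Two points differ from the snippet above: a jail definition goes in /etc/fail2ban/jail.local, not under filter.d (that directory holds the log-matching patterns, and `filter = sshd` already refers to the stock one), and Fedora writes sshd and PAM messages to /var/log/secure rather than /var/log/auth.log. Assumed, and marked in the code: fail2ban 0.9 with the jail named sshd (the name the question's fail2ban-client call uses), a firewalld ban action present under action.d, and 192.0.2.0/24 standing in for the admin network. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the answer above: a fail2ban jail for sshd
# written the way Fedora expects it, plus an idempotent sshd_config
# hardening pass for the answer's checklist.  Both functions take paths so
# they can be dry-run on copies; point them at /etc only as root and only
# after reading the result.
# Assumptions: fail2ban 0.9 (jail named "sshd", as in the fail2ban-client
# call above), sshd logging to /var/log/secure, a firewalld action file
# present in /etc/fail2ban/action.d, and 192.0.2.0/24 as the admin network.

# write_jail_local <fail2ban dir> [ssh port]
# jail.local overrides jail.conf, which ships with every jail disabled
# (hence "Number of jail: 0"); jail.conf itself is replaced on update.
write_jail_local() {
    dir="${1:-/etc/fail2ban}"
    port="${2:-ssh}"
    cat > "$dir/jail.local" <<EOF
[DEFAULT]
# three failures within ten minutes earn a one-hour ban
maxretry = 3
findtime = 600
bantime  = 3600
# firewalld owns the rule set on Fedora, so ban through it (assumption:
# action.d/firewallcmd-ipset.conf exists; list action.d to confirm)
banaction = firewallcmd-ipset
# never ban the box itself or the admin network (assumed to be 192.0.2.0/24)
ignoreip = 127.0.0.1/8 192.0.2.0/24

[sshd]
enabled = true
port    = $port
filter  = sshd
# Fedora logs sshd and PAM here; /var/log/auth.log is the Debian location
logpath = /var/log/secure
EOF
}

# set_sshd_option <sshd_config> <Directive> <value>
# Removes every active or commented-out copy of the directive and appends
# one, so running it twice gives the same file.  sshd honours the first
# occurrence of a directive, which is why stale copies must go rather
# than have the new value appended after them.
set_sshd_option() {
    cfg="$1" key="$2" value="$3"
    tmp="$cfg.tmp.$$"
    awk -v k="$key" 'BEGIN { ck = "#" k }
        !($1 == k || $1 == ck || ($1 == "#" && $2 == k))' "$cfg" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$cfg"
}

# harden_sshd_config <sshd_config> [new port]
# The answer's list (strict modes, no root login, no password login,
# optional port change) plus MaxAuthTries 3: the report's 937 "too many
# authentication failures" disconnects show the default of 6 being hit.
harden_sshd_config() {
    cfg="$1"
    set_sshd_option "$cfg" StrictModes yes
    set_sshd_option "$cfg" PermitRootLogin no
    # Install your public key and test a key login BEFORE applying these
    # two; ChallengeResponseAuthentication has to go as well, or PAM keeps
    # offering a password prompt through keyboard-interactive.
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" MaxAuthTries 3
    if [ -n "${2:-}" ]; then
        set_sshd_option "$cfg" Port "$2"
    fi
}
```

Dry-run on copies first (`cp /etc/ssh/sshd_config /tmp/sshd_config; harden_sshd_config /tmp/sshd_config 2222; sshd -t -f /tmp/sshd_config`, as root so sshd can read its host keys), keep an existing session open, then run `write_jail_local` and `harden_sshd_config /etc/ssh/sshd_config` for real, followed by `systemctl enable fail2ban; systemctl restart fail2ban sshd`; `fail2ban-client status sshd` should now list the jail instead of "does not exist". A changed port also needs `firewall-cmd --permanent --add-port=2222/tcp` and, because Fedora enforces SELinux, `semanage port -a -t ssh_port_t -p tcp 2222`. Port knocking from the answer's list is not covered here.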