打造坚固的安全的Linux服务器(ssh登录篇)

Nov 3 01:22:06 server sshd[11879]: Failed password for root from 123.127.5.131 port 38917 ssh2
Nov 3 01:22:17 server sshd[11880]: Received disconnect from 123.127.5.131: 13: The user canceled authentication.

Nov 3 03:15:08 server sshd[17524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2
4.238.47.93.res-cmts.tv13.ptd.net user=root
Nov 3 03:15:11 server sshd[17524]: Failed password for root from 24.238.47.93 port 3033 ssh2
Nov 3 03:15:11 server sshd[17525]: Received disconnect from 24.238.47.93: 11: Bye Bye
Nov 3 05:14:12 server sshd[20460]: Invalid user a from 218.28.4.61
Nov 3 05:14:12 server sshd[20460]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POS
SIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:12 server sshd[20461]: input_userauth_request: invalid user a
Nov 3 05:14:12 server sshd[20460]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:12 server sshd[20460]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2
18.28.4.61
Nov 3 05:14:14 server sshd[20460]: Failed password for invalid user a from 218.28.4.61 port 15683 ssh2
Nov 3 05:14:14 server sshd[20461]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:16 server sshd[20467]: Invalid user 1 from 218.28.4.61
Nov 3 05:14:16 server sshd[20467]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POS
SIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:16 server sshd[20468]: input_userauth_request: invalid user 1
Nov 3 05:14:16 server sshd[20467]: pam_unix(sshd:auth): check pass; user unknown
Nov 3 05:14:16 server sshd[20467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2
18.28.4.61
Nov 3 05:14:18 server sshd[20467]: Failed password for invalid user 1 from 218.28.4.61 port 15817 ssh2
Nov 3 05:14:18 server sshd[20468]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:20 server sshd[20473]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POS
SIBLE BREAK-IN ATTEMPT!
Nov 3 05:14:20 server sshd[20473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=2
18.28.4.61 user=root
Nov 3 05:14:22 server sshd[20473]: Failed password for root from 218.28.4.61 port 15940 ssh2
Nov 3 05:14:22 server sshd[20475]: Received disconnect from 218.28.4.61: 11: Bye Bye
Nov 3 05:14:24 server sshd[21504]: Address 218.28.4.61 maps to pc0.zz.ha.cn, but this does not map back to the address - POS
SIBLE BREAK-IN ATTEMPT!

更多的是类似这样的：

Nov 4 13:09:44 server sshd[9319]: Did not receive identification string from 66.197.176.130
Nov 4 13:15:24 server sshd[10015]: Did not receive identification string from UNKNOWN
Nov 4 13:16:25 server sshd[10200]: Did not receive identification string from UNKNOWN
Nov 4 13:18:28 server sshd[11524]: Did not receive identification string from UNKNOWN
Nov 4 13:19:24 server sshd[11579]: Did not receive identification string from UNKNOWN
Nov 4 13:20:24 server sshd[11707]: Did not receive identification string from UNKNOWN
Nov 4 13:21:24 server sshd[11782]: Did not receive identification string from UNKNOWN
Nov 4 13:22:24 server sshd[11854]: Did not receive identification string from UNKNOWN
Nov 4 13:24:26 server sshd[12036]: Did not receive identification string from UNKNOWN
Nov 4 13:25:26 server sshd[12201]: Did not receive identification string from UNKNOWN
Nov 4 13:26:26 server sshd[13312]: Did not receive identification string from UNKNOWN
Nov 4 13:27:26 server sshd[13400]: Did not receive identification string from UNKNOWN
Nov 4 13:28:26 server sshd[13542]: Did not receive identification string from UNKNOWN

看来安全问题不少，呵呵。于是开始行动，加固安全防线，打造一个安全的服务器，让老美黑客们也歇菜，哈哈。

首先，禁用root 远程登录，改ssh端口

vi /etc/ssh/sshd_config

PermitRootLogin no #禁用root 登录，创建一个普通用户用作远程登录，然后通过su -转为root 用户

#Port 22
Port 36301 #改到一般扫描器扫到累死才能找到的端口（从20 扫到 36301 … 哈哈）

重启 /etc/init.d/sshd restart

上述更改后，安全日志好几天没有动静，除了我自己登录的日志外，成果初现。不过好景不长，过几天后又发现有一试探登录日志：

Nov 9 15:57:02 server sshd[13948]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13916]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13949]: Did not receive identification string from 66.197.176.130
Nov 9 15:57:02 server sshd[13944]: Did not receive identification string from 66.197.176.130
Nov 9 22:58:17 server sshd[15736]: Did not receive identification string from UNKNOWN

Nov 9 22:59:17 server sshd[15972]: Did not receive identification string from UNKNOWN
Nov 9 23:00:18 server sshd[16163]: Did not receive identification string from UNKNOWN
Nov 9 23:01:18 server sshd[16309]: Did not receive identification string from UNKNOWN
Nov 9 23:02:18 server sshd[17579]: Did not receive identification string from UNKNOWN
Nov 9 23:03:18 server sshd[17736]: Did not receive identification string from UNKNOWN
Nov 9 23:04:17 server sshd[17846]: Did not receive identification string from UNKNOWN
Nov 9 23:05:17 server sshd[18021]: Did not receive identification string from UNKNOWN
Nov 9 23:06:20 server sshd[18103]: Did not receive identification string from UNKNOWN
Nov 9 23:07:20 server sshd[18166]: Did not receive identification string from UNKNOWN
Nov 9 23:08:20 server sshd[18307]: Did not receive identification string from UNKNOWN

嗯，看来这是一位执着的黑客，他的执着没有白费，终于找到我的ssh新端口。（my god,从22 扫描到36301需要多长时间？？？），看来我只能使出我的杀手剪了。封IPvi /etc/hosts.deny

sshd : ALL EXCEPT xxx.xxx.xxx.0/255.255.255.0 zzz.zzz.zzz.zz yyy.yyy.yyy.0/255.255.255.0

上面的意思是拒绝所有的IP ssh 登录除了我列出的IP 外。我上网是用的ADSL，通常在两个IP池中取得，所以上面的xxx.xxx.xxx.0 和 yyy.yyy.yyy.0 是我的动态ADSL ip 段。另外一个 zzz.zzz.zzz.zz 是我在单位的固定的IP，这个以防万一，万一我的ADSL网段变了，岂不是服务器也拒绝我的登录了？所以做IP拒绝时要慎重小心，不要把自己也锁在门外， 哈哈。

安全上述加固后，再查看日志 tail -fn100 secure

Nov 9 23:48:17 server sshd[30249]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:49:17 server sshd[30319]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:50:17 server sshd[30475]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:51:18 server sshd[30539]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:52:17 server sshd[30609]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:53:17 server sshd[31752]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:54:17 server sshd[31833]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:55:17 server sshd[31978]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:56:22 server sshd[32045]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:57:18 server sshd[32105]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:58:18 server sshd[32171]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 9 23:59:17 server sshd[32238]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:00:20 server sshd[32378]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:01:20 server sshd[32450]: refused connect from ::ffff:66.197.176.130 (::ffff:66.197.176.130)
Nov 10 00:02:19 server sshd[32484]: refused connect fro