今天下午,打开博客的时候很卡,页面提示数据库错误或者服务器负载过高。
打开VPS后台,发现CPU和磁盘负载很高。
然后使用Xshell登录查看,提示:
Last failed login: Fri Dec 11 23:14:56 CST 2020 from 221.131.165.85 on ssh:notty
There were 26 failed login attempts since the last successful login.
意识到可能遭到攻击,查看ssh登录日志
cat /var/log/secure |more
第一步,先使用封IP的方法,将可疑的IP添加到 /etc/hosts.deny 中
第二步,安装 Fail2ban 辅助封IP。
yum install epel-release
yum install fail2ban -y
# 安装fail2ban 完成后
systemctl enable fail2ban # 设置fail2ban开机启动
systemctl start fail2ban # 启动fail2ban
systemctl status fail2ban # 查看fail2ban的运行状态
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local
[sshd]
enabled = true
filter = sshd
action = iptables[name=sshd,port=22,protocol=tcp]
maxretry = 3
findtime = 60
bantime = 7200
logpath = /var/log/secure
安装和配置完成后,使用命令查看,一会儿不到一个小时的时间,又被尝试了这么多次,还有这么多不同的IP,是被谁盯上了吗?
>> fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 10
| |- Total failed: 157
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 12
|- Total banned: 12
`- Banned IP list: 112.85.42.194 40.124.5.76 46.101.164.33 117.50.36.137 221.181.185.19 119.28.178.61 222.187.232.73 221.131.165.124 218.92.0.223 221.181.185.200 221.181.185.199 190.171.133.10
今天时间比较紧,当初也没有想到被经常SSH暴力破解攻击的问题,从根源上还是应该更换ssh端口,关闭账号密码登录等来实现更安全的ssh。
参考
- Linux入*侵分析(二)分析SSH登录日志
- Linux VPS禁止某个IP访问
- CentOS安装Fail2ban之小白攻略
- 自动IP拦截工具fail2ban使用教程
