Security
Linux systems ship by default with well-configured firewalls, such as
- iptables
- Uncomplicated Firewall (UFW)
- ConfigServer Security Firewall (CSF), etc., which block many kinds of attacks.
Detection
Check the intrusion records
# Brute-force password guessing (failed root logins, counted per source IP)
sudo grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more
# Brute-force user-name guessing (failed logins for non-existent users, counted per source IP)
sudo grep "Failed password for invalid user" /var/log/auth.log | awk '{print $13}' | sort | uniq -c | sort -nr | more
# Basic defence
## Change the SSH port from 22 (valid range 0–65535; pick a high one, > 10000)
nano /etc/ssh/sshd_config
Port 22 => Port 47832
## Disable password login; log in with an RSA private key instead
vi /etc/ssh/sshd_config
RSAAuthentication yes # RSA authentication (SSH protocol 1 option; OpenSSH 7.4 and later ignore it with a deprecation warning)
PubkeyAuthentication yes # enable public-key authentication
AuthorizedKeysFile .ssh/authorized_keys # path to the authorized-keys file
PasswordAuthentication no # disable password authentication
PermitEmptyPasswords no # disallow empty passwords
PermitRootLogin no # disallow root login
# confirm key-based login works from a second session before restarting, or you can lock yourself out
sudo service sshd restart
fail2ban (f2b)
A Python program that scans logs and bans offending IPs to stop brute-force attacks. Structure: define a jail, then enable the jail.
Install on Ubuntu/Debian
apt install fail2ban
How it works: it sets iptables rules programmatically
iptables -L # show the current iptables rules
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- mbl-65-136-170.dsl.net.pk anywhere reject-with icmp-port-unreachable
REJECT all -- 67.205.161.52 anywhere reject-with icmp-port-unreachable
REJECT all -- 81.70.99.146 anywhere reject-with icmp-port-unreachable
REJECT all -- 81.68.169.2 anywhere reject-with icmp-port-unreachable
REJECT all -- 119.29.183.138 anywhere reject-with icmp-port-unreachable
REJECT all -- 119.29.62.131 anywhere reject-with icmp-port-unreachable
REJECT all -- 119.45.13.194 anywhere reject-with icmp-port-unreachable
REJECT all -- 221.231.125.146 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
fail2ban-client status # list the enabled jails
Status
|- Number of jail: 1
`- Jail list: sshd
fail2ban-client status sshd # show the status of one jail
Status for the jail: sshd
|- Filter
| |- Currently failed: 11
| |- Total failed: 1551703
| `- File list: /var/log/auth.log
`- Actions
|- Currently banned: 8
|- Total banned: 175987
`- Banned IP list: 119.29.62.131 119.29.183.138 81.68.169.2 81.70.99.146 67.205.161.52 58.65.136.170 58.213.84.234 51.103.81.155
# Unban an IP
fail2ban-client set sshd unbanip 119.29.62.131
Configuration directory
/etc/fail2ban/
- jail.conf # default jail definitions; overwritten when the package is upgraded
# Add custom configuration (jail.local overrides jail.conf and survives upgrades)
cd /etc/fail2ban/
cp jail.conf jail.local
- [DEFAULT] section
  - ignoreip: whitelist of IPs, space-separated
  - bantime: number of seconds a host stays banned
  - findtime: a host is banned once it reaches maxretry failures within the last findtime seconds
  - maxretry: number of failures before a host is banned
- [sshd] section (per-jail rules)
  - enabled = true: enable the jail
iptables configuration
# Flush the existing iptables rules
# (this also removes fail2ban's f2b-sshd jump rule in INPUT; restart fail2ban afterwards so it re-adds it)
iptables -F
# Allow the local loopback interface (the machine talking to itself)
iptables -A INPUT -i lo -j ACCEPT
# Allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow port 22; the following lines use the same pattern for ports 22, 80 and 443
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Other ports follow the same pattern; adjust the lines above
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Reject everything not explicitly allowed (note: if port 22 is not allowed above, the SSH session drops immediately)
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
Writing fail2ban rules
# Jail protecting nginx against HTTP request floods (DoS)
[xxx-get-dos]
enabled=true
port=http,https
filter=nginx-bansniffer
action=iptables[name=xxx, port=http, protocol=tcp]
logpath=/opt/nginx/logs/xxx_access.log
maxretry=100
findtime=60
bantime=300
...
vim /etc/fail2ban/filter.d/nginx-bansniffer.conf
[Definition]
# matches every request line in the access log, so the jail above acts as a rate limit:
# more than maxretry=100 requests from one host within findtime=60 s gives a bantime=300 s ban
failregex = <HOST> -.*- .*HTTP/1.* .* .*$
ignoreregex =
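As an added example (not part of the original notes, nor fail2ban's own code), the following Python models what the sshd and nginx jails above do: it expands the `<HOST>` tag with a simplified stand-in for fail2ban's host pattern (an assumption), counts failures per host like the grep/awk pipeline in the Detection section, and applies findtime, maxretry and ignoreip to constructed sample log lines.

```python
import re
from collections import Counter, defaultdict, deque

# fail2ban substitutes <HOST> in a failregex with an IP/hostname pattern; simplified stand-in (assumed)
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
NGINX_FAILREGEX = r"<HOST> -.*- .*HTTP/1.* .* .*$"                    # from nginx-bansniffer.conf
SSHD_FAILREGEX = r"Failed password for .* from <HOST> port \d+ ssh2"  # auth.log "Failed password" lines

def compile_failregex(failregex):
    """Turn a jail failregex containing <HOST> into a compiled Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def count_failures(lines, failregex):
    """Same result as the grep | awk | sort | uniq -c pipeline: failures per host."""
    rx = compile_failregex(failregex)
    counts = Counter()
    for _, text in lines:
        m = rx.search(text)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def find_bans(lines, failregex, findtime, maxretry, ignoreip=()):
    """Jail semantics: ban a host once it has maxretry matches within the last findtime
    seconds. lines are (timestamp_seconds, text) in time order. Returns {host: ban time}."""
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)          # host -> match timestamps inside the window
    banned = {}
    for ts, text in lines:
        m = rx.search(text)
        if not m or m.group("host") in ignoreip or m.group("host") in banned:
            continue
        q = recent[m.group("host")]
        q.append(ts)
        while ts - q[0] > findtime:      # discard hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[m.group("host")] = ts
    return banned

# Constructed sample log lines (seconds, message), not real data.
SSH_SAMPLE = [
    (0,   "sshd[201]: Failed password for root from 203.0.113.5 port 4111 ssh2"),
    (10,  "sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 4112 ssh2"),
    (20,  "sshd[201]: Failed password for root from 203.0.113.5 port 4113 ssh2"),
    (30,  "sshd[202]: Failed password for root from 198.51.100.7 port 5001 ssh2"),
    (40,  "sshd[203]: Accepted publickey for deploy from 192.0.2.9 port 6000 ssh2"),
    (700, "sshd[202]: Failed password for root from 198.51.100.7 port 5002 ssh2"),
]
# 101 requests in 50 s from one client (over maxretry=100 within findtime=60) and 5 from another
NGINX_LINE = '%s - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512'
NGINX_SAMPLE = sorted([(i * 0.5, NGINX_LINE % "203.0.113.5") for i in range(101)]
                      + [(i * 10.0, NGINX_LINE % "198.51.100.7") for i in range(5)])
```

The second 198.51.100.7 failure arrives 670 s after the first, outside findtime=600, so it never accumulates enough hits to be banned.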