Wal*_*mra 8 security ubuntu ssh phishing fail2ban
我注意到我的 Ubuntu Xenial 服务器上有一些奇怪的东西。
它在默认端口上有 SSH,并且有 fail2ban。
Fail2ban 正在检测服务器上的蛮力尝试并相应地记录:
2017-01-12 10:58:19,927 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:03:27,808 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:08:37,936 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:13:51,538 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:18:57,939 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:24:10,399 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:29:23,161 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:34:34,064 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
2017-01-12 11:39:44,540 fail2ban.filter [23119]: INFO [sshd] Found x.x.x.x
xxxx 在所有情况下都是相同的 IP,这家伙只是在钓鱼随机用户名,如 auth.log 所示:
Jan 12 12:05:46 MYSERVER sshd[23579]: Invalid user journalist from x.x.x.x
Jan 12 12:05:46 MYSERVER sshd[23579]: input_userauth_request: invalid user journalist [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Received disconnect from x.x.x.x port 47995:11: Normal Shutdown, Thank you for playing [preauth]
Jan 12 12:05:46 MYSERVER sshd[23579]: Disconnected from x.x.x.x port 47995 [preauth]
Fail2ban 看到它们,他将它们列为“已找到”,但并未禁止。有任何想法吗?
编辑:
cat /etc/fail2ban/jail.d/myjails.local
[apache-auth]
enabled = true
[sshd-ddos]
enabled = true
[recidive]
enabled = true
[dovecot]
enabled = true
[postfix]
enabled=true
其余的配置文件根据 Ubuntu 的合理默认值保留原样,即/etc/fail2ban/jail.conf:
[sshd]
port = ssh
logpath = %(sshd_log)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
我们有:
cat /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
Fail2ban 似乎没有禁止任何人 - 您提供的日志没有显示任何人超过 Ubuntu xenial 附带的 fail2ban 的默认限制。
查看您的/etc/fail2ban/jail.conf,在该[DEFAULT]部分中有参数findtime(默认为 600秒,所以为 10 分钟)和maxretry(默认为 5次,在该查找窗口内)。这意味着一个小时只尝试几个密码的人根本不会触发它。
请注意,您不需要更改此文件(也不应该更改,以便能够干净地升级它)。您也可以将 [DEFAULT] 块放入您的 中/etc/fail2ban/jail.d/myjails.local:
[DEFAULT]
findtime = 3600
bantime = 3600
maxretry = 4
jail.conf它实际上给出了一些关于如何以及为什么的提示。| 归档时间: |
|
| 查看次数: |
6530 次 |
| 最近记录: |