
SSH and vsftpd Security Hardening for an Alibaba Cloud Linux Server

August 12, 2014 | Experience Sharing

As mentioned before, this site has been migrated to Alibaba Cloud and runs on Linux.

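For convenient remote maintenance, an SSH server is indispensable. Besides transferring files over SFTP, I also deployed a vsftpd FTP service as a backup. Security problems followed right away: in the server's /var/log/secure log I found a large number of SSH and FTP brute-force attempts.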

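Alibaba Cloud's Cloud Shield (云盾) is fairly powerful, but to make sure the server stays safe I did some additional SSH and vsftpd hardening. Because I maintain the server from a fixed IP, I did not use the fail2ban + iptables automatic-blocking approach. Instead I use /etc/hosts.allow and /etc/hosts.deny directly to restrict which IPs may access SSH and vsftpd, and block all other IPs. The steps are as follows: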

1. Configure the IPs allowed to access SSH and vsftpd in /etc/hosts.allow

#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# Add the following two lines (YOUR_IP stands for my IP; replace it with yours)
sshd:YOUR_IP:allow
vsftpd:YOUR_IP:allow

2. Configure /etc/hosts.deny to deny all IPs access to SSH and vsftpd

#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# Add the following two lines: apart from the IPs allowed in /etc/hosts.allow, all other IPs are denied access.
sshd:ALL
vsftpd:ALL

With the two steps above, the people running brute-force tools have no way in.

3. Extension: restricting the IPs that can access mysql via /etc/hosts.allow and /etc/hosts.deny

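Likewise, if you need to restrict which IPs may access mysql remotely, besides restricting them inside mysql with the GRANT ALL PRIVILEGES ON command, you can also use the method above. The only difference is that the mysql process is mysqld, while the SSH server's is sshd.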
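
The decision order behind steps 1 to 3, as an added example that is not part of the original post: a simplified model of the hosts_access(5) lookup (hosts.allow first, then hosts.deny, otherwise granted), run against the article's rules. The admin IP 203.0.113.10, the client 198.51.100.7 and the function names `match_rule` and `decide` are assumptions made for the demo; a daemon with no line in either file, such as mysqld before its rules are added, falls through to granted.

```shell
#!/bin/sh
# Simplified model of the tcp_wrappers decision order in hosts_access(5):
#   1. first matching rule in hosts.allow -> granted
#   2. first matching rule in hosts.deny  -> denied
#   3. no match in either file            -> granted
# Modelled: daemon names, exact IPv4 clients, ALL, a trailing allow/deny option.

# match_rule FILE DAEMON CLIENT: print the option of the first matching rule
# ("-" if it has none); print nothing when no rule matches.
match_rule() {
    awk -F: -v d="$2" -v c="$3" '
        /^[ \t]*#/ || NF < 2 { next }          # comments, blank lines
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            dm = 0; n = split($1, ds, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (ds[i] == d || ds[i] == "ALL") dm = 1
            cm = 0; n = split($2, cs, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (cs[i] == c || cs[i] == "ALL") cm = 1
            if (dm && cm) { print (NF >= 3 && $3 != "" ? $3 : "-"); exit }
        }' "$1"
}

# decide ALLOW_FILE DENY_FILE DAEMON CLIENT: print "granted" or "denied".
decide() {
    opt=$(match_rule "$1" "$3" "$4")
    if [ -n "$opt" ]; then
        if [ "$opt" = deny ]; then echo denied; else echo granted; fi
        return 0
    fi
    opt=$(match_rule "$2" "$3" "$4")
    if [ -n "$opt" ]; then
        if [ "$opt" = allow ]; then echo granted; else echo denied; fi
        return 0
    fi
    echo granted
}

# Constructed demo files: the article's rules with 203.0.113.10 as the admin IP.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'sshd:203.0.113.10:allow' 'vsftpd:203.0.113.10:allow' > "$demo/hosts.allow"
printf '%s\n' 'sshd:ALL' 'vsftpd:ALL' > "$demo/hosts.deny"

decide "$demo/hosts.allow" "$demo/hosts.deny" sshd   203.0.113.10
decide "$demo/hosts.allow" "$demo/hosts.deny" sshd   198.51.100.7
decide "$demo/hosts.allow" "$demo/hosts.deny" mysqld 198.51.100.7
decide "$demo/hosts.allow" /dev/null          sshd   198.51.100.7
```

On a live host, `tcpdmatch sshd <client-ip>` from the tcp_wrappers package evaluates the real files. The rules only apply to daemons linked against libwrap, which `ldd /usr/sbin/sshd | grep libwrap` confirms.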

4. The results from the last few days:

Aug 2 15:00:42 yimiju sshd[25670]: refused connect from 116.10.191.230 (116.10.191.230)
Aug 2 18:02:01 yimiju sshd[8954]: refused connect from 116.10.191.182 (116.10.191.182)
Aug 3 20:20:02 yimiju sshd[18552]: refused connect from 116.10.191.233 (116.10.191.233)
Aug 3 21:16:07 yimiju sshd[20614]: refused connect from 116.10.191.168 (116.10.191.168)
Aug 4 01:33:52 yimiju sshd[29335]: refused connect from 116.10.191.187 (116.10.191.187)
Aug 4 01:39:10 yimiju sshd[29554]: refused connect from 61.174.51.219 (61.174.51.219)
Aug 4 06:57:13 yimiju sshd[7761]: refused connect from 116.10.191.165 (116.10.191.165)
Aug 4 08:11:34 yimiju sshd[10176]: refused connect from 116.10.191.175 (116.10.191.175)
Aug 4 20:46:19 yimiju sshd[4098]: refused connect from 116.10.191.235 (116.10.191.235)
Aug 4 20:46:40 yimiju sshd[4107]: refused connect from 116.10.191.235 (116.10.191.235)
Aug 4 20:47:16 yimiju sshd[4131]: refused connect from 116.10.191.235 (116.10.191.235)
Aug 4 20:47:59 yimiju sshd[4156]: refused connect from 116.10.191.235 (116.10.191.235)
Aug 6 10:38:34 yimiju sshd[18696]: refused connect from 116.10.191.194 (116.10.191.194)
Aug 6 16:59:55 yimiju sshd[31464]: refused connect from 116.10.191.178 (116.10.191.178)
Aug 7 04:38:04 yimiju sshd[22901]: refused connect from 61.174.51.198 (61.174.51.198)
Aug 7 20:21:11 yimiju sshd[27703]: refused connect from 71.6.167.142 (71.6.167.142)
Aug 8 04:44:12 yimiju sshd[8939]: refused connect from 61.174.51.220 (61.174.51.220)
Aug 8 04:44:34 yimiju sshd[8977]: refused connect from 61.174.51.220 (61.174.51.220)
Aug 8 04:45:10 yimiju sshd[9055]: refused connect from 61.174.51.220 (61.174.51.220)
Aug 8 04:45:52 yimiju sshd[9133]: refused connect from 61.174.51.220 (61.174.51.220)
Aug 8 13:06:55 yimiju sshd[20672]: refused connect from 62.162.44.130 (62.162.44.130)
Aug 8 18:57:30 yimiju sshd[1545]: refused connect from 116.10.191.194 (116.10.191.194)
Aug 8 18:57:46 yimiju sshd[1561]: refused connect from 116.10.191.194 (116.10.191.194)
Aug 9 14:56:06 yimiju sshd[9303]: refused connect from 186.235.130.42 (186.235.130.42)
Aug 9 14:57:46 yimiju sshd[9360]: refused connect from 186.235.130.42 (186.235.130.42)
Aug 9 21:27:42 yimiju sshd[23091]: refused connect from 218.204.70.29 (218.204.70.29)
Aug 10 02:26:08 yimiju sshd[1487]: refused connect from 121.15.207.221 (121.15.207.221)
Aug 10 06:14:27 yimiju sshd[8938]: refused connect from 116.10.191.221 (116.10.191.221)
Aug 10 13:31:54 yimiju sshd[24670]: refused connect from 61.174.51.215 (61.174.51.215)
Aug 10 15:05:27 yimiju sshd[28438]: refused connect from 199.91.135.158 (199.91.135.158)
Aug 10 23:26:25 yimiju sshd[12400]: refused connect from 116.10.191.208 (116.10.191.208)
Aug 11 02:36:50 yimiju sshd[18514]: refused connect from 116.10.191.227 (116.10.191.227)
Aug 11 10:06:06 yimiju sshd[1136]: refused connect from 218.203.44.174 (218.203.44.174)
Aug 11 15:46:27 yimiju sshd[14090]: refused connect from 116.10.191.204 (116.10.191.204)
Aug 11 18:58:20 yimiju sshd[20664]: refused connect from 222.186.27.3 (222.186.27.3)
Aug 11 18:58:21 yimiju sshd[20665]: refused connect from 222.186.27.3 (222.186.27.3)
Aug 11 18:58:36 yimiju sshd[20673]: refused connect from 222.186.27.3 (222.186.27.3)
Aug 11 18:58:56 yimiju sshd[20683]: refused connect from 222.186.27.3 (222.186.27.3)
Aug 11 21:36:43 yimiju sshd[25695]: refused connect from 115.214.137.226 (115.214.137.226)
Aug 11 21:36:53 yimiju sshd[25702]: refused connect from 115.214.137.226 (115.214.137.226)
Aug 12 00:03:29 yimiju sshd[30958]: refused connect from 61.174.51.213 (61.174.51.213)
Aug 12 04:11:07 yimiju sshd[9996]: refused connect from 116.10.191.230 (116.10.191.230)
Aug 12 07:29:42 yimiju sshd[19054]: refused connect from 211.125.67.181 (211.125.67.181)
Aug 12 09:06:58 yimiju sshd[22164]: refused connect from 116.10.191.234 (116.10.191.234)
Aug 12 17:26:40 yimiju sshd[7478]: refused connect from 61.174.51.224 (61.174.51.224)
Aug 12 17:42:52 yimiju sshd[8056]: refused connect from 116.10.191.206 (116.10.191.206)
Aug 12 17:43:38 yimiju sshd[8084]: refused connect from 116.10.191.206 (116.10.191.206)
Aug 12 20:28:10 yimiju sshd[13902]: refused connect from 116.10.191.218 (116.10.191.218)
Aug 12 20:28:43 yimiju sshd[13933]: refused connect from 116.10.191.218 (116.10.191.218)
Aug 12 20:30:46 yimiju sshd[14034]: refused connect from 116.10.191.218 (116.10.191.218)

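Among the IPs above, a few belong to Alibaba Cloud and are mainly used to check whether the system has weak passwords, but my system blocked them as well.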
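
A way to condense a log like the one above, as an added example that is not part of the original post: it counts the tcp_wrappers "refused connect from" entries per daemon and /24 prefix, which makes repeated attempts from neighbouring addresses stand out. The function names and the sample lines (hostname `host1`, documentation-range IPs) are constructed for the demo; on the server the input would be /var/log/secure.

```shell
#!/bin/sh
# summarize_refused: read syslog lines on stdin, keep the tcp_wrappers
# "refused connect from" entries and print "count daemon prefix/24",
# busiest prefix first.
summarize_refused() {
    awk '
        / refused connect from / {
            for (i = 1; i <= NF; i++) if ($i == "refused") break
            daemon = $(i - 1)                  # e.g. "sshd[4098]:"
            sub(/(\[.*|:)$/, "", daemon)       # -> "sshd"
            if (split($(i + 3), o, ".") != 4) next   # IPv4 only
            hits[daemon " " o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample in the same format as the log above (documentation IPs).
sample_log() {
    cat <<'EOF'
Aug 4 20:46:19 host1 sshd[4098]: refused connect from 203.0.113.35 (203.0.113.35)
Aug 4 20:46:40 host1 sshd[4107]: refused connect from 203.0.113.35 (203.0.113.35)
Aug 4 20:47:16 host1 sshd[4131]: refused connect from 203.0.113.94 (203.0.113.94)
Aug 5 01:39:10 host1 sshd[29554]: refused connect from 198.51.100.19 (198.51.100.19)
Aug 5 02:11:00 host1 sshd[3100]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
EOF
}

sample_log | summarize_refused
```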


Copyright © 2009 - 2018 一米居 | All Rights Reserved | Powered By WordPress | Theme Designed By 知更鸟 | 赣ICP备09003747号-2
