On this question, Bob gave a great explanation:

Saying "don't login as root" is h******t. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You'd get your password spoofed but not root's pw. Gimme a break. This is 2005. We have ssh; used properly it's secure. Used improperly, none of this 1989 [stuff] will make a damn bit of difference. -Bob

#8: Enable a warning banner

A warning message shown when logging in over ssh can be enabled in sshd_config with the following configuration (sshd sends the Banner text to the client before authentication, so it is seen by every connecting party, not only by users who log in):
[*] DenyHosts is a program written in Python. It analyzes the sshd log file and, when it finds repeated attacks from a source, records that IP in /etc/hosts.deny, so the IP is blocked automatically.
[*] How to install DenyHosts on RHEL, Fedora and CentOS
[*] Fail2ban is an automatic IP blocking tool
[*] security/sshguard-pf blocks brute-force attacks using pf
[*] security/sshguard-ipfw blocks brute-force attacks using ipfw
[*] security/sshguard-ipfilter blocks brute-force attacks using ipfilter
[*] security/sshblock blocks abusive SSH login attempts.
[*] security/sshit checks for SSH/FTP brute force and blocks the given IPs.
[*] BlockHosts Automatic blocking of abusive IP hosts.
[*] Blacklist Get rid of those brute-force attempts.
[*] Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.
[*] IPQ BDB filter May be considered a fail2ban lite.

#17: Rate-limit connections to port 22

Both netfilter and pf offer connection rate-limiting options.

Iptables example

The following configuration drops new connections to port 22 from any source that has already opened more than 5 of them within one minute (the recent match keeps a per-source list of connection attempts):
#!/bin/bash
IPT=/sbin/iptables   # path to iptables; the original script used $IPT without setting it
inet_if=eth1         # Internet-facing interface
ssh_port=22
# -I inserts at the top of INPUT, so the rule inserted last (the DROP check) is evaluated first.
# Second rule: record every new SSH connection attempt in the 'recent' list for its source address.
# First rule: drop a source that already has 5 or more attempts recorded within the last 60 seconds.
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Another configuration option uses the limit match instead. Note that limit counts new connections from all sources together, not per source, so a single attacker who exhausts the allowance also locks out legitimate logins until the rate falls below the limit:
IPT=/sbin/iptables; inet_if=eth1; ssh_port=22   # same variables as the script above
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT   # accept at most 3 new SSH connections per minute
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -j DROP   # new connections above the limit are dropped; without this (or a DROP policy) the limit rule blocks nothing
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
For further configuration details, see the iptables man page.

*BSD PF example

The following rule allows each source at most 20 simultaneous connections (max-src-conn 20) and at most 15 new connections in any 5-second span (max-src-conn-rate 15/5). A source that exceeds either limit is added to the <abusive_ips> table, the states it created through this rule are flushed (flush; use flush global to kill all of that source's states), and the block rule refuses any further connections from it:
ext_if="em0"                 # external interface; the original snippet used $ext_if without defining it
sshd_server_ip="202.54.1.5"
# Table of offending sources. 'persist' keeps the table even when no rule references it.
# Entries never expire on their own; age them out from cron, e.g. pfctl -t abusive_ips -T expire 86400
table <abusive_ips> persist
block in quick from <abusive_ips>
# Per source: at most 20 open connections and 15 new ones per 5 s; violators are added to the table and their states flushed
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)
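The log-watching blockers listed above (DenyHosts, Fail2ban, sshguard, BlockHosts and the rest) all share one core loop: read sshd's log, count authentication failures per source address inside a time window, and hand the offender to /etc/hosts.deny or a firewall table. The Python below is an added example of that loop, not code from this page, from DenyHosts or from Fail2ban. The log lines, the host name bastion, the addresses (RFC 5737 documentation ranges) and the threshold of 5 failures within 10 minutes are constructed for illustration; it also shows why the window matters, since a slow attacker with the same total number of failures stays under the threshold until the window is widened.

```python
"""
DenyHosts/Fail2ban-style brute-force detector for sshd logs (added example).

Reads syslog-format sshd lines, counts authentication failures per source IP
inside a sliding time window, and formats the /etc/hosts.deny entries a blocker
would write. Sample data, host name and threshold are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog line written by OpenSSH's sshd. The timestamp carries no year.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample log, not from a real host.
# 203.0.113.7:   five failures in 11 seconds         -> should be blocked
# 198.51.100.12: one typo after a successful key login -> legitimate user, keep
# 192.0.2.9:     five failures 11 minutes apart       -> never 5 inside a 10-minute window
SAMPLE_LOG = """\
Mar  4 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:00:03 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 10:00:05 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:00:06 bastion sshd[2107]: Accepted publickey for alice from 198.51.100.12 port 40100 ssh2: ED25519 SHA256:examplefingerprint
Mar  4 10:00:09 bastion sshd[2109]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 10:00:12 bastion sshd[2111]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 10:00:30 bastion sshd[2113]: Failed password for alice from 198.51.100.12 port 40101 ssh2
Mar  4 10:20:00 bastion sshd[2120]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  4 10:31:00 bastion sshd[2122]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar  4 10:42:00 bastion sshd[2124]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  4 10:53:00 bastion sshd[2126]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar  4 11:04:00 bastion sshd[2128]: Failed password for bob from 192.0.2.9 port 33004 ssh2
"""


def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for each failed-login line; everything else is ignored.

    Syslog timestamps have no year, so one is supplied (assumption) to build a datetime.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def offenders(log_text, max_failures=5, window_seconds=600):
    """Return {ip: time the threshold was reached} for sources with
    max_failures or more failed logins inside any window_seconds-long sliding window.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue              # already decided; a real tool would stop reading this source too
        stamps = recent[ip]
        stamps.append(ts)
        # Drop timestamps that have fallen out of the window relative to this failure.
        while stamps and (ts - stamps[0]).total_seconds() > window_seconds:
            stamps.popleft()
        if len(stamps) >= max_failures:
            banned[ip] = ts
    return banned


def hosts_deny_lines(banned, service="sshd"):
    """Format entries the way DenyHosts appends them to /etc/hosts.deny ('sshd: a.b.c.d')."""
    return [f"{service}: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    found = offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip} reached the threshold at {when:%H:%M:%S}")
    print("\n".join(hosts_deny_lines(found)))
```

With the default window only 203.0.113.7 is reported; the slow attacker 192.0.2.9 is only caught when window_seconds is raised to an hour, which is the trade-off every tool in the list above exposes through its window and threshold settings. A production blocker additionally has to handle log rotation, the newer sshd message variants (for example the "Connection closed by authenticating user" and "[preauth]" lines), and a whitelist so an operator typo from a trusted address never ends up in hosts.deny.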