
A host intrusion attack-and-defense battle: firewalld port access control for specified IP ranges

I. Background

First thing in the morning I came into the office and logged into our server that is exposed to the public internet. When the login succeeded, it showed 160000+ failed login records. My colleagues and I were stunned: who is that persistent? A colleague joked that someone must have a blood feud with me to go at me like this! Well, work has arrived. It's my server and I make the rules. Let's go, who's afraid of whom?

II. Specific steps

1. Use last to check whether there are any abnormal IP addresses or accounts in the login records.

[root@DCGH ~]# last -100
ivandu pts/0 139.130.99.123 Tue Apr 24 20:53 still logged in
ivandu pts/0 139.129.0.194 Tue Apr 24 19:13 - 19:35 (00:21)
ivandu pts/1 139.129.0.194 Tue Apr 24 18:02 - 19:35 (01:33)
ivandu pts/1 139.129.0.194 Tue Apr 24 11:30 - 14:24 (02:53)
ivandu pts/0 139.129.0.194 Tue Apr 24 11:11 - 14:24 (03:13)
reboot system boot 3.10.0-693.17.1. Tue Apr 24 11:10 - 21:45 (10:34)
ivandu pts/2 139.129.0.194 Tue Apr 24 11:04 - 11:04 (00:00)
ivandu pts/1 139.129.0.194 Tue Apr 24 10:26 - 11:10 (00:44)
root pts/0 139.129.0.194 Tue Apr 24 10:19 - down (00:51)
reboot system boot 3.10.0-693.17.1. Tue Apr 24 10:18 - 11:10 (00:51)
..... some lines omitted

All familiar IPs, nothing abnormal. Very good!

2. Create a new user to switch to root from. You can also use visudo to grant this user the appropriate sudo permissions; in this example I simply su to root from the account (see my earlier articles on hardening and sudo).

[root@CLDevOps ~]# useradd -M ivandu
[root@CLDevOps ~]# passwd ivandu
Changing password for user ivandu.
New password:
BAD PASSWORD: The password is shorter than 7 characters
Retype new password:
passwd: all authentication tokens updated successfully.

3. Forbid the root account from logging in remotely over SSH: edit /etc/ssh/sshd_config and disable root login. The pattern below also matches the commented-out "#PermitRootLogin" line that the stock sshd_config ships with, so the directive is actually set rather than silently left untouched.

[root@CLDevOps ~]# sed -i "/^#\?PermitRootLogin/cPermitRootLogin no" /etc/ssh/sshd_config
[root@CLDevOps ~]# systemctl restart sshd

4. Log out of root and log in as the newly created user ivandu. The user ivandu was created here only to reproduce the handling steps from that day; I have long made a habit of disabling root login and hope you will form the same habit.

Could not chdir to home directory /home/ivandu: No such file or directory
-bash-4.2$ su - root
Password:
Last login: Tue Apr 24 21:47:54 CST 2018 on pts/0
Last failed login: Tue Apr 24 22:12:33 CST 2018 from 42.7.26.88 on ssh:notty
There were 403 failed login attempts since the last successful login.

Look at that, is it not absolutely crazy? In the short time in between, several hundred more login attempts.

5. Start on the firewall: add rules allowing the specified network ranges to access the port SSH uses (the rule is wrapped in single quotes so the double quotes inside it reach firewalld intact).

[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="139.130.99.0/24" port protocol="tcp" port="22" accept'
success
[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="139.129.0.0/24" port protocol="tcp" port="22" accept'
success

6. Remove the original ssh service rule from firewalld and reload firewalld. Before doing this, make sure the session you are working from comes from one of the ranges accepted in step 5; otherwise the reload cuts off your own access.

[root@CLDevOps ~]# firewall-cmd --permanent --remove-service=ssh
success
[root@CLDevOps ~]# firewall-cmd --reload
success

7. Now check whether port 22 is reachable from an IP outside the specified ranges. I tried from another Alibaba Cloud machine, with the following result:

[root@heynick ~]# telnet 106.99.233.115 22
Trying 106.99.233.115...
telnet: connect to address 167.99.233.15: No route to host

8. Keep watching the show: take a look at the logs.

[root@CLDevOps ~]# journalctl -ex
Apr 24 22:30:29 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:30:30 CLDevOps unix_chkpwd[20516]: password check failed for user (root)
Apr 24 22:30:30 CLDevOps sshd[20475]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Apr 24 22:30:31 CLDevOps unix_chkpwd[20517]: password check failed for user (root)
Apr 24 22:30:31 CLDevOps sshd[20479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.159 user=root
Apr 24 22:30:31 CLDevOps sshd[20479]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Apr 24 22:30:32 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:30:33 CLDevOps unix_chkpwd[20518]: password check failed for user (root)
Apr 24 22:30:33 CLDevOps sshd[20475]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Apr 24 22:30:33 CLDevOps sshd[20479]: Failed password for root from 58.218.198.159 port 26800 ssh2
Apr 24 22:30:35 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:30:35 CLDevOps sshd[20475]: error: maximum authentication attempts exceeded for root from 42.7.26.88 port 31228 ssh2 [preauth]
Apr 24 22:30:35 CLDevOps sshd[20475]: Disconnecting: Too many authentication failures [preauth]
Apr 24 22:30:35 CLDevOps sshd[20475]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.88 user=root
Apr 24 22:30:35 CLDevOps sshd[20475]: PAM service(sshd) ignoring max retries; 6 > 3
Apr 24 22:30:38 CLDevOps sshd[20479]: Received disconnect from 58.218.198.159 port 26800:11: [preauth]
Apr 24 22:30:38 CLDevOps sshd[20479]: Disconnected from 58.218.198.159 port 26800 [preauth]

Still just as crazy! Now they switch IPs to come at me! This morning they were switching usernames too! Haha!

Of course, the other ports that services on this machine listen on I have left open; there is no need to worry about those, and if something does come up it will be handled separately.

9. If the attacker only ever uses a single fixed IP, we can simply block that one IP. The command is as follows; let's try blocking the IP 58.218.198.159:

[root@CLDevOps ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="58.218.198.159" port protocol="tcp" port="22" drop'
success
[root@CLDevOps ~]# firewall-cmd --reload
success
[root@CLDevOps ~]# firewall-cmd --list-rich-rule
rule family="ipv4" source address="139.130.99.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="139.129.0.0/24" port port="22" protocol="tcp" accept
rule family="ipv4" source address="58.218.198.159" port port="22" protocol="tcp" drop
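Steps 8 and 9 can be joined up: count the "Failed password" lines from the journal per source address and generate the drop rules for the noisy ones, while refusing to block anything inside the ranges accepted in step 5. This is an added example, not code from the original article; the journal excerpt is constructed (the 139.129.0.194 lines are invented to exercise the allow-list check) and the threshold of 3 is an assumption.

```python
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks that step 5 above allows to reach port 22; never emit a drop rule for these.
ALLOWED_NETS = ["139.130.99.0/24", "139.129.0.0/24"]

# Constructed journal excerpt in the format sshd writes (same shape as the step 8 output).
# The 139.129.0.194 lines are invented to exercise the allow-list check.
SAMPLE_JOURNAL = """\
Apr 24 22:30:29 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:30:31 CLDevOps sshd[20479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.198.159 user=root
Apr 24 22:30:32 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:30:33 CLDevOps sshd[20479]: Failed password for root from 58.218.198.159 port 26800 ssh2
Apr 24 22:30:35 CLDevOps sshd[20475]: Failed password for root from 42.7.26.88 port 31228 ssh2
Apr 24 22:31:02 CLDevOps sshd[20490]: Failed password for ivandu from 139.129.0.194 port 50114 ssh2
Apr 24 22:31:04 CLDevOps sshd[20490]: Failed password for ivandu from 139.129.0.194 port 50114 ssh2
Apr 24 22:31:06 CLDevOps sshd[20490]: Failed password for invalid user admin from 139.129.0.194 port 50120 ssh2
"""

# Only "Failed password" lines are counted; the pam_unix lines report the same attempts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+")

def failed_logins(journal_text):
    """Count sshd password failures per source address."""
    return Counter(m.group(1) for line in journal_text.splitlines()
                   if (m := FAILED_RE.search(line)))

def in_allowlist(addr, nets):
    """True if addr lies inside one of the accept-listed networks."""
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)

def drop_rules(counts, threshold, nets):
    """Build step 9 style firewall-cmd drop rules for noisy sources outside the allow list."""
    template = ("firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" "
                "source address=\"{ip}\" port protocol=\"tcp\" port=\"22\" drop'")
    return [template.format(ip=ip) for ip, n in sorted(counts.items())
            if n >= threshold and not in_allowlist(ip, nets)]

if __name__ == "__main__":
    # Real data: journalctl -u sshd --no-pager | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    for cmd in drop_rules(failed_logins(text), 3, ALLOWED_NETS):
        print(cmd)  # review the list, run it, then: firewall-cmd --reload
```

The script only prints the commands; it never calls firewall-cmd itself, so the operator reviews the list before anything is applied.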

III. Summary

1. Form good habits; don't do everything as root!

2. Set a password of reasonably high complexity.

3. Security hardening is essential.

TAG: 滇池孤鴻