メールでレポートを送信するようにシステムを設定しています。ログレポートを公開しています(下記参照)。このログには、何千もの侵入試行が表示されます。
質問:
- すでに
denyhosts
インストールしているのにfail2ban
IPをブロックしないのはなぜですか? - 次のようにログに表示されるIPをブロック/ブラックリストに追加する方法はありますか?
この種の攻撃に対抗するためにどのような措置を講じることができますか?
メモ:
sshd
ログには、何千ものログインを試みたいくつかのIPアドレスがあります。- 「最大再試行を無視」と表示されたのはなぜですか? 「最大再試行回数」を無視しないように設定できますか?
メモ:私のシステムはFedora 20です。
ログサンプル
################### Logwatch 7.4.0 (03/01/11) ####################
Processing Initiated: Tue Sep 16 03:35:07 2014
Date Range Processed: yesterday
( 2014-Sep-15 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: Hostname
##################################################################
--------------------- Kernel Begin ------------------------
WARNING: Segmentation Faults in these executables
polkitd : 2 Time(s)
WARNING: General Protection Faults in these executables
traps: polkitd : 6 Time(s)
WARNING: Kernel Errors Present
INFO: recovery required on readonly filesyste ...: 1 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x100) ...: 14 Time(s)
ata2.00: failed to IDENTIFY (I/O error, err_mask=0x4) ...: 8 Time(s)
ata2.00: irq_stat 0x08000000, interface fatal error ...: 10 Time(s)
ata2: SError: { CommWake DevE ...: 52 Time(s)
ata2: SError: { LinkSeq } ...: 8 Time(s)
ata2: SError: { UnrecovData L ...: 2 Time(s)
res 50/00:03:00:08:00/00:00:00:00:00/a0 Emask 0x10 (ATA bus error) ...: 5 Time(s)
---------------------- Kernel End -------------------------
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (219.138.135.64): 3850 Time(s)
root (122.225.103.125): 1016 Time(s)
root (122.225.109.106): 256 Time(s)
root (122.225.109.205): 194 Time(s)
root (122.225.109.208): 183 Time(s)
root (122.225.109.216): 178 Time(s)
unknown (122.225.109.208): 63 Time(s)
unknown (122.225.109.106): 57 Time(s)
unknown (122.225.109.216): 54 Time(s)
unknown (122.225.109.205): 22 Time(s)
unknown (113.106.88.235): 14 Time(s)
bin (113.106.88.235): 1 Time(s)
nagios (113.106.88.235): 1 Time(s)
tomcat (113.106.88.235): 1 Time(s)
Invalid Users:
Unknown Account: 210 Time(s)
Unknown Entries:
service(sshd) ignoring max retries; 6 > 3: 945 Time(s)
service(sshd) ignoring max retries; 5 > 3: 29 Time(s)
service(sshd) ignoring max retries; 4 > 3: 6 Time(s)
su:
Authentication Failures:
UserName(1000) -> root: 1 Time(s)
Sessions Opened:
UserName -> root: 6 Time(s)
systemd-user:
Unknown Entries:
session opened for user UserName by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
**Unmatched Entries**
polkitd: <no filename>:0: uncaught exception: Terminating runaway script: 1 Time(s)
polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 3 Time(s)
polkitd: Error evaluating authorization rules: 1 Time(s)
polkitd: Finished loading, compiling and executing 6 rules: 3 Time(s)
polkitd: Loading rules from directory /etc/polkit-1/rules.d: 3 Time(s)
polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 3 Time(s)
polkitd: Operator of unix-session:1 successfully authenticated as unix-user:root to gain TEMPORARY authorization for action org.freedesktop.problems.getall for system-bus-name::1.66 [/usr/bin/abrt-applet] (owned by unix-user:UserName): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:1 (system bus name :1.70 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Registered Authentication Agent for unix-session:13 (system bus name :1.92 [/usr/libexec/kde4/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8): 2 Time(s)
polkitd: Terminating runaway script: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
Disconnecting after too many authentication failures for user:
admin : 30 Time(s)
root : 937 Time(s)
Failed logins from:
113.106.88.235: 2 times
122.225.103.125: 1016 times
122.225.109.106: 256 times
122.225.109.205: 194 times
122.225.109.208: 183 times
122.225.109.216: 178 times
219.138.135.64: 3850 times
Illegal users from:
undef: 14 times
113.106.88.235: 15 times
122.225.109.106: 57 times
122.225.109.205: 22 times
122.225.109.208: 63 times
122.225.109.216: 54 times
Login attempted when shell does not exist:
tomcat : 1 Time(s)
Received disconnect:
11: Bye Bye [preauth] : 16 Time(s)
**Unmatched Entries**
PAM service(sshd) ignoring max retries; 6 > 3 : 945 time(s)
ecryptfs: pam_sm_authenticate: pam_ecryptfs: Error getting passwd info for user; rc = [0] : 210 time(s)
PAM service(sshd) ignoring max retries; 4 > 3 : 6 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "nagios" : 1 time(s)
PAM service(sshd) ignoring max retries; 5 > 3 : 29 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "bin" : 1 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 5677 time(s)
fatal: Write failed: Connection reset by peer [preauth] : 17 time(s)
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "tomcat" : 1 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
UserName => root
----------------
/bin/yum - 2 Time(s).
---------------------- Sudo (secure-log) End -------------------------
--------------------- yum Begin ------------------------
Packages Installed:
binutils-2.23.88.0.1-13.fc20.x86_64
libgomp-4.8.3-1.fc20.x86_64
perl-Sys-CPU-0.54-5.fc20.x86_64
VirtualBox-4.3.16-1.fc20.x86_64
1:make-3.82-19.fc20.x86_64
glibc-devel-2.18-14.fc20.x86_64
logwatch-7.4.0-33.20140704svn198.fc20.noarch
kernel-headers-3.16.2-200.fc20.x86_64
glibc-headers-2.18-14.fc20.x86_64
epylog-1.0.7-6.fc20.noarch
perl-Sys-MemInfo-0.91-8.fc20.x86_64
akmod-VirtualBox-4.3.16-1.fc20.x86_64
gcc-4.8.3-1.fc20.x86_64
dkms-2.2.0.3-25.fc20.noarch
libgomp-4.8.3-1.fc20.i686
patch-2.7.1-7.fc20.x86_64
Packages Erased:
kmod-VirtualBox-3.15.10-200.fc20.x86_64-4.3.14-1.fc20.6.x86_64
kmod-VirtualBox-3.16.2-200.fc20.x86_64-4.3.16-1.fc20.x86_64
kmod-VirtualBox-3.15.10-201.fc20.x86_64-4.3.14-1.fc20.7.x86_64
---------------------- yum End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/luks- 59G 55G 1.3G 98% /
devtmpfs 5.8G 0 5.8G 0% /dev
/dev/sda2 477M 131M 317M 30% /boot
/dev/sda1 200M 9.5M 191M 5% /boot/efi
/dev/mapper/fedora_Hostname-home 395G 236G 156G 61% /home
/dev/mapper/luks- => 98% Used. Warning. Disk Filling up.
---------------------- Disk Space End -------------------------
--------------------- Fortune Begin ------------------------
One man's brain plus one other will produce one half as many ideas as one
man would have produced alone. These two plus two more will produce half
again as many ideas. These four plus four more begin to represent a
creative meeting, and the ratio changes to one quarter as many ...
-- Anthony Chevins
---------------------- Fortune End -------------------------
--------------------- lm_sensors output Begin ------------------------
coretemp-isa-0000
Adapter: ISA adapter
Physical id 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 0: +52.0 C (high = +100.0 C, crit = +100.0 C)
Core 1: +51.0 C (high = +100.0 C, crit = +100.0 C)
---------------------- lm_sensors output End -------------------------
###################### Logwatch End #########################
編集#1
実行されていないようです。インストール時に自動的に設定されたものと同じであるとしますfail2ban
。denyhosts
出力は次のとおりですfail2ban-client
。
root ~ # fail2ban-client status
ERROR Unable to contact server. Is it running?
root ~ # systemctl start fail2ban
root ~ # fail2ban-client status sshd
ERROR NOK: ('sshd',)
Sorry but the jail 'sshd' does not exist
root ~ # fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:
ベストアンサー1
質問1と2に答えるfailed2banの構成部分を見つけたようですので、ここでは質問3に具体的に答えようとしています。 SSHのセキュリティを強化するには、次のアプローチをお勧めします。
- 厳密モードがtrueに設定されていることを確認してください。
- ルートログインを無効にする
- SSHポートの変更
- パスワードログインを無効にする
- ポートノッキングを使用
編集内容に応答するには、/etc/fail2ban/filter.d/ssh.conf に ssh 構成を作成し、以下を貼り付ける必要があります。
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
提案どおりにポートを変更した場合は、ここでポート番号を設定できます。 Fail2banを再起動してテストします。