
How to prevent SSH brute-force logins on a VPS

2025-01-28 Update. From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/01

This article explains how to protect a VPS against SSH brute-force login attempts.

Some time ago, I talked about how to block scanning of the website server, which counts as front-line defense. Later, Felix posted a blog article about banning IPs that had made many failed attempts to log in over SSH, so I remembered to take a look at the log, only to find the backyard on fire.

View the log file:

The code is as follows:

$ sudo cat /var/log/auth.log

To my surprise, the output filled screen after screen, and it was all the same thing:

The code is as follows:

$ sudo grep "Failed password for root" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more

470 222.122.52.150

411 123.15.36.218

139 177.8.168.48

20 74.81.83.226

18 77.108.112.131

2 95.58.255.62

1 218.28.79.228

1 188.132.163.154

Of course, I have root login disabled, and the attackers are not that stupid, so they started brute-forcing user names:

The code is as follows:

$ sudo grep "Failed password for invalid user" /var/log/auth.log | awk '{print $13}' | sort | uniq -c | sort -nr | more

3190 218.28.79.228

646 222.122.52.150

172 123.15.36.218

65 177.8.168.48

4 222.76.211.149

Someone tried more than 3000 times. Well, is the mini blog lovelucy really that valuable? As a precaution, we can change some configuration to make the VPS server more secure.

1. Change the SSH port and disable root login

Edit the /etc/ssh/sshd_config file:

The code is as follows:

$ sudo vi /etc/ssh/sshd_config

# A port number that others can't guess
Port 4484

PermitRootLogin no

$ sudo /etc/init.d/ssh restart

2. Disable password login and log in with an RSA private key

Amazon EC2 servers only allow login with a private key, but if I want to SSH in temporarily from another computer that does not have the private key file, that is very inconvenient. So I manually turned password authentication back on. Either way, this method deserves to be listed first.

The code is as follows:

# generate a key on the client

$ ssh-keygen -t rsa

# copy the public key to the server

$ ssh-copy-id -i .ssh/id_rsa.pub server

# you can also manually copy .ssh/id_rsa.pub to .ssh in the user's home directory on the server. Remember to fix the access permissions.

# $ scp .ssh/id_rsa.pub server:~/.ssh

# on the server

$ cd ./.ssh/

$ mv id_rsa.pub authorized_keys

$ chmod 400 authorized_keys

$ vi /etc/ssh/sshd_config

# RSA authentication (an SSH protocol 1 option, deprecated in current OpenSSH)
RSAAuthentication yes

# enable public key authentication
PubkeyAuthentication yes

# path of the file holding the authorized public keys
AuthorizedKeysFile .ssh/authorized_keys

# disable password authentication
PasswordAuthentication no

# no empty passwords
PermitEmptyPasswords no

# disable PAM
UsePAM no

# finally save and restart

$ sudo /etc/init.d/ssh restart
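A way to check that the settings from sections 1 and 2 are really the ones in effect, as an added example that is not part of the original article. The function names and both sample files are constructed for illustration, the defaults are the upstream OpenSSH ones, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the login settings used above.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive and "#" starts a comment. Parsing stops at the first
# Match block, so only the global section is considered.
effective_value() {
  awk -v key="$2" -v def="$3" '
    { sub(/#.*/, ""); sub(/=/, " ") }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE: one line per setting, returns 1 if any differs.
# Table columns: keyword, wanted value, upstream default when unset.
audit_sshd_config() {
  rc=0
  while read -r key want def; do
    got=$(effective_value "$1" "$key" "$def")
    if [ "$got" = "$want" ]; then echo "ok   $key $got"
    else echo "FAIL $key $got (want $want)"; rc=1; fi
  done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PermitEmptyPasswords no no
PubkeyAuthentication yes yes
EOF
  return $rc
}

# Constructed sample: the later "no" loses to the earlier "yes", and the
# commented-out PermitRootLogin line has no effect.
sample_weak() {
  printf '%s\n' 'Port 4484' '#PermitRootLogin no' \
    'PasswordAuthentication yes' 'PasswordAuthentication no'
}
# Constructed sample matching the configuration in this article.
sample_hardened() {
  printf '%s\n' 'Port 4484' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'PermitEmptyPasswords no' 'UsePAM no'
}

tmp=$(mktemp)
sample_weak > "$tmp";     audit_sshd_config "$tmp" || echo "=> weak sample needs changes"
sample_hardened > "$tmp"; audit_sshd_config "$tmp" && echo "=> hardened sample passes"
rm -f "$tmp"
```

On a live server, `sshd -T` prints the configuration sshd actually resolved, including Include files; keep an existing session open while testing a restart so a mistake does not lock you out.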

3. Install denyhosts

This method saves time and effort. Denyhosts is a program written in Python that analyzes the sshd log file and, when it finds repeated failed logins, records the IP in the /etc/hosts.deny file, thereby blocking the IP automatically. This is the same idea as the script I introduced earlier to automatically block scanning. Adding the entries by hand would wear you out. Nowadays, denyhosts is available in the software repositories of the various distributions, and it doesn't require much configuration, so it's easy to use.

Installation:

The code is as follows:

# Debian/Ubuntu:

$ sudo apt-get install denyhosts

# RedHat/CentOS

$ yum install denyhosts

# Archlinux

$ yaourt denyhosts

# Gentoo

$ emerge -av denyhosts

The default configuration works well. If you want to customize the settings, you can edit /etc/denyhosts.conf:

The code is as follows:

$ vi /etc/denyhosts.conf

# ssh log file; blocking decisions are based on this file
SECURE_LOG = /var/log/auth.log

# file that controls which hosts are denied login
HOSTS_DENY = /etc/hosts.deny

# how long before banned entries are purged; empty means the ban is never lifted
PURGE_DENY =

# name of the service to block; to add other services, append them separated by commas
BLOCK_SERVICE = sshd

# number of failures allowed for invalid users
DENY_THRESHOLD_INVALID = 5

# number of failures allowed for ordinary users
DENY_THRESHOLD_VALID = 10

# number of failures allowed for root login
DENY_THRESHOLD_ROOT = 1

DENY_THRESHOLD_RESTRICTED = 1

# working directory
WORK_DIR = /var/lib/denyhosts

SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES

# whether to perform reverse DNS lookups
HOSTNAME_LOOKUP=YES

# file holding the process ID of the program
LOCK_FILE = /var/run/denyhosts.pid

# administrator email address; reports are emailed to the administrator
ADMIN_EMAIL = root@localhost

SMTP_HOST = localhost

SMTP_PORT = 25

SMTP_FROM = DenyHosts

SMTP_SUBJECT = DenyHosts Report

# how long before a user's failed-login count is reset to 0 (m for minutes, h for hours, d for days, w for weeks, and y for years)
AGE_RESET_VALID=5d

AGE_RESET_ROOT=25d

AGE_RESET_RESTRICTED=25d

AGE_RESET_INVALID=10d

# whether the failed-login count of an IP is reset to 0 after it logs in successfully
RESET_ON_SUCCESS = yes

# denyhosts' own log file
DAEMON_LOG = /var/log/denyhosts

# interval between log file reads when running in the background
DAEMON_SLEEP = 30s

# when running in the background, how often the purge mechanism removes old entries from HOSTS_DENY; this affects the interval of PURGE_DENY
DAEMON_PURGE = 1h

Checking my /etc/hosts.deny file, I found that there are already 8 records in it.
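The log counting done with grep and awk earlier, combined with the DENY_THRESHOLD_* values from denyhosts.conf, as an added example that is not part of the original article and is not DenyHosts' own code. The function names are hypothetical, the log lines are constructed with documentation-range addresses, and "a host is listed once its count exceeds the threshold" is an assumption about the threshold semantics.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source and list the hosts
# that would cross the thresholds configured above.

# Constructed sample in auth.log format. Two user names are deliberately
# awkward (empty, and containing a space): they shift the field position,
# so a fixed '{print $13}' would not return the address for those lines.
sample_log() {
  for u in admin test oracle "" "git hub" ftp; do
    echo "Jan 28 10:00:01 vps sshd[100]: Failed password for invalid user $u from 198.51.100.9 port 5000 ssh2"
  done
  cat <<'EOF'
Jan 28 10:01:00 vps sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Jan 28 10:01:02 vps sshd[102]: Failed password for root from 203.0.113.7 port 4002 ssh2
Jan 28 10:02:00 vps sshd[103]: Failed password for root from 192.0.2.10 port 4100 ssh2
Jan 28 10:02:05 vps sshd[104]: Failed password for alice from 192.0.2.10 port 4101 ssh2
Jan 28 10:03:00 vps sshd[105]: Accepted publickey for alice from 192.0.2.10 port 4102 ssh2
EOF
}

# stdin: auth.log lines; stdout: "<kind> <ip> <count>", sorted.
# The user name is client-supplied text, so the address is located from
# the right-hand end of the line (the field after the last "from").
count_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = NF - 1; i >= 1; i--) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      if ($0 ~ /Failed password for invalid user /) kind = "invalid"
      else if ($0 ~ /Failed password for root from /) kind = "root"
      else kind = "valid"
      n[kind " " ip]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# args: thresholds for invalid, valid and root users (defaults from the
# denyhosts.conf above); prints hosts.deny-style lines for BLOCK_SERVICE sshd.
deny_candidates() {
  count_failures | awk -v inv="${1:-5}" -v val="${2:-10}" -v root="${3:-1}" '
    BEGIN { t["invalid"] = inv; t["valid"] = val; t["root"] = root }
    $3 + 0 > t[$1] + 0 && !seen[$2]++ { print "sshd: " $2 }'
}

sample_log | count_failures
sample_log | deny_candidates
```

To run it against a real log, pipe the file in instead of the sample, for example `sudo cat /var/log/auth.log | deny_candidates`.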
