2025-02-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article is about how to fight off SSH probing. The editor thinks it is very practical, so it is shared here as a reference; follow along and have a look.
In the logs we often see people trying to guess our SSH login passwords. What we want to do is block this kind of probing.
First, restrict how sshd handles login attempts.
man 5 sshd_config shows the following settings:
LoginGraceTime 120
If the client has not authenticated within this many seconds, the server disconnects it. 0 means no limit; the default is 120 seconds.
MaxStartups 10
The maximum number of concurrent unauthenticated connections, that is, how many login attempts may be in progress at the same time. The default shown here is 10 (current OpenSSH releases default to 10:30:100).
You can also use the form start:rate:full, for example 15:30:60: once 15 unauthenticated connections exist, new connection attempts are refused with a probability of 30%; the probability rises linearly with the number of unauthenticated connections until, at 60, all new attempts are refused.
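To make the start:rate:full ramp concrete, here is an added example (not from the original article) that computes the refusal percentage for a given number of unauthenticated connections, following the sshd_config description: 0% below start, rate% at start, rising linearly to 100% at full. It uses integer arithmetic like OpenSSH's drop_connection(); the exact rounding is an assumption of this example, and the connection counts in the table are made up.

```shell
#!/bin/sh
# Added example, not from the article: the refusal probability sshd applies under
# MaxStartups start:rate:full, per the sshd_config description (0% below start,
# rate% at start, linear rise to 100% at full). Integer arithmetic is used, as in
# OpenSSH's drop_connection(); the exact rounding is an assumption of this example.

# drop_percent START RATE FULL CURRENT -> percentage of new connections refused
drop_percent() {
    start=$1; rate=$2; full=$3; n=$4
    if [ "$n" -lt "$start" ]; then echo 0; return; fi
    if [ "$n" -ge "$full" ]; then echo 100; return; fi
    echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
}

# Ramp for the page's example, MaxStartups 15:30:60 (connection counts are made up)
for n in 10 15 30 45 60; do
    printf '%2d unauthenticated connections -> refuse %3d%% of new attempts\n' \
        "$n" "$(drop_percent 15 30 60 "$n")"
done
```

A plain `MaxStartups 10` is the degenerate case start=rate=full=10: nothing is refused below ten unauthenticated connections and everything is refused from the tenth on, which is why a brute-forcer holding ten half-open sessions can lock out legitimate users; the three-part form degrades gracefully instead.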
Then use the firewall to block addresses with repeated failed or invalid SSH logins.
The principle is simple: by checking auth.log, if logins from one IP have failed more than 5 times, we treat it as a brute-force attempt.
First check /etc/syslog.conf for a line like:
auth.* /var/log/auth.log
If it is missing, add it (and restart syslogd); the login records are what the scripts judge by.
Then use the firewall to do the actual blocking. Three variants follow, for IPFW, IPF and PF; each is meant to be saved as a script and run periodically.
IPFW:
#!/bin/sh
# Rebuild IPFW rule set 20000 from auth.log: drop it if it exists, then re-add
# one deny rule per offending address.
if ipfw show | awk '{print $1}' | grep -qx 20000; then
    ipfw delete 20000
fi
# Addresses that tried a nonexistent account at least twice
# ("Illegal user NAME from ADDR": the address is the 10th whitespace field).
# Sort before uniq -d, otherwise only adjacent repeats are counted.
for ips in `grep sshd /var/log/auth.log | grep "Illegal" | awk '{print $10}' | sort | uniq -d`; do
    ipfw -q add 20000 deny tcp from $ips to any
done
# Addresses with more than 5 failed passwords; the address is the 4th field
# counted from the end of "Failed password for USER from ADDR port N ssh2".
grep sshd /var/log/auth.log | grep "Failed" | rev | cut -d ' ' -f 4 | rev | sort | uniq -c | \
(while read num ips; do
    if [ "$num" -gt 5 ]; then
        # -w avoids treating 1.2.3.4 as already blocked when only 1.2.3.45 is
        if ! ipfw show | grep -qw "$ips"; then
            ipfw -q add 20000 deny tcp from $ips to any
        fi
    fi
done
)
IPF:
#!/bin/sh
# Rebuild IPF group 20000 from auth.log: remove the existing rules in that
# group, then re-add one block rule per offending address.
OLDIFS=$IFS
IFS='
'
for rules in `ipfstat -i | grep "group 20000"`; do
    echo "$rules" | ipf -r -f -
done
IFS=$OLDIFS   # restore word splitting; with IFS set to newline, "read num ips" below cannot split the uniq -c output
for ips in `grep sshd /var/log/auth.log | grep "Illegal" | awk '{print $10}' | sort | uniq -d`; do
    echo "block in quick from $ips to any group 20000" | ipf -f -
done
grep sshd /var/log/auth.log | grep "Failed" | rev | cut -d ' ' -f 4 | rev | sort | uniq -c | \
(while read num ips; do
    if [ "$num" -gt 5 ]; then
        if ! ipfstat -i | grep -qw "$ips"; then
            echo "block in quick from $ips to any group 20000" | ipf -f -
        fi
    fi
done
)
PF:
#!/bin/sh
# Rebuild the PF table ssh-violations from authlog: flush it, then add every
# offending address. pf.conf (below) must declare the table and block from it.
pfctl -t ssh-violations -T flush
for ips in `grep sshd /var/log/authlog | grep "Illegal" | awk '{print $10}' | sort | uniq -d`; do
    pfctl -t ssh-violations -T add $ips
done
grep sshd /var/log/authlog | grep "Failed" | rev | cut -d ' ' -f 4 | rev | sort | uniq -c | \
(while read num ips; do
    if [ "$num" -gt 5 ]; then
        # check the table contents, not the rule list: the rules only reference <ssh-violations>
        if ! pfctl -t ssh-violations -T show | grep -qw "$ips"; then
            pfctl -t ssh-violations -T add $ips
        fi
    fi
done
)
PF also needs the following in /etc/pf.conf:
table <ssh-violations> persist file "/etc/ssh-violations"
...
block drop in from <ssh-violations> to any
Note that the script only changes the table in the kernel; /etc/ssh-violations is read when pf.conf is loaded and is not written by the script, so the table starts from that file on every reload.
Then add a crontab entry so the script runs every minute (system crontab format, with the user field):
*/1 * * * * root /operator/sshd-fwscan.sh
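The log-driven detection that all three scripts share, as an added example that is not part of the original article: it runs offline over a constructed auth.log sample, extracts the source address by anchoring on " from ADDR" rather than a fixed field number, counts both kinds of evidence (repeated nonexistent users, and more failed passwords than the threshold), tests membership with an exact match (the scripts' `grep -q $ips` is a substring test, so 198.51.100.23 looks already blocked when only 198.51.100.234 is), and prints the rule for the chosen backend instead of applying it. The sample log lines, the threshold and the backend names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article: the detection logic shared by
# the page's IPFW/IPF/PF scripts, made testable offline. Log sample, threshold and
# backend names are assumptions of this example.

FAIL_THRESHOLD=5   # block after more than this many failed passwords (page uses -gt 5)

# Constructed BSD-style auth.log sample (not a real capture). 198.51.100.23 fails six
# times; 198.51.100.234, which contains the former as a substring, fails once;
# 203.0.113.7 probes two nonexistent accounts; 192.0.2.99 and 192.0.2.50 probe one each.
SAMPLE_LOG=$(cat <<'EOF'
Jun  1 10:00:01 bsdhost sshd[4101]: Illegal user admin from 203.0.113.7
Jun  1 10:00:03 bsdhost sshd[4103]: Illegal user oracle from 203.0.113.7
Jun  1 10:00:05 bsdhost sshd[4105]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jun  1 10:00:06 bsdhost sshd[4106]: Failed password for root from 198.51.100.23 port 40113 ssh2
Jun  1 10:00:07 bsdhost sshd[4107]: Failed password for root from 198.51.100.23 port 40114 ssh2
Jun  1 10:00:08 bsdhost sshd[4108]: Failed password for root from 198.51.100.23 port 40115 ssh2
Jun  1 10:00:09 bsdhost sshd[4109]: Failed password for root from 198.51.100.23 port 40116 ssh2
Jun  1 10:00:10 bsdhost sshd[4110]: Failed password for root from 198.51.100.23 port 40117 ssh2
Jun  1 10:00:20 bsdhost sshd[4111]: Failed password for alice from 198.51.100.234 port 50000 ssh2
Jun  1 10:00:25 bsdhost sshd[4112]: Illegal user guest from 192.0.2.99
Jun  1 10:00:27 bsdhost sshd[4113]: Invalid user test from 192.0.2.50 port 51234
Jun  1 10:00:30 bsdhost sshd[4114]: Accepted publickey for alice from 198.51.100.234 port 50001 ssh2
EOF
)

# Print the source address of every sshd line matching the extended regex $2.
# Anchoring on " from ADDR" is sturdier than a fixed awk field ($10) or a field
# counted from the end, both of which shift when the line format changes.
addrs_for() {   # $1 = log text, $2 = pattern
    printf '%s\n' "$1" | grep 'sshd\[' | grep -E "$2" \
        | sed -n 's/.* from \([0-9][0-9.]*\).*/\1/p'
}

# Addresses that probed a nonexistent account at least twice. The page pipes
# straight into `uniq -d`, which only sees adjacent repeats; sort first.
illegal_user_offenders() {   # $1 = log text
    addrs_for "$1" '(Illegal|Invalid) user' | sort | uniq -d
}

# Addresses with more than $2 failed password attempts.
failed_password_offenders() {   # $1 = log text, $2 = threshold
    addrs_for "$1" 'Failed password' | sort | uniq -c \
        | awk -v t="$2" '$1 > t { print $2 }'
}

# Union of both lists, sorted and de-duplicated, one address per line.
offenders() {   # $1 = log text, $2 = threshold
    { illegal_user_offenders "$1"; failed_password_offenders "$1" "$2"; } | sort -u
}

# Exact-match membership test. The page's `grep -q $ips` is a substring test, so
# 198.51.100.23 looks already blocked as soon as 198.51.100.234 is in the list.
is_listed() {   # $1 = newline-separated address list, $2 = address
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# Render the block rule for one backend in the syntax the page uses, without
# applying it, so the result can be reviewed (or piped into the tool) first.
block_rule() {   # $1 = ipfw|ipf|pf, $2 = address
    case "$1" in
        ipfw) printf 'ipfw -q add 20000 deny tcp from %s to any\n' "$2" ;;
        ipf)  printf 'block in quick from %s to any group 20000\n' "$2" ;;
        pf)   printf 'pfctl -t ssh-violations -T add %s\n' "$2" ;;
        *)    echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# Dry run against the sample: show what would be added on a PF host.
echo "# addresses with >$FAIL_THRESHOLD failures or repeated invalid users:"
for addr in $(offenders "$SAMPLE_LOG" "$FAIL_THRESHOLD"); do
    block_rule pf "$addr"
done
```

Two practical points the page's scripts gloss over: the whole log is re-read every minute, so an address that once crossed the threshold stays blocked until the log rotates (which is also when the block silently disappears); and the counts include your own failed attempts, so keep a console or an allow-listed address available before enabling the cron job.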
Now you can test it yourself.
Be careful not to lock yourself out while testing: more than five mistyped passwords from your own address will put it on the block list.
Note the rule number 20000 used for IPFW and the group number 20000 used for IPF; adjust them to fit your own rule set.
Another option: move SSH to a different port, install portsentry, and leave port 22 open as a trap, so that anyone who scans your port 22 is blacklisted immediately.