这两天被暴力扫描SSH致系统服务挂掉的解决办法
[i=s] 本帖最后由 dre5m 于 2013-9-12 15:07 编辑 [/i]@[url=http://www.wdlinux.cn/bbs/space-uid-3188.html]yishunguang[/url] @jiahuajie @w17630
这两天被恶意扫描SSH,导致磁盘IO负荷猛增,最终影响系统服务,比如httpd nginxd mysqld wdapached sshed这些服务宕掉,让网站无法正常运行。(起初似乎是在扫mysql? 但今天发现是在暴力扫SSH)
部分系统安全日志[size=12px]:[/size]
[code]Sep 11 17:00:56 MyServer sshd[27664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:00:58 MyServer sshd[27664]: Failed password for root from 222.36.0.44 port 40348 ssh2
Sep 11 17:00:58 MyServer sshd[27665]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:00:59 MyServer sshd[27666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:01 MyServer sshd[27666]: Failed password for root from 222.36.0.44 port 43997 ssh2
Sep 11 17:01:01 MyServer sshd[27667]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:02 MyServer sshd[27669]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:03 MyServer sshd[27669]: Failed password for root from 222.36.0.44 port 47379 ssh2
Sep 11 17:01:03 MyServer sshd[27680]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:04 MyServer sshd[27681]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:06 MyServer sshd[27681]: Failed password for root from 222.36.0.44 port 50415 ssh2
Sep 11 17:01:06 MyServer sshd[27682]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:07 MyServer sshd[27683]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:10 MyServer sshd[27683]: Failed password for root from 222.36.0.44 port 53824 ssh2
Sep 11 17:01:10 MyServer sshd[27684]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:11 MyServer sshd[27685]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:13 MyServer sshd[27685]: Failed password for root from 222.36.0.44 port 58087 ssh2
Sep 11 17:01:13 MyServer sshd[27686]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:14 MyServer sshd[27687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:16 MyServer sshd[27687]: Failed password for root from 222.36.0.44 port 33608 ssh2
Sep 11 17:01:16 MyServer sshd[27688]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:17 MyServer sshd[27689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:19 MyServer sshd[27689]: Failed password for root from 222.36.0.44 port 37081 ssh2
Sep 11 17:01:19 MyServer sshd[27690]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:20 MyServer sshd[27691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:21 MyServer sshd[27691]: Failed password for root from 222.36.0.44 port 40586 ssh2
[/code]
磁盘IO
[attach]3609[/attach]
解决办法是安装一个自动屏蔽软件denyhosts,并设为随VPS启动,我参考的是 http://itzzz.com/server/065248.html ,写的很详细,就不赘述了
denyhosts的日志,看这几个哪个软件扫来扫去的贱人在搞神马啊。。:
[code]
2013-09-12 14:13:03,125 - denyhosts : INFO Processing log file (/var/log/secure) from offset (0)
2013-09-12 14:13:35,902 - denyhosts : INFO new denied hosts: ['103.31.80.46', '218.95.37.206', '211.139.127.228', '195.88.62.132', '61.164.110.115', '88.208.222.32', '60.165.167.2', '76.74.201.147', '123.103.12.34', '212.227.89.88', '137.175.46.104', '190.11.160.179', '60.173.11.253', '82.165.133.118', '222.36.0.44', '117.141.96.7', '210.21.90.38', '221.176.53.109', '61.164.118.195', '182.18.31.165', '123.103.12.35']
2013-09-12 14:13:35,903 - denyhosts : INFO launching DenyHosts daemon (version 2.6)..[/code]
被攻击以后可能你的服务都被关掉了,start一下即可
service httpd start
service mysqld start
service nginxd start
service wdapache start 最简单的办法,修改下SSH的端口,而不是用默认的22 http://centoshelp.org/security/denyhosts/
有更简单的安装办法
页:
[1]