Title: [Share] Fix for SSH brute-force scanning that has been taking down system services these past couple of days
Author: dre5m
Time: 2013-9-12 14:59
This post was last edited by dre5m on 2013-9-12 15:07
@yishunguang @jiahuajie @w17630
For the past couple of days the server has been hit by malicious SSH scanning, which sent disk IO load through the roof and eventually hurt system services: httpd, nginxd, mysqld, wdapache and sshd all went down and the website stopped working. (At first it looked like they were scanning mysql? But today I found it is brute-force scanning of SSH.)
Part of the system security log:
Sep 11 17:00:56 MyServer sshd[27664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:00:58 MyServer sshd[27664]: Failed password for root from 222.36.0.44 port 40348 ssh2
Sep 11 17:00:58 MyServer sshd[27665]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:00:59 MyServer sshd[27666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:01 MyServer sshd[27666]: Failed password for root from 222.36.0.44 port 43997 ssh2
Sep 11 17:01:01 MyServer sshd[27667]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:02 MyServer sshd[27669]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:03 MyServer sshd[27669]: Failed password for root from 222.36.0.44 port 47379 ssh2
Sep 11 17:01:03 MyServer sshd[27680]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:04 MyServer sshd[27681]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:06 MyServer sshd[27681]: Failed password for root from 222.36.0.44 port 50415 ssh2
Sep 11 17:01:06 MyServer sshd[27682]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:07 MyServer sshd[27683]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:10 MyServer sshd[27683]: Failed password for root from 222.36.0.44 port 53824 ssh2
Sep 11 17:01:10 MyServer sshd[27684]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:11 MyServer sshd[27685]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:13 MyServer sshd[27685]: Failed password for root from 222.36.0.44 port 58087 ssh2
Sep 11 17:01:13 MyServer sshd[27686]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:14 MyServer sshd[27687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:16 MyServer sshd[27687]: Failed password for root from 222.36.0.44 port 33608 ssh2
Sep 11 17:01:16 MyServer sshd[27688]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:17 MyServer sshd[27689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:19 MyServer sshd[27689]: Failed password for root from 222.36.0.44 port 37081 ssh2
Sep 11 17:01:19 MyServer sshd[27690]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:20 MyServer sshd[27691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:01:21 MyServer sshd[27691]: Failed password for root from 222.36.0.44 port 40586 ssh2
Disk IO (image attachment IO.jpg, 23.71 KB, 2013-9-12 14:55)
The fix is to install an automatic blocking tool, denyhosts, and set it to start with the VPS. I followed http://itzzz.com/server/065248.html, which is very detailed, so I won't repeat it here.
denyhosts' log; have a look at what these scanning lowlifes are up to with their tools...:
2013-09-12 14:13:03,125 - denyhosts : INFO Processing log file (/var/log/secure) from offset (0)
2013-09-12 14:13:35,902 - denyhosts : INFO new denied hosts: ['103.31.80.46', '218.95.37.206', '211.139.127.228', '195.88.62.132', '61.164.110.115', '88.208.222.32', '60.165.167.2', '76.74.201.147', '123.103.12.34', '212.227.89.88', '137.175.46.104', '190.11.160.179', '60.173.11.253', '82.165.133.118', '222.36.0.44', '117.141.96.7', '210.21.90.38', '221.176.53.109', '61.164.118.195', '182.18.31.165', '123.103.12.35']
2013-09-12 14:13:35,903 - denyhosts : INFO launching DenyHosts daemon (version 2.6)..
After the attack your services may all have been shut down; just start them again:
service httpd start
service mysqld start
service nginxd start
service wdapache start
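What denyhosts does with the /var/log/secure lines quoted above is essentially this: parse the `Failed password` lines, count failures per source address, and write the addresses that cross a threshold into /etc/hosts.deny. The following is an added example (my code, not dre5m's and not denyhosts' own source) that runs that detection over a constructed log sample in the same format as the excerpt; the `222.36.0.44` lines mirror the post, while `103.31.80.46`, `192.0.2.10`, the `admin`/`oracle`/`deploy` usernames and the thresholds are assumptions made up for the example. It goes slightly beyond the post by also flagging attempts against nonexistent usernames, which sshd logs as `invalid user` and which a scanner produces far sooner than five failures on one account.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure excerpt from the post.
# The 222.36.0.44 lines mirror it; the other addresses, users and the
# "Accepted publickey" line are made up for this example.
SAMPLE_LOG = """\
Sep 11 17:00:56 MyServer sshd[27664]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.36.0.44 user=root
Sep 11 17:00:58 MyServer sshd[27664]: Failed password for root from 222.36.0.44 port 40348 ssh2
Sep 11 17:00:58 MyServer sshd[27665]: Received disconnect from 222.36.0.44: 11: Bye Bye
Sep 11 17:01:01 MyServer sshd[27666]: Failed password for root from 222.36.0.44 port 43997 ssh2
Sep 11 17:01:03 MyServer sshd[27669]: Failed password for root from 222.36.0.44 port 47379 ssh2
Sep 11 17:01:06 MyServer sshd[27681]: Failed password for root from 222.36.0.44 port 50415 ssh2
Sep 11 17:01:10 MyServer sshd[27683]: Failed password for root from 222.36.0.44 port 53824 ssh2
Sep 11 17:01:12 MyServer sshd[27700]: Failed password for invalid user admin from 103.31.80.46 port 51234 ssh2
Sep 11 17:01:14 MyServer sshd[27702]: Failed password for invalid user oracle from 103.31.80.46 port 51240 ssh2
Sep 11 17:01:20 MyServer sshd[27710]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Sep 11 17:01:25 MyServer sshd[27712]: Failed password for deploy from 192.0.2.10 port 52010 ssh2
"""

# One regex for both shapes sshd writes: "Failed password for root from ..." and
# "Failed password for invalid user admin from ...". The pam_unix and
# "Received disconnect" lines belong to the same attempt and are deliberately ignored,
# otherwise every attempt would be counted two or three times.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)


def parse_failures(log_text):
    """Yield (source_ip, username, is_invalid_user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(log_text):
    """Per source IP: total failures, the usernames tried, and attempts on nonexistent users."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "invalid_user": 0})
    for ip, user, invalid in parse_failures(log_text):
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        if invalid:
            s["invalid_user"] += 1
    return dict(stats)


def offenders(log_text, threshold=5, invalid_threshold=2, whitelist=()):
    """Addresses to block, mapped to their failure count.

    An address qualifies with `threshold` or more failures, or with `invalid_threshold`
    or more attempts against usernames that do not exist (a real user who mistypes a
    password does not also guess usernames). Whitelisted addresses are never returned,
    so the admin's own IP cannot be locked out by a typo. Thresholds are assumptions."""
    hits = {}
    for ip, s in summarize(log_text).items():
        if ip in whitelist:
            continue
        if s["failures"] >= threshold or s["invalid_user"] >= invalid_threshold:
            hits[ip] = s["failures"]
    return hits


def hosts_deny_lines(ips):
    """Render the entries denyhosts appends to /etc/hosts.deny: one 'sshd: <ip>' per line."""
    return ["sshd: %s" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    for ip, n in sorted(bad.items()):
        print("%-16s %d failures, users tried: %s"
              % (ip, n, ", ".join(sorted(summarize(SAMPLE_LOG)[ip]["users"]))))
    print("\n".join(hosts_deny_lines(bad)))
```

Two caveats a practitioner should keep in mind when relying on this approach. First, denyhosts enforces its list through TCP wrappers (/etc/hosts.deny), which only has effect while sshd is built with libwrap; the CentOS 5/6 packages of 2013 were, but OpenSSH 6.7 and later dropped tcp_wrappers support, so on newer systems the same address list has to go into iptables/nftables (or you use fail2ban, which does that for you). Second, every failure in the quoted log targets `root`: with `PermitRootLogin no` and key-only authentication the guessing cannot succeed at all, whatever the blocker does.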
Author: admin
Time: 2013-9-13 16:09
The simplest approach is to change the SSH port instead of using the default 22.
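An added example (mine, not admin's and not part of the thread) that applies this advice to the text of an sshd_config file without hand-editing it. The constructed `SAMPLE_CONFIG` and the port 2222 are assumptions for the example. It handles the two mistakes that actually lock people out or leave port 22 open: a stray second active `Port` line (sshd listens on every `Port` line, so the old port would stay reachable), and a directive appended after a `Match` block, where it would silently apply only to that block. The same helper works for any top-level keyword, so the last function also sets `PermitRootLogin no`, which is the other obvious response to the root-only guessing in the first post's log.

```python
import re

# One sshd_config line: optional "#" (commented out), a keyword, its value.
# sshd keywords are case-insensitive, hence the .lower() comparisons below.
DIRECTIVE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z]+)\s+(\S.*?)\s*$")

# Constructed sample config (assumption for this example); note the commented
# default, the duplicate active Port line, and the trailing Match block.
SAMPLE_CONFIG = """\
#Port 22
Protocol 2
Port 22
PermitRootLogin yes
Match User git
    PermitRootLogin no
"""


def set_directive(config_text, keyword, value):
    """Return config_text with exactly one active top-level '<keyword> <value>' line.

    The first top-level line carrying the keyword (active or commented out) is
    replaced in place; any further active copy is commented out so it cannot
    keep an old value alive. Lines inside Match blocks are left untouched. If
    the keyword is absent, the new line goes before the first Match block."""
    out, replaced, first_match_idx = [], False, None
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        key = m.group(2).lower() if m else None
        if key == "match":
            if first_match_idx is None:
                first_match_idx = len(out)
            out.append(line)
            continue
        if first_match_idx is not None or key != keyword.lower():
            out.append(line)  # inside a Match block, or an unrelated line
            continue
        commented = m.group(1) is not None
        if not replaced:
            out.append("%s %s" % (keyword, value))
            replaced = True
        elif not commented:
            out.append("#" + line.lstrip())  # disable a duplicate active setting
        else:
            out.append(line)
    if not replaced:
        new_line = "%s %s" % (keyword, value)
        if first_match_idx is None:
            out.append(new_line)
        else:
            out.insert(first_match_idx, new_line)
    return "\n".join(out) + "\n"


def listening_ports(config_text):
    """Ports sshd would bind according to this text: every active top-level Port line, else 22."""
    ports = []
    for line in config_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m or m.group(1) is not None:
            continue
        key = m.group(2).lower()
        if key == "match":
            break
        if key == "port" and m.group(3).isdigit():
            ports.append(int(m.group(3)))
    return ports or [22]


def set_ssh_port(config_text, port):
    """Move sshd off the default port; rejects values outside 1..65535."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return set_directive(config_text, "Port", str(port))


def harden(config_text, port):
    """Port change plus PermitRootLogin no, the combination suggested by the thread's log."""
    return set_directive(set_ssh_port(config_text, port), "PermitRootLogin", "no")


if __name__ == "__main__":
    new_text = harden(SAMPLE_CONFIG, 2222)
    print(new_text)
    print("sshd would listen on:", listening_ports(new_text))
```

After writing the result back to /etc/ssh/sshd_config, check it with `sshd -t` before restarting, open the new port in the firewall first (and, on a CentOS box with SELinux enforcing, register it with `semanage port -a -t ssh_port_t -p tcp 2222`), then `service sshd restart` while keeping the current session open until a fresh login on the new port succeeds. Moving the port cuts the noise from bulk scanners that only probe 22; it does not stop anyone who port-scans the host first, so it belongs next to log-based blocking or key-only logins, not instead of them.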
Author: w263756314
Time: 2014-2-6 22:55
http://centoshelp.org/security/denyhosts/ has a simpler way to install it.
Welcome to the WDlinux official forum (http://wdlinux.cn/bbs/)
Powered by Discuz! 7.2