Looking at webalizer made me vaguely uneasy, so I went looking for the ssh login history

in the /var/log/auth.log* files. Since the connection is closed automatically after 5 failures, I searched on that basis, and

sure enough, somebody tries at least once a day -_-

$ grep "PAM 5 more authentication" /var/log/auth.log*


Just in case, I also searched for login failures... yikes... -_-

$ grep "Failed password for" /var/log/auth.log*  

List of IDs that were tried and failed

[Link : http://serverfault.com/questions/130482/how-to-check-sshd-log]
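The two grep commands above show the raw lines; to see who is hammering the box and which account names they guess, it helps to group the "Failed password" lines by source address. The script below is an added example (not from the original post) that does exactly that. It uses four lines from the post's own auth.log excerpts plus one constructed line (user "pi" from 203.0.113.7) as sample input; the names parse_failed_logins, summarize_by_ip and top_usernames are my own. It separates "invalid user" failures (account does not exist) from failures against real accounts, which is the more worrying kind.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (added for this example): four lines taken from the
# post's own auth.log excerpts plus one constructed line, "pi" from 203.0.113.7,
# so that a failure against an existing account is also represented.
SAMPLE_LOG = """\
auth.log.1:Jan 23 10:50:45 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
auth.log.1:Jan 23 10:50:47 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
auth.log.1:Jan 23 10:52:58 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
auth.log.1:Jan 23 11:02:19 raspberrypi sshd[2673]: Failed password for invalid user reddragon from 106.247.230.226 port 56955 ssh2
auth.log:Feb  9 04:48:53 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
auth.log:Feb  9 09:12:03 raspberrypi sshd[3401]: Failed password for pi from 203.0.113.7 port 51022 ssh2
"""

# Matches the sshd "Failed password" line. The optional "invalid user " prefix
# tells us whether the guessed account even exists on the box.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line: user, ip, port, invalid flag."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            records.append({
                "user": m.group("user"),
                "ip": m.group("ip"),
                "port": int(m.group("port")),
                "invalid_user": m.group("invalid") is not None,
            })
    return records


def summarize_by_ip(records):
    """Per source IP: attempt count plus the names tried, split by whether the
    account exists (a guess against a real account matters more)."""
    summary = defaultdict(lambda: {"attempts": 0, "invalid_users": set(), "valid_users": set()})
    for r in records:
        s = summary[r["ip"]]
        s["attempts"] += 1
        s["invalid_users" if r["invalid_user"] else "valid_users"].add(r["user"])
    # Sorted lists instead of sets so the output is stable between runs.
    return {
        ip: {
            "attempts": s["attempts"],
            "invalid_users": sorted(s["invalid_users"]),
            "valid_users": sorted(s["valid_users"]),
        }
        for ip, s in summary.items()
    }


def top_usernames(records, n=10):
    """Most frequently guessed usernames across all sources."""
    return Counter(r["user"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_failed_logins(SAMPLE_LOG)
    by_ip = summarize_by_ip(recs)
    for ip, s in sorted(by_ip.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:16} {s['attempts']:3} attempts  invalid={s['invalid_users']}  valid={s['valid_users']}")
    print("most guessed:", top_usernames(recs, 5))
```

Run it against the real file with `parse_failed_logins(open("/var/log/auth.log").read())`; any address in the valid_users column is worth a closer look, since the attacker knows (or guessed) an account that actually exists.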


How to block root login itself. It rejects at the authentication step; it does not reject the root login attempt itself.

$ sudo vi /etc/ssh/sshd_config

#PermitRootLogin without-password
PermitRootLogin no
DenyUsers root


[Link : https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user]

[Link : http://askubuntu.com/questions/27559/how-do-i-disable-remote-ssh-login-as-root-from-a-server]

[Link : http://superuser.com/questions/478341/automatically-deny-hacking-attempts-in-centos]
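One thing to check after editing sshd_config: sshd uses the first uncommented value of a keyword and ignores later duplicates (sshd_config(5): "for each keyword, the first obtained value will be used"), so a "PermitRootLogin no" added at the bottom of a file that still has "PermitRootLogin yes" higher up changes nothing. The helper below is an added example (not from the post or any linked page) that reports the value sshd would actually use and lists the shadowed duplicates; the names effective_value, root_login_disabled and shadowed_directives are my own. Directives after a Match line are skipped because they apply only to matching connections. On a live host, `sudo sshd -T` prints the effective configuration and is the authoritative check.

```python
import re

# Keyword, then either "=" or whitespace, then the value. sshd accepts both forms.
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s*(?:=|\s)\s*(\S+)")

# The sshd_config lines from the post, used as the demo input.
POST_SNIPPET = "#PermitRootLogin without-password\nPermitRootLogin no\nDenyUsers root\n"


def _global_directives(config_text):
    """Yield (keyword, value) pairs from the global section, lower-cased.
    Comments are stripped; the global section ends at the first Match block."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip().lower().startswith("match"):
            break
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2).lower()


def effective_value(config_text, keyword):
    """Value sshd would use for keyword (first occurrence wins), or None when
    the keyword is not set and the compiled-in default applies."""
    for key, value in _global_directives(config_text):
        if key == keyword.lower():
            return value
    return None


def shadowed_directives(config_text, keyword):
    """Values of keyword that sshd silently ignores because an earlier one wins."""
    values = [v for k, v in _global_directives(config_text) if k == keyword.lower()]
    return values[1:]


def root_login_disabled(config_text):
    """True only when the effective PermitRootLogin is exactly 'no'
    (without-password / prohibit-password still allow root with a key)."""
    return effective_value(config_text, "PermitRootLogin") == "no"


if __name__ == "__main__":
    print("effective PermitRootLogin:", effective_value(POST_SNIPPET, "PermitRootLogin"))
    print("root login disabled:", root_login_disabled(POST_SNIPPET))
    broken = "PermitRootLogin yes\nPermitRootLogin no\n"
    print("shadowed in broken config:", shadowed_directives(broken, "PermitRootLogin"))
```

A non-empty result from shadowed_directives means a later edit is being ignored; move the intended value above the first occurrence (or delete the earlier one) and reload sshd.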


Anyway, searching around, there seems to be a package called fail2ban.

[Link : http://askubuntu.com/questions/178016/how-do-i-keep-track-of-failed-ssh-log-in-attempts]

[Link : http://superuser.com/questions/476231/ban-ip-on-multiple-faild-ssh-login-attempts]


$ sudo apt-cache search fail2ban

fail2ban - ban hosts that cause multiple authentication errors 


Installation, as always, is just copy-pasting the line below

$ sudo apt-get install fail2ban 


Looking at the log to find the guys to block,

the login attempts come at 2~3 second intervals, and default ssh seems to allow up to 5,

but if I try to catch even the ones who try only once or twice and run away, I could get caught myself after mistyping my login,

so this is a real dilemma -_-

auth.log.1:Jan 23 10:50:45 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
auth.log.1:Jan 23 10:50:47 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
auth.log.1:Jan 23 10:52:14 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
auth.log.1:Jan 23 10:52:16 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
auth.log.1:Jan 23 10:52:18 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
auth.log.1:Jan 23 10:52:58 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
auth.log.1:Jan 23 10:53:00 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
auth.log.1:Jan 23 10:53:02 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
auth.log.1:Jan 23 10:55:12 raspberrypi sshd[2638]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 52864 ssh2
auth.log.1:Jan 23 10:55:15 raspberrypi sshd[2638]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 52864 ssh2
auth.log.1:Jan 23 10:56:38 raspberrypi sshd[2647]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 50460 ssh2
auth.log.1:Jan 23 10:57:21 raspberrypi sshd[2653]: Failed password for invalid user ts4 from 106.247.230.226 port 60900 ssh2
auth.log.1:Jan 23 11:00:14 raspberrypi sshd[2662]: Failed password for invalid user offline from 106.247.230.226 port 54433 ssh2
auth.log.1:Jan 23 11:00:56 raspberrypi sshd[2668]: Failed password for invalid user webdesign from 106.247.230.226 port 52505 ssh2
auth.log.1:Jan 23 11:02:19 raspberrypi sshd[2673]: Failed password for invalid user reddragon from 106.247.230.226 port 56955 ssh2


In the config, I added the IP range I use at home so it won't get blocked (is it because of the LG U+ router?)

and set the ban time to 30 days (60 seconds * 60 minutes * 24 hours * 30 days) for now.

And the window for catching someone is 5 failures within 1 minute! Did I make it too narrow?

$ sudo vi /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.219.1/24
ignorecommand =
bantime  = 2592000
findtime = 60
maxretry = 5

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[apache]
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 5

[Link : https://blog.lael.be/post/1209]

[Link : https://www.conory.com/note_linux/11720]

Once I've slept, maybe one (!) will have been caught by tomorrow?
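To see how ignoreip, findtime, maxretry and bantime above interact, here is a small simulation I added (it is not fail2ban's own code, just a simplified model of a jail: an address is banned once it has maxretry failures inside any findtime-second window). The constructed events reuse the post's Feb 9 run from 221.194.44.252, add a stand-in for the author's own mistyped logins from the home LAN (192.168.219.10), and a constructed "slow" guesser at 198.51.100.9 that spaces attempts 20 s apart; the names simulate_jail, parse_ignoreip, is_ignored and banned_ips are my own. One caveat it makes visible: "192.168.219.1/24" has host bits set, so Python's ip_network rejects it unless strict=False; fail2ban reads it as the 192.168.219.0/24 network.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters exactly as set in the post's jail.conf.
IGNOREIP = ["127.0.0.1/8", "192.168.219.1/24"]
FINDTIME = 60          # seconds
MAXRETRY = 5
BANTIME = 2592000      # 60*60*24*30 = 30 days


def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed failure events (timestamp, source IP) for this example.
EVENTS = (
    # the 5 failures from the post's Feb 9 auth.log, 2 s apart
    [(t("2017-02-09 04:48:5%d" % s), "221.194.44.252") for s in (3, 5, 7, 9)]
    + [(t("2017-02-09 04:49:01"), "221.194.44.252")]
    # 6 mistyped logins from the home LAN, covered by ignoreip
    + [(t("2017-02-09 04:55:00") + timedelta(seconds=2 * i), "192.168.219.10") for i in range(6)]
    # a slow guesser: 5 failures spread over 80 s, i.e. wider than findtime=60
    + [(t("2017-02-09 05:00:00") + timedelta(seconds=20 * i), "198.51.100.9") for i in range(5)]
)


def parse_ignoreip(entries):
    # strict=False: "192.168.219.1/24" has host bits set and would otherwise
    # raise ValueError; fail2ban treats it as the 192.168.219.0/24 network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_ignored(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def simulate_jail(events, ignoreip=IGNOREIP, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Simplified jail model. Returns a list of (ban_time, ip, ban_expires)."""
    networks = parse_ignoreip(ignoreip)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}
    bans = []
    for ts, ip in sorted(events):
        if is_ignored(ip, networks):
            continue              # ignoreip: never counted, never banned
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned; iptables would drop this
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            expires = ts + timedelta(seconds=bantime)
            banned_until[ip] = expires
            bans.append((ts, ip, expires))
            window.clear()
    return bans


def banned_ips(events, **params):
    return [ip for _, ip, _ in simulate_jail(events, **params)]


if __name__ == "__main__":
    for ban_time, ip, expires in simulate_jail(EVENTS):
        print(f"{ban_time} Ban {ip} (until {expires})")
    print("with findtime=600:", banned_ips(EVENTS, findtime=600))
    print("without ignoreip: ", banned_ips(EVENTS, ignoreip=[]))
```

With the post's settings only 221.194.44.252 gets banned, at 04:49:01, matching the fail2ban.log line later in the post. The slow guesser slips through because its five failures span 80 s; widening findtime to 600 catches it, and dropping ignoreip shows the home address would have been banned after the fifth typo.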



+

Is the 175.224.0.0/11 range KT WiBro?


+

2017.02.09

Yay, caught one lol

$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  221.194.44.252       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere


Feb  9 04:48:52 raspberrypi sshd[3342]: Invalid user admin from 221.194.44.252
Feb  9 04:48:52 raspberrypi sshd[3342]: input_userauth_request: invalid user admin [preauth]
Feb  9 04:48:52 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 04:48:52 raspberrypi sshd[3342]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.44.252
Feb  9 04:48:53 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
Feb  9 04:48:53 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 04:48:55 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
Feb  9 04:48:55 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 04:48:57 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
Feb  9 04:48:57 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 04:48:59 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
Feb  9 04:48:59 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 04:49:01 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2
Feb  9 04:49:01 raspberrypi sshd[3342]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb  9 04:49:01 raspberrypi sshd[3342]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.44.252
Feb  9 04:49:01 raspberrypi sshd[3342]: PAM service(sshd) ignoring max retries; 5 > 3


After applying it to Apache too and restarting the service, the ban got lifted?!?!

2017-02-09 04:49:01,756 fail2ban.actions[31809]: WARNING [ssh] Ban 221.194.44.252
2017-02-09 08:50:18,961 fail2ban.server [31809]: INFO    Stopping all jails
2017-02-09 08:50:19,255 fail2ban.actions[31809]: WARNING [ssh] Unban 221.194.44.252


Posted by 구차니