While looking at webalizer I got a bit uneasy, so I went looking for the ssh login history.

I'm looking at the /var/log/auth.log* files.. since the connection is dropped automatically after 5 failures, I searched using that as the criterion,

and someone has tried at least once every single day -_-

$ grep "PAM 5 more authentication" /var/log/auth.log*


Just in case, I also searched for login failures.. whoa... -_-

$ grep "Failed password for" /var/log/auth.log*  

List of IDs that were tried and failed

[Link : http://serverfault.com/questions/130482/how-to-check-sshd-log]


How to block root login itself. It is refused at authentication, but the root login attempt itself is not refused.

$ sudo vi /etc/ssh/sshd_config

#PermitRootLogin without-password
PermitRootLogin no
DenyUsers root


[Link : https://mediatemple.net/community/products/dv/204643810/how-do-i-disable-ssh-login-for-the-root-user]

[Link : http://askubuntu.com/questions/27559/how-do-i-disable-remote-ssh-login-as-root-from-a-server]

[Link : http://superuser.com/questions/478341/automatically-deny-hacking-attempts-in-centos]


Anyway, searching around, there seems to be a package called fail2ban.

[Link : http://askubuntu.com/questions/178016/how-do-i-keep-track-of-failed-ssh-log-in-attempts]

[Link : http://superuser.com/questions/476231/ban-ip-on-multiple-faild-ssh-login-attempts]


$ sudo apt-cache search fail2ban

fail2ban - ban hosts that cause multiple authentication errors 


Installation, as always, is just copy-pasting the line below

$ sudo apt-get install fail2ban 


Looking through the logs to find the guys to block,

the login attempts come at 2~3 second intervals, and default ssh seems to allow up to 5 tries,

but if I try to catch even the ones that attempt once or twice and run away, I might get caught myself after a typo when I fail to log in,

so this is quite a dilemma -_-

auth.log.1:Jan 23 10:50:45 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2

auth.log.1:Jan 23 10:50:47 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2

auth.log.1:Jan 23 10:52:14 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2

auth.log.1:Jan 23 10:52:16 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2

auth.log.1:Jan 23 10:52:18 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2

auth.log.1:Jan 23 10:52:58 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2

auth.log.1:Jan 23 10:53:00 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2

auth.log.1:Jan 23 10:53:02 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2

auth.log.1:Jan 23 10:55:12 raspberrypi sshd[2638]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 52864 ssh2

auth.log.1:Jan 23 10:55:15 raspberrypi sshd[2638]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 52864 ssh2

auth.log.1:Jan 23 10:56:38 raspberrypi sshd[2647]: Failed password for invalid user teamspeak2 from 106.247.230.226 port 50460 ssh2

auth.log.1:Jan 23 10:57:21 raspberrypi sshd[2653]: Failed password for invalid user ts4 from 106.247.230.226 port 60900 ssh2

auth.log.1:Jan 23 11:00:14 raspberrypi sshd[2662]: Failed password for invalid user offline from 106.247.230.226 port 54433 ssh2

auth.log.1:Jan 23 11:00:56 raspberrypi sshd[2668]: Failed password for invalid user webdesign from 106.247.230.226 port 52505 ssh2

auth.log.1:Jan 23 11:02:19 raspberrypi sshd[2673]: Failed password for invalid user reddragon from 106.247.230.226 port 56955 ssh2 


For the configuration I added the IP range used at home so I wouldn't get blocked (is it like this because it's an LG U+ router?),

and once caught, I set the ban time to 30 days (60 seconds * 60 minutes * 24 hours * 30 days) for now.

And the window for finding someone to block is 5 failures within 1 minute! Did I narrow it too much?

$ sudo vi /etc/fail2ban/jail.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.219.1/24
ignorecommand =
bantime  = 2592000
findtime = 60
maxretry = 5

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5

[apache]
enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 5
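
To see what the findtime/maxretry/ignoreip settings above would do to the 2~3 second burst pattern in the log excerpt, here is an added Python model (written for this page, not fail2ban's own code and not from the original post) that replays "Failed password" lines through a sliding window; the sample lines are copied from the excerpt without the grep filename prefix, plus one constructed failure from the home LAN.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: lines copied from the post's auth.log excerpt, plus one
# made-up failure from the home LAN (192.168.219.7) that ignoreip must skip.
SAMPLE_LOG = """\
Jan 23 10:50:45 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
Jan 23 10:50:47 raspberrypi sshd[2616]: Failed password for invalid user gopher from 106.247.230.226 port 39683 ssh2
Jan 23 10:52:14 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
Jan 23 10:52:16 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
Jan 23 10:52:18 raspberrypi sshd[2622]: Failed password for invalid user nfsnobody from 106.247.230.226 port 49373 ssh2
Jan 23 10:52:58 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
Jan 23 10:53:00 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
Jan 23 10:53:02 raspberrypi sshd[2629]: Failed password for games from 106.247.230.226 port 49461 ssh2
Jan 23 10:53:30 raspberrypi sshd[2700]: Failed password for pi from 192.168.219.7 port 50000 ssh2
"""

# Same line shape the post greps for: "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def would_ban(log_text, findtime=60, maxretry=5,
              ignoreip=("127.0.0.1/8", "192.168.219.1/24")):
    """Replay failures through a fail2ban-style window and return [(ip, ts)]
    for each moment a source reaches `maxretry` failures within `findtime`
    seconds. Defaults mirror the post's jail; a model of the rule, not fail2ban."""
    ignored = [ipaddress.ip_network(n, strict=False) for n in ignoreip]  # post's /24 has host bits set
    recent, bans = defaultdict(deque), []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in ignored):
            continue  # ignoreip: home LAN and loopback are never counted
        window = recent[str(ip)]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans.append((str(ip), m.group("ts")))
            window.clear()  # counting starts over once the source is banned
    return bans


if __name__ == "__main__":
    for ip, ts in would_ban(SAMPLE_LOG):
        print(f"would ban {ip} at {ts}")
```

With the post's values the scanner trips at 10:53:00 only because two 3-try bursts land inside one minute; with findtime=10 it is never caught, which is the trade-off the "did I narrow it too much?" question is about.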

[Link : https://blog.lael.be/post/1209]

[Link : https://www.conory.com/note_linux/11720]

Once I've slept, will about one (!) be caught by tomorrow?



+

Would the 175.224.0.0/11 range be KT wibro?


+

2017.02.09

Yes! Caught one lol

$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh


Chain FORWARD (policy ACCEPT)

target     prot opt source               destination


Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination


Chain fail2ban-ssh (1 references)

target     prot opt source               destination

REJECT     all  --  221.194.44.252       anywhere             reject-with icmp-port-unreachable

RETURN     all  --  anywhere             anywhere


Feb  9 04:48:52 raspberrypi sshd[3342]: Invalid user admin from 221.194.44.252

Feb  9 04:48:52 raspberrypi sshd[3342]: input_userauth_request: invalid user admin [preauth]

Feb  9 04:48:52 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown

Feb  9 04:48:52 raspberrypi sshd[3342]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.44.252

Feb  9 04:48:53 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2

Feb  9 04:48:53 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown

Feb  9 04:48:55 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2

Feb  9 04:48:55 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown

Feb  9 04:48:57 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2

Feb  9 04:48:57 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown

Feb  9 04:48:59 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2

Feb  9 04:48:59 raspberrypi sshd[3342]: pam_unix(sshd:auth): check pass; user unknown

Feb  9 04:49:01 raspberrypi sshd[3342]: Failed password for invalid user admin from 221.194.44.252 port 2815 ssh2

Feb  9 04:49:01 raspberrypi sshd[3342]: fatal: Read from socket failed: Connection reset by peer [preauth]

Feb  9 04:49:01 raspberrypi sshd[3342]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.44.252

Feb  9 04:49:01 raspberrypi sshd[3342]: PAM service(sshd) ignoring max retries; 5 > 3 


I applied it to apache as well and restarted the service, and the ban got lifted?!?!

2017-02-09 04:49:01,756 fail2ban.actions[31809]: WARNING [ssh] Ban 221.194.44.252

2017-02-09 08:50:18,961 fail2ban.server [31809]: INFO    Stopping all jails

2017-02-09 08:50:19,255 fail2ban.actions[31809]: WARNING [ssh] Unban 221.194.44.252 


Posted by 구차니

Looking at webalizer I saw some strange connections, so I'm looking for a way to block them.

But.. isn't there something automated for this? Editing apache.conf by hand and restarting apache each time is a bit much...


<Directory /var/www/>

Options FollowSymLinks MultiViews

AllowOverride None

Order deny,allow

Allow from xxx.xxx.xxx.xxx

Allow from xxx.xxx.xxx.xxx

Allow from xxx.xxx.xxx.xxx

Deny from all

</Directory>

[Link : http://ngee.tistory.com/209]

[Link : https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html]

[Link : https://httpd.apache.org/docs/2.4/howto/access.html]


A way to use an external file via mod_rewrite.. this looks a bit better..

#Required set of rewrite rules

RewriteEngine on

RewriteMap    hosts-deny  txt:/etc/apache/banned-hosts

RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]

RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND

RewriteRule   ^  /why-am-i-banned.html


##  inside our banned hosts file, we have:

## /etc/apache2/banned-hosts (maintain the format .. its not just a plain text file)

## 


193.102.180.41 -

192.168.111.45 -

www.example.com -

www.sumwia.net - 

[Link : http://stackoverflow.com/questions/23157707/apache-2-4-x-ip-blacklist]


Even looking at other options.. the conclusion is IP filtering via fail2ban..

First download the geoDB and save it,

$ wget ftp://ftp.mrunix.net/pub/webalizer/geodb/geodb-latest.tgz

$ tar -xvf geodb-latest.tgz

$ sudo mkdir /usr/share/GeoDB

$ sudo mv GeoDB.dat /usr/share/GeoDB/

then change the webalizer configuration!

$ sudo vi /etc/webalizer/webalizer.conf

GeoDB           yes

GeoDBDatabase   /usr/share/GeoDB/GeoDB.dat 

Then run it and the country data shows up.

$ sudo webalizer 



---

7a. Why does the country section show only 100% unresolved?

Most likely because your web server is not doing name lookups and simply logging IP addresses. In order to determine the top level domain of the remote site, the program needs a resolved hostname, not an IP address. The simple fix is to just turn on name lookups on your web server so it starts logging names. Otherwise, you can pre-process your logs with something like the logresolve program supplied with apache or similar utilities, or you can use the Webalizer's built-in DNS lookup code (see 7b below). Another alternative is to enable the geolocation services, which will look up the geographic location of IP addresses. You can use either the Webalizer's native geolocation support (GeoDB) which supports both IPv4 and IPv6 addresses, or optionally, GeoIP support from MaxMind Inc. While geolocation support will give you accurate country information, other aspects of the analysis may suffer, such as search string analysis (which depends on resolved hostnames to identify the various search engines).


7b. My Server doesn't do name lookups. Will The Webalizer?

Yes. The Webalizer fully supports both IPv4 and IPv6 reverse DNS lookup support. See the DNS.README file for additional information. If you don't enable hostname lookups on your web server, or use the geolocation services provided by The Webalizer, you will get '100% Unresolved/Unknown' country totals. This is because your log files only have IP addresses and not names. While it is recommended that you let your web server handle the DNS lookups, DNS support can be used for those sites where DNS resolution is not an option.


[Link : http://www.webalizer.org/faq.html]


The webalizer has the ability to perform reverse DNS lookups, and fully supports both IPv4 and IPv6 addressing schemes. This document attempts to explain how it works, and some things that you should be aware of when using the DNS lookup features.

Note: The Reverse DNS feature may be enabled or disabled at compile time. DNS lookup code is enabled by default. You can run The Webalizer using the '-vV' command line options to determine what options are enabled in the version you are using.

[Link : ftp://ftp.mrunix.net/pub/webalizer/DNS.README]

[Link : http://www.webalizer.org/webalizer.1.html]

[Link : ftp://ftp.mrunix.net/pub/webalizer/geodb/]


$ webalizer -vV

Webalizer V2.23-08 (Linux 4.4.38-v7+ armv7l) locale

Copyright 1997-2013 by Bradford L. Barrett

Mod date: 26-Aug-2013  Options: DNS/GeoDB GeoIP

Default GeoDB dir : /usr/share/GeoDB

Default config dir: /etc/webalizer



+

There's something called GeoIP so I turned it on, but there was no difference; reading again, it says that once GeoDB is enabled, GeoIP is ignored?

# The GeoIP option enables or disables the use of geolocation
# services provided by the GeoIP library (http://www.maxmind.com),
# if available.  Values may be 'yes' or 'no', with 'no' being the
# default.  Note: if GeoDB is enabled, then this option will have
# no effect (GeoDB will be used regardless of this setting).

#GeoIP no

# GeoIPDatabase specifies an alternate database filename to use by the
# GeoIP library.  If an absolute path is not given as part of the name
# (ie: starts with a leading '/'), then the name is relative to the
# default output directory. This option should not normally be needed.

#GeoIPDatabase /usr/share/GeoIP/GeoIP.dat


Since GeoIP is managed as a package,

rather than updating GeoDB by hand it might be better to enable GeoIP.

$ apt-file search GeoIP

geoip-database: /usr/share/GeoIP/GeoIP.dat

geoip-database: /usr/share/GeoIP/GeoIPv6.dat

geoip-database-contrib: /usr/share/GeoIP/GeoIP.dat

geoip-database-contrib: /usr/share/GeoIP/GeoIPASNum.dat

geoip-database-contrib: /usr/share/GeoIP/GeoIPASNumv6.dat

geoip-database-contrib: /usr/share/GeoIP/GeoIPv6.dat

geoip-database-contrib: /usr/share/GeoIP/GeoLiteCity.dat

geoip-database-contrib: /usr/share/GeoIP/GeoLiteCityv6.dat

geoip-database-extra: /usr/share/GeoIP/GeoIPASNum.dat

geoip-database-extra: /usr/share/GeoIP/GeoIPCity.dat 


+

[Link : https://www.siteground.com/tutorials/geoip/]

[Link : https://www.maxmind.com/download/geoip/api/php-20120410/geoip.inc]


Rather than float, would a decimal type with fractional digits, like decimal(11,2), be the safe choice?


[Link : http://stackoverflow.com/questions/13030368/best-data-type-to-store-money-values-in-mysql]

[Link : https://dev.mysql.com/doc/refman/5.7/en/fixed-point-types.html]


With utf8, if a column is char(20),

is it 20 characters regardless of Korean or English?

Come to think of it, the DBMS seems to handle strings without counting the null character?

I wonder what happens if you put a null in the middle of a string lol


[Link : http://www.phpschool.com/gnuboard4/bbs/board.php?bo_table=tipntech&wr_id=64686]

[Link : https://dev.mysql.com/doc/refman/5.7/en/string-literals.html]


char types are strings, so they do not distinguish case,

while binary types do distinguish case.

[Link : https://dev.mysql.com/doc/refman/5.7/en/case-sensitivity.html]


Case sensitivity can be changed using collate,

and _cs seems to be the suffix for a case sensitive collation,

_ci for a case insensitive collation.

[Link : http://stackoverflow.com/questions/3936967/mysql-case-insensitive-select]


Roughly summarized..

either use the feature inside mysql called event,

or force it to run by sending sql to mysql from cron or similar,

one of the two?


[Link : http://stackoverflow.com/questions/9621355/how-to-schedule-a-mysql-query]

[Link : https://dev.mysql.com/doc/refman/5.5/en/create-event.html]


As expected, the conclusion is.. the turtle (TortoiseSVN) is the best -_-!

$ svn list file:///home/pi/repo@2 --verbose 


$ svn help list

list (ls): List directory entries in the repository.

usage: list [TARGET[@REV]...]


  List each TARGET file and the contents of each TARGET directory as

  they exist in the repository.  If TARGET is a working copy path, the

  corresponding repository URL will be used. If specified, REV determines

  in which revision the target is first looked up.


  The default TARGET is '.', meaning the repository URL of the current

  working directory.


  With --verbose, the following fields will be shown for each item:


    Revision number of the last commit

    Author of the last commit

    If locked, the letter 'O'.  (Use 'svn info URL' to see details)

    Size (in bytes)

    Date and time of the last commit


Valid options:

  -r [--revision] ARG      : ARG (some commands also take ARG1:ARG2 range)

                             A revision argument can be one of:

                                NUMBER       revision number

                                '{' DATE '}' revision at start of the date

                                'HEAD'       latest in repository

                                'BASE'       base rev of item's working copy

                                'COMMITTED'  last commit at or before BASE

                                'PREV'       revision just before COMMITTED

  -v [--verbose]           : print extra information

  -R [--recursive]         : descend recursively, same as --depth=infinity

  --depth ARG              : limit operation by depth ARG ('empty', 'files',

                             'immediates', or 'infinity')

  --incremental            : give output suitable for concatenation

  --xml                    : output in XML

  --include-externals      : include externals definitions


Global options:

  --username ARG           : specify a username ARG

  --password ARG           : specify a password ARG

  --no-auth-cache          : do not cache authentication tokens

  --non-interactive        : do no interactive prompting (default is to prompt

                             only if standard input is a terminal device)

  --force-interactive      : do interactive prompting even if standard input

                             is not a terminal device

  --trust-server-cert      : accept SSL server certificates from unknown

                             certificate authorities without prompting (but only

                             with '--non-interactive')

  --config-dir ARG         : read user configuration files from directory ARG

  --config-option ARG      : set user configuration option in the format:

                                 FILE:SECTION:OPTION=[VALUE]

                             For example:

                                 servers:global:http-library=serf 


[Link : http://svnbook.red-bean.com/en/1.7/svn.tour.history.html]

Program use / vi, 2017. 2. 1. 20:38

In Notepad

I often use shift - end

and ctrl - c,v,

so in vi, copying and deleting with only yy was quite inconvenient,

but thinking about it, it seems combining the start/end movements would work?!


y% copy from here to the end

y^ copy from the start to here


[Link : http://stackoverflow.com/.../how-to-copy-from-current-position-to-end-of-line-in-vi]

Program use / vi, 2017. 2. 1. 20:28

In Notepad or notepad++ I used ctrl - ←,→ to move quickly,

and vi has something similar.. but it's a little lacking?


Move by word

bb ww


[Link : http://soooprmx.com/wp/archives/2777]
