Skip to content

Commit aea3a79

Browse files
judasnjudasn
committed
2018-02-23 补充 SSH 暴力
1 parent a947b8e commit aea3a79

File tree

1 file changed

+74
-0
lines changed

1 file changed

+74
-0
lines changed

SSH.md

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,7 @@
5757
- 重启服务:`sudo service sshd restart`
5858
- 设置 SSH 服务默认启动:`sudo sysv-rc-conf ssh on`
5959
- 现在 SSH 客户端可以去拿着 SSH 服务器端上的 id_rsa,在客户端指定秘钥文件地址即可,这个一般由于你使用的客户端决定的,我这里推荐的是 Xshell 软件。
60+
- 另外一种方法可以查看:[SSH 免密登录(推荐)](SSH-login-without-password.md)
6061

6162
## 限制只有某一个IP才能远程登录服务器
6263

@@ -79,8 +80,81 @@
7980
- Windows -- Xshell:<http://www.youmeek.com/ssh-terminal-emulator-recommend-xshell-and-xftp/>
8081
- Mac -- ZOC:<http://xclient.info/s/zoc-terminal.html>
8182

83+
## 查看 SSH 登录日志
84+
85+
#### CentOS 6
86+
87+
- 查看登录失败记录:`cat /var/log/auth.log | grep "Failed password"`
88+
- 如果数据太多可以用命令:`tail -500f /var/log/auth.log | grep "Failed password"`
89+
- 统计哪些 IP 尝试多少次失败登录记录:`grep "Failed password" /var/log/auth.log | awk ‘{print $11}’ | uniq -c | sort -nr`
90+
- 统计哪些 IP 尝试多少次失败登录记录,并排序:`grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr | more`
91+
92+
93+
#### CentOS 7
94+
95+
- 查看登录失败:`egrep "Failed|Failure" /var/log/secure`,可以得到类似信息:
96+
- 如果数据太多,可以用命令:`tail -500f /var/log/secure | egrep "Failed|Failure"`
97+
98+
```
99+
Feb 21 16:10:15 U5NHTIHOW67HKAH sshd[32753]: Failed password for invalid user oracle from 1.175.83.6 port 46560 ssh2
100+
Feb 21 16:10:16 U5NHTIHOW67HKAH sshd[32750]: Failed password for root from 42.7.26.88 port 62468 ssh2
101+
Feb 21 16:10:17 U5NHTIHOW67HKAH sshd[32744]: Failed password for root from 42.7.26.85 port 36086 ssh2
102+
Feb 21 16:10:18 U5NHTIHOW67HKAH sshd[32756]: Failed password for invalid user oracle from 1.175.83.6 port 46671 ssh2
103+
Feb 21 16:10:20 U5NHTIHOW67HKAH sshd[32744]: Failed password for root from 42.7.26.85 port 36086 ssh2
104+
Feb 21 16:10:21 U5NHTIHOW67HKAH sshd[32750]: Failed password for root from 42.7.26.88 port 62468 ssh2
105+
Feb 21 16:10:21 U5NHTIHOW67HKAH sshd[32758]: Failed password for invalid user oracle from 1.175.83.6 port 46811 ssh2
106+
```
107+
108+
- 查看登录失败统计:`grep "authentication failure" /var/log/secure`,可以得到类似信息:
109+
- 如果数据太多,可以用命令:`tail -500f /var/log/secure | grep "authentication failure"`
110+
111+
```
112+
Feb 21 02:01:46 U5NHTIHOW67HKAH sshd[16854]: Disconnecting: Too many authentication failures for root [preauth]
113+
Feb 21 02:01:46 U5NHTIHOW67HKAH sshd[16854]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
114+
Feb 21 02:01:47 U5NHTIHOW67HKAH sshd[16858]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
115+
Feb 21 02:02:02 U5NHTIHOW67HKAH sshd[16858]: Disconnecting: Too many authentication failures for root [preauth]
116+
Feb 21 02:02:02 U5NHTIHOW67HKAH sshd[16858]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
117+
Feb 21 02:03:11 U5NHTIHOW67HKAH sshd[16870]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
118+
Feb 21 02:03:25 U5NHTIHOW67HKAH sshd[16870]: Disconnecting: Too many authentication failures for root [preauth]
119+
Feb 21 02:03:25 U5NHTIHOW67HKAH sshd[16870]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
120+
Feb 21 02:03:29 U5NHTIHOW67HKAH sshd[16872]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
121+
Feb 21 02:03:44 U5NHTIHOW67HKAH sshd[16872]: Disconnecting: Too many authentication failures for root [preauth]
122+
Feb 21 02:03:44 U5NHTIHOW67HKAH sshd[16872]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
123+
Feb 21 02:03:45 U5NHTIHOW67HKAH sshd[16875]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
124+
Feb 21 02:04:01 U5NHTIHOW67HKAH sshd[16875]: Disconnecting: Too many authentication failures for root [preauth]
125+
Feb 21 02:04:01 U5NHTIHOW67HKAH sshd[16875]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
126+
Feb 21 02:04:05 U5NHTIHOW67HKAH sshd[16878]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
127+
Feb 21 02:04:20 U5NHTIHOW67HKAH sshd[16878]: Disconnecting: Too many authentication failures for root [preauth]
128+
Feb 21 02:04:20 U5NHTIHOW67HKAH sshd[16878]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
129+
Feb 21 02:04:24 U5NHTIHOW67HKAH sshd[16883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
130+
Feb 21 02:04:40 U5NHTIHOW67HKAH sshd[16883]: Disconnecting: Too many authentication failures for root [preauth]
131+
Feb 21 02:04:40 U5NHTIHOW67HKAH sshd[16883]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
132+
Feb 21 02:04:43 U5NHTIHOW67HKAH sshd[16886]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
133+
Feb 21 02:04:59 U5NHTIHOW67HKAH sshd[16886]: Disconnecting: Too many authentication failures for root [preauth]
134+
Feb 21 02:04:59 U5NHTIHOW67HKAH sshd[16886]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
135+
Feb 21 02:05:02 U5NHTIHOW67HKAH sshd[16888]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
136+
Feb 21 02:05:08 U5NHTIHOW67HKAH sshd[16891]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=146.0.228.146
137+
Feb 21 02:05:18 U5NHTIHOW67HKAH sshd[16888]: Disconnecting: Too many authentication failures for root [preauth]
138+
Feb 21 02:05:18 U5NHTIHOW67HKAH sshd[16888]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
139+
Feb 21 02:05:20 U5NHTIHOW67HKAH sshd[16899]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
140+
Feb 21 02:05:34 U5NHTIHOW67HKAH sshd[16899]: Disconnecting: Too many authentication failures for root [preauth]
141+
Feb 21 02:05:34 U5NHTIHOW67HKAH sshd[16899]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
142+
Feb 21 02:05:37 U5NHTIHOW67HKAH sshd[16901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=42.7.26.85 user=root
143+
Feb 21 02:05:53 U5NHTIHOW67HKAH sshd[16901]: Disconnecting: Too many authentication failures for root [preauth]
144+
```
145+
146+
## 防止 SSH 暴力破解:DenyHosts
147+
148+
- 官网地址:<https://github.com/denyhosts/denyhosts>
149+
- 参考文章:
150+
- <http://blog.51cto.com/linuxroad/673425>
151+
- <http://blog.csdn.net/wanglei_storage/article/details/50849070>
152+
- <https://chegva.com/2338.html>
153+
- <http://blog.csdn.net/miner_k/article/details/78948100>
154+
82155
## SSH 资料
83156

84157
- <http://www.jikexueyuan.com/course/861_1.html?ss=1>
85158
- <http://www.361way.com/ssh-autologout/4679.html>
86159
- <http://www.osyunwei.com/archives/672.html>
160+
- <https://www.tecmint.com/find-failed-ssh-login-attempts-in-linux/>

0 commit comments

Comments
 (0)